At 10:42 AM -0800 1/10/03, Eric Rescorla wrote:
>Jim Jagielski <[EMAIL PROTECTED]> writes:
>
>> Eric Rescorla wrote:
>> >
>> > Glenn Olander <[EMAIL PROTECTED]> writes:
>> > > 5) The strength of the PRNG is largely irrelevant
>> > >
>> > > As a user, I wouldn't trust any solution which lacks a check for
>> > > duplicate session id's, regardless of the strength of the PRNG.
>> > This doesn't seem to me to be a plausible position in view
>> > of the fact that all of our security mechanisms absolutely
>> > depend on statistical uniqueness of randomly generated large
>> > numbers.
>> >
>>
>> These are 2 different points I think. If you randomly generate numbers
>> between 1 and 1,000,000 you will, after a point in time, have
>> duplicate numbers.
>Yes, but if you randomly generate numbers between 1 and 2^128, you'll
>have to generate roughly 2^64 random numbers to have a good chance of
>getting a duplicate. Sure, over time you'll get a duplicate,
>but in this context over time needs to be measured over a
>time scale far in excess of the time scale that is interesting.
>
Of course, as you said, it depends on the range and the timespan.
But it doesn't change the fact that randomness != uniqueness,
which is what Glenn's point was I think.
--
===========================================================================
Jim Jagielski [|] [EMAIL PROTECTED] [|] http://www.jaguNET.com/
"A society that will trade a little liberty for a little order
will lose both and deserve neither" - T.Jefferson
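The figures both sides cite in this thread, together with the duplicate check Glenn asks for, as an added Python example that is not part of the original messages. The function names and the `SessionIdIssuer` class are hypothetical, and the 8-bit id space at the end is constructed only to make duplicate draws observable.

```python
import math
import secrets

def collision_probability(draws: int, bits: float) -> float:
    """Birthday approximation: P(dup) ~= 1 - exp(-n(n-1) / (2 * 2^bits))."""
    exponent = -draws * (draws - 1) / (2.0 * 2.0 ** bits)
    return -math.expm1(exponent)  # expm1 keeps precision when P is tiny

def draws_for_probability(p: float, bits: float) -> float:
    """Approximate number of random ids needed to reach collision probability p."""
    return math.sqrt(2.0 * 2.0 ** bits * math.log(1.0 / (1.0 - p)))

class SessionIdIssuer:
    """Hypothetical issuer: random ids plus an explicit uniqueness check
    against the set of sessions that are currently live."""

    def __init__(self, id_bytes: int = 16, rng=secrets.token_bytes):
        self._id_bytes = id_bytes
        self._rng = rng          # CSPRNG by default; injectable for testing
        self._live = set()
        self.retries = 0         # how many duplicate draws were rejected

    def issue(self) -> str:
        while True:
            sid = self._rng(self._id_bytes).hex()
            if sid not in self._live:
                self._live.add(sid)
                return sid
            self.retries += 1    # duplicate drawn: discard and draw again

    def expire(self, sid: str) -> None:
        self._live.discard(sid)

if __name__ == "__main__":
    small_bits = math.log2(1_000_000)   # the "1 to 1,000,000" range
    print(f"1..1,000,000: 50% chance of a duplicate after "
          f"~{draws_for_probability(0.5, small_bits):.0f} ids")
    print(f"128-bit ids: 50% chance after "
          f"~2^{math.log2(draws_for_probability(0.5, 128)):.1f} ids")
    print(f"128-bit ids, 10^9 issued: P = {collision_probability(10**9, 128):.3e}")
    tiny = SessionIdIssuer(id_bytes=1)  # constructed 8-bit space to force duplicates
    ids = [tiny.issue() for _ in range(200)]
    print(f"8-bit space: {len(set(ids))} unique ids, "
          f"{tiny.retries} duplicate draws rejected")
```

The check costs one set lookup per issued id, and it guarantees uniqueness only among the ids the issuer itself is tracking.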