Hold Your Sessions: an Attack on Java Servlet Session-id Generation
Cryptographers' Track, RSA Conference (CT-RSA '05) |
HTTP session-id’s take an important role in almost any web site today. This paper presents a cryptanalysis of Java Servlet 128-bit session-id’s and an eﬃcient practical prediction algorithm. Using this attack an adversary may impersonate a legitimate client. Through the analysis we also present a novel, general space-time tradeoﬀ for secure pseudo random number generator attacks.