Hold Your Sessions: an Attack on Java Servlet Session-id Generation

  • Zvi Gutterman
  • Dahlia Malkhi

Cryptographers' Track, RSA Conference (CT-RSA '05) |

HTTP session-id’s take an important role in almost any web site today. This paper presents a cryptanalysis of Java Servlet 128-bit session-id’s and an efficient practical prediction algorithm. Using this attack an adversary may impersonate a legitimate client. Through the analysis we also present a novel, general space-time tradeoff for secure pseudo random number generator attacks.