[Twisted-web] Session class

Maarten ter Huurne maarten at treewalker.org
Fri Oct 3 20:13:13 EDT 2008 

On Friday 03 October 2008, George Pauly wrote:

> There are a couple  of things I don't understand about Site._mkuid()
>
> IANAC (I am not a cryptographer).
>
> Md5 collisions are rare, but (I guess) might theoretically happen
> depending on length of input.  Does appending the counter to the random
> output with an underscore change the statistics of collision?

The random() function returns a 53-bit float, while the MD5 hash is 128-bit, 
so I think combining the random number with something else does decrease 
the chance of collisions. However, it would probably be safer to ask the 
random generator to produce more bits.

> Alternatively, perhaps the counter is used as a salt?  If so, the salt
> does not seem _very_ secret in this case.  If a sufficiently strong
> random number is used a salt would seem unnecessary.

I think the idea is that the random number by itself is already 
unpredictable enough. But hashing more data will never make it easier to 
recover the random number and might make it harder, if I understand MD5 
correctly.

> I've looked at some python code for session keys (Django, something on
> activestate that might be Zope code) and they hash together various
> things, but not counters.
>
> I've generated session keys by appending plain-text counters (with an
> offset) to random hashes.  This guarantees uniqueness & is handy because
> it is human readable & you can quickly see how many sessions have been
> used since initiation.  Of course, the counter value might be sensitive
> information in some situations.  An encrypted counter might be helpful,
> if the object is to have a session key that is guaranteed random and
> unique.  Or you could just check to see if the key was in use, ala
> Django, and leave off the counter altogether.

You can check whether there is already an active session with the newly 
generated UID, but if you want to know for sure whether or not there is an 
expired session with the newly generated UID, you'd have to remember all 
UIDs you ever handed out.

> One idea from this code (http://code.activestate.com/recipes/52252/) :
> > # create a unique session id
> > # input - string to use as part of the data used to create the session
> > key. #         Although not required, it is best if this includes some
> > unique #         data from the site, such as it's IP address or other
> > environment #         information.  For ZOPE applications, pass in the
> > entire ZOPE "REQUEST" #         object.
> > def makeSessionId(st):
> > 	import md5, time, base64
> > 	m = md5.new()
> > 	m.update('this is a test of the emergency broadcasting system')
> > 	m.update(str(time.time()))
> > 	m.update(str(st))
> > 	return string.replace(base64.encodestring(m.digest())[:-3], '/', '$'
> > )

I don't know exactly what is in a ZOPE request object, but it's likely to be 
predictable. A constant string is impossible to mispredict. And the time 
might not predictable exactly, but if the uncertainty is small enough to 
make brute forcing it feasible, it's also relatively predictable. A hash of 
predictable things is itself predictable.

The Twisted session UID uses a random number generator which is seeded from 
a secure random generator (if the OS has one). So assuming the secure 
random generator does its job well, the initial session UID cannot be 
predicted. However, from that point on the random generator is completely 
deterministic, which means that someone who can discover its internal state 
can generate the same numbers.

The problem is that the current implementation uses Python's shared random 
generator instance, which might be used for other purposes as well and some 
applications might leak too many hints about the internal state of this 
shared generator. Although this is not very likely to happen, it is 
possible and could be avoided by allocating a dedicated generator just for 
session UIDs.

> is to pass in environment info to defend against hijacking.  I've used a
> very similar method in a stateless (on the server, for cgi) session key
> using several environment vars and a salt.  This code does not seem to
> worry about uniqueness (may be OK, I'm not sure).

If collisions are rare enough that the chance of one occurring during the 
lifetime of the application is neglible, that's close enough to unique for 
practical purposes.

Bye,
		Maarten
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 194 bytes
Desc: This is a digitally signed message part.
Url : http://twistedmatrix.com/pipermail/twisted-web/attachments/20081004/9829bb50/attachment.pgp

More information about the Twisted-web mailing list