Subject: Fwd: minor security problem with the SAML spec
>Sender: Erwin.Vanderkoogh@sun.com
>Date: Tue, 11 Sep 2001 11:54:57 +0100
>From: Erwin van der Koogh <erwin.vanderkoogh@sun.com>
>To: eve.maler@sun.com
>Subject: minor security problem with the SAML spec
>
>Hi Eve,
>
>I am not sure if you are the right person to send this to and it's not a
>big issue, but there might be a small problem with the SAML core spec.
>
>On draft-sstc-core-15.doc line 167:
>
>"In the case that a pseudorandom technique is employed the probability
>of two randomly chosen identifiers being identical MUST be less than 2^-128
>and SHOULD be less than 2^-160."
>
>Now the problem with this is that this is open to a so-called birthday
>attack.
>Basically, while it's not very likely there's someone you know that has
>the same birthday as you, it's a lot more likely there's someone that
>shares someone else's birthday.
>
>I think the intention of the document was to specify:
>
>"... the probability of ANY two identifiers being identical"
>
>It's possible to adjust for a birthday attack by lowering the chance of
>a collision of 2 identifiers and I am not sure if that's done already.
>
>Regards,
>
>Erwin van der Koogh
>
>--
>XML Technology Centre, Dublin
>Erwin.vanderkoogh@sun.com
>+353.1.8199145 (ext. 19145)

--
Eve Maler                                  +1 781 442 3190
Sun Microsystems XML Technology Center  eve.maler @ sun.com
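The arithmetic behind the point raised above, as an added example that is not part of the original thread or of the SAML specification: the pairwise probability the draft text states is 2^-k for k-bit identifiers, while the probability that ANY two of n identifiers collide is the birthday bound 1 - exp(-n(n-1)/(2*2^k)), which grows with the square of n. The function names, the sample population of 2^32 identifiers and the 23-of-365 sanity check are choices made for this example, not values from the spec or the message.

```python
import math


def pairwise_collision_probability(bits: int) -> float:
    """Probability that two specific identifiers, each drawn uniformly
    from {0,1}^bits, are identical. This is the quantity the quoted
    draft wording bounds: exactly 2^-bits."""
    return 2.0 ** -bits


def birthday_bound(n: int, space: int) -> float:
    """Probability that at least one pair among n uniform draws from
    `space` values collides, via 1 - exp(-n(n-1)/(2*space)).
    expm1 is used so that tiny probabilities keep their precision;
    1 - exp(-x) would round to 0.0 once x is below ~1e-16."""
    expected_colliding_pairs = n * (n - 1) / (2 * space)
    return -math.expm1(-expected_colliding_pairs)


def any_collision_probability(n: int, bits: int) -> float:
    """Birthday bound for n identifiers of `bits` bits each, i.e. the
    'ANY two identifiers' probability the message argues the spec meant."""
    return birthday_bound(n, 2 ** bits)


def exact_any_collision_probability(n: int, space: int) -> float:
    """Exact birthday probability for small spaces, computed as
    1 - prod_{i<n} (space - i)/space. Used only to check birthday_bound."""
    p_no_collision = 1.0
    for i in range(n):
        p_no_collision *= (space - i) / space
    return 1.0 - p_no_collision


def bits_needed(n: int, max_probability: float) -> int:
    """Smallest identifier length in bits such that the probability of any
    collision among n identifiers is at most max_probability.
    From -expm1(-x) <= p  <=>  x <= -log1p(-p), with x = n(n-1)/(2*2^bits)."""
    required_space = n * (n - 1) / (-2.0 * math.log1p(-max_probability))
    return math.ceil(math.log2(required_space))


if __name__ == "__main__":
    # Sanity check of the approximation against the classic birthday figure.
    print("23 people / 365 days, exact:", exact_any_collision_probability(23, 365))
    print("23 people / 365 days, bound:", birthday_bound(23, 365))

    # The draft's pairwise bound versus the 'any two' bound for 128-bit IDs.
    population = 2 ** 32  # assumed number of identifiers issued system-wide
    print("pairwise, 128 bits:", pairwise_collision_probability(128))
    print("any collision among 2^32 IDs, 128 bits:",
          any_collision_probability(population, 128))
    print("bits needed to keep any-collision <= 2^-128 for 2^32 IDs:",
          bits_needed(population, 2 ** -128))
```

With 2^32 identifiers of 128 bits the any-collision probability is about 2^-65, far above the 2^-128 the draft names for a single pair; keeping the any-collision probability at or below 2^-128 across that population needs 191-bit identifiers, which is the "adjust for a birthday attack by lowering the chance of a collision of 2 identifiers" the message suggests, made concrete.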