OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: Fwd: minor security problem with the SAML spec

>Sender: Erwin.Vanderkoogh@sun.com
>Date: Tue, 11 Sep 2001 11:54:57 +0100
>From: Erwin van der Koogh <erwin.vanderkoogh@sun.com>
>To: eve.maler@sun.com
>Subject: minor security problem with the SAML spec
>Hi Eve,
>I am not sure if you are the right person to send this to and it's not a
>big issue, but there's might be a small problem with the SAML core spec.
>On draft-sstc-core-15.doc line 167:
>"In the case that a pseudorandom technieuq is employed the probability
>of two random chosen identifiers being identical MUST be less than 2-128
>and SHOULD be less than 2-160."
>Now the problem with this is that this is open to a so-called birthday
>Basically while it's not very likely there's someone you know that has
>the same birthday as you, it's a lot more likely there's someone that
>shares someone else's birthday.
>I think the intention of the document was to specify:
>"... the probability of ANY two identifiers being identical"
>It's possible to adjust for a birthday attack by lowering the chance of
>a collision of 2 identifiers and I am not sure if that's done already.
>Erwin van der Koogh
>XML Technology Centre, Dublin
>+353.1.8199145 (ext. 19145)

Eve Maler                                    +1 781 442 3190
Sun Microsystems XML Technology Center   eve.maler @ sun.com

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC