Cracking Pseudorandom Sequences Generators in Java Applications

No ratings

Presented at phdays 2014 by

Sergey Soldatov

Mikhail Egorov

Modern applications widely use random sequences for security related tasks: encryption keys, authentication challenges, session identifiers, CAPTCHAs and passwords. Resistance to cracking of such applications strongly depends on the quality of random sequences generators. The talk will explain vulnerabilities found in Java-applications that using pseudorandom generators, how to successfully attack them. The speaker will demonstrate a tool that effectively recover the internal state of the generator (a.k.a. seed), previous and subsequent generator output values. The research also covers mechanisms for session IDs generation for different Java application servers and web servers both open source and proprietary.