[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Photuris
Page 10: [Size of cookies]
The size of the cookies (16 octets) seems unnecessarily large.
Why not 8 octets each?
The chance that a random cookie will satisfy the recipient is
then only 2^{-64}.
From an engineering point of view, it seems that the cookie length
is about right when the probability of a random cookie being accepted
is about the same as the ratio of the cookie computation time to the
exchange-value computation time. The only penalty we really pay for
bogus cookies being accepted is the possible extra computation time
for computing the exchange value; with the condition I gave this is
on the order of the cookie computation time (in terms of expected
value).
This argument is perhaps not correct if the adversary can detect
when he has success; but this I don't see how to do unless he uses
his real IP address, which he is unlikely to do.
Even then, if the recipient increments his secret value for computing
cookies every so often, then the adversary can't keep pounding on a
discovered cookie.
2^{-64} is really quite small...
(If you think it is too big you should certainly never use DES, since
its key is only 56 bits long...)