
Photuris




Page 10: [Size of cookies]

	The size of the cookies (16 octets) seems unnecessarily large.
	Why not 8 octets each?

	The chance that a random cookie will satisfy the recipient is
	then only 2^{-64}.  

	From an engineering point of view, it seems that the cookie length
	is about right when the probability of a random cookie being accepted
	is about the same as the ratio of the cookie computation time to the
	exchange-value computation time.  The only penalty we really pay for
	bogus cookies being accepted is the possible extra computation time
	for computing the exchange value; with the condition I gave this is
	on the order of the cookie computation time (in terms of expected
	value).  

	This argument is perhaps not correct if the adversary can detect 
	when he has success; but this I don't see how to do unless he uses
	his real IP address, which he is unlikely to do.  

	Even then, if the recipient increments his secret value for computing
	cookies every so often, then the adversary can't keep pounding on a
	discovered cookie.  

	2^{-64} is really quite small...  

	(If you think it is too big you should certainly never use DES, since
	its key is only 56 bits long...)
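
The cost argument in the message above, as an added example that is not part of the original post or of the Photuris specification: it measures how often random cookies are accepted at a small cookie length, computes the expected responder cost per bogus packet, and finds the cookie length at which the acceptance probability matches the cookie-to-exchange time ratio. The truncated HMAC-SHA256 cookie function, the peer addresses, and the timing figures are assumptions chosen for illustration.

```python
import hashlib
import hmac
import math
import random


def make_cookie(secret: bytes, peer: str, bits: int) -> int:
    """Stateless cookie: keyed hash of the peer address, truncated to `bits`.
    HMAC-SHA256 is a stand-in here, not the function Photuris specifies."""
    digest = hmac.new(secret, peer.encode(), hashlib.sha256).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def accepted_fraction(secret: bytes, bits: int, trials: int, rng: random.Random) -> float:
    """Fraction of random cookies from spoofed sources that the responder accepts."""
    hits = 0
    for i in range(trials):
        # Constructed spoofed source address (documentation range) and port.
        peer = f"198.51.100.{i % 256}:{1024 + i // 256}"
        if rng.getrandbits(bits) == make_cookie(secret, peer, bits):
            hits += 1
    return hits / trials


def expected_cost(bits: int, t_cookie: float, t_exchange: float) -> float:
    """Expected responder time per bogus packet: the cookie check is always paid,
    the exchange-value computation only with probability 2^-bits."""
    return t_cookie + t_exchange * 2.0 ** -bits


def balanced_bits(t_cookie: float, t_exchange: float) -> int:
    """Smallest cookie length with 2^-bits <= t_cookie / t_exchange."""
    return max(0, math.ceil(math.log2(t_exchange / t_cookie)))


def survives_rotation(old: bytes, new: bytes, peer: str, bits: int) -> bool:
    """True if a cookie discovered under the old secret is still valid after rotation."""
    return make_cookie(old, peer, bits) == make_cookie(new, peer, bits)


if __name__ == "__main__":
    T_COOKIE, T_EXCHANGE = 1e-6, 1e-1  # assumed timings in seconds, not measured
    print("8-bit acceptance rate:", accepted_fraction(b"k1", 8, 20000, random.Random(1)))
    print("balanced length (bits):", balanced_bits(T_COOKIE, T_EXCHANGE))
    for n in (16, 64, 128):
        print(n, "bits ->", expected_cost(n, T_COOKIE, T_EXCHANGE), "s per bogus packet")
    print("survives rotation:", survives_rotation(b"k1", b"k2", "198.51.100.7:4000", 64))
```

With these assumed timings, both 8-octet and 16-octet cookies leave the per-packet cost at essentially the cookie check alone, which is the point the message makes about 2^{-64}.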