## Session IDs and the Birthday Paradox

February 10, 2006

If you have a database (or in general some writable store), the best way to do authentication in a web app is with session ID cookies. Every time someone logs in, you pick a large random number to be their session ID, give them a cookie with the session ID, and then store all of the details in your database under the session ID. When they come back, you get the session ID cookie, look it up in the database, make sure it's (still) valid, and go.

What prevents attackers from getting in is the difficulty of guessing a usable session ID. So, assuming you're using a good random number generator such as `/dev/urandom` on Linux, how big do your session ID numbers have to be to make one infeasible to guess?

This is a slight variant on the 'Birthday paradox' problem. With `N` items and `M` possible values they can have, the basic Birthday paradox approximation is (in Python notation):

`1 - exp( (-(N*(N-1))) / (2*M))`

(call this p(N, M).)

To start with, let's say that you expect three million valid session IDs at a time; this might seem extreme, but LiveJournal currently has two million active users. I've made a handy little table of results:

 Bits Collision chance 32 100% 40 98.3% 48 1.59% 56 0.006% 64 0.00002% 72 ~ 0%

(Disclaimer: I think I, and Python, got the math right. Please feel free to correct me if I didn't. '~ 0%' means 'so small that it prints as 0'; the collision chance is clearly never literally 0.)

So 72 bits (9 bytes) should be pretty durn safe. It even remains safe at 30 million valid session IDs, which is a pretty good sign that people trying to guess valid session IDs will be there for a long, long time. If you expect 300 million valid session IDs, you'll want to go to more bits.

On most modern systems, the easy way to get this much good randomness is just to read however many bytes you need from `/dev/urandom`. (Please don't try to make up your own random number generator. The security world is littered with the shattered remnants of people who tried that.)

### More probability and math

Now, this isn't quite the answer to the question I posed at the start, which I can rephrase as:

Starting with `N` unique session IDs out of `M` possible values, what are the odds of finding a duplicate in `R` additional guesses?

The figures I gave are somewhat of a handwave about, effectively, p(N+R, M), which is more or less the same as p(N, M) if `R` is (very) small compared to `N`.

A friend pointed out that this is just the probability of making `R` different wrong guesses, so the full expression for the probability is:

1 - (1 - N/M) * (1 - N/(M-1)) * ... * (1 - N/(M-R))

(Update: actually the terms should run only to (M-(R-1)).)

However, computing this for large `R`s is irksome (unless you have a good symbolic math package around), and I don't know if there's a good approximation or summation.

I think p(N+R, M) - p(N, M) might be close, although that sort of overcounts by roughly p(R, M) (since the attacker's values will be non-colliding if the attacker has any brains).

### Sidebar: giving everyone on earth a randomly assigned unique ID

Let's assume that we wanted to randomly assign everyone on earth a numeric ID, and be relatively sure that there were no collisions. How large a bit space would we need?

To have a margin for error, let's use a world population figure of ten billion.

 Bits Collision chance 64 93.35% 72 1.05% 80 0.004% 88 0.000016% 96 0.000000063% 104 0.0000000002% 128 0.000000000000000014% 160 ~ 0%

(These figures are from `bc`, because `python` ran out of precision. MD5 hashes are 128 bits and SHA1 hashes are 160 bits.)

Written on 10 February 2006.