Session IDs and the Birthday Paradox
If you have a database (or in general some writable store), the best way to do authentication in a web app is with session ID cookies. Every time someone logs in, you pick a large random number to be their session ID, give them a cookie with the session ID, and then store all of the details in your database under the session ID. When they come back, you get the session ID cookie, look it up in the database, make sure it's (still) valid, and go.
What prevents attackers from getting in is the difficulty of guessing
a usable session ID. So, assuming you're using a good random number
generator such as /dev/urandom
on Linux, how big do your session ID
numbers have to be to make one infeasible to guess?
This is a slight variant on the 'Birthday paradox' problem. With N
items
and M
possible values they can have, the basic Birthday paradox
approximation is (in Python notation):
1  exp( ((N*(N1))) / (2*M))
(call this p(N, M).)
To start with, let's say that you expect three million valid session IDs at a time; this might seem extreme, but LiveJournal currently has two million active users. I've made a handy little table of results:
Bits  Collision chance 
32  100% 
40  98.3% 
48  1.59% 
56  0.006% 
64  0.00002% 
72  ~ 0% 
(Disclaimer: I think I, and Python, got the math right. Please feel free to correct me if I didn't. '~ 0%' means 'so small that it prints as 0'; the collision chance is clearly never literally 0.)
So 72 bits (9 bytes) should be pretty durn safe. It even remains safe at 30 million valid session IDs, which is a pretty good sign that people trying to guess valid session IDs will be there for a long, long time. If you expect 300 million valid session IDs, you'll want to go to more bits.
On most modern systems, the easy way to get this much good randomness is
just to read however many bytes you need from /dev/urandom
. (Please
don't try to make up your own random number generator. The security
world is littered with the shattered remnants of people who tried that.)
More probability and math
Now, this isn't quite the answer to the question I posed at the start, which I can rephrase as:
Starting with
N
unique session IDs out ofM
possible values, what are the odds of finding a duplicate inR
additional guesses?
The figures I gave are somewhat of a handwave about, effectively,
p(N+R, M), which is more or less the same as p(N, M) if R
is
(very) small compared to N
.
A friend pointed out that this is just the probability of making R
different wrong guesses, so the full expression for the probability
is:
1  (1  N/M) * (1  N/(M1)) * ... * (1  N/(MR))
(Update: actually the terms should run only to (M(R1)).)
However, computing this for large R
s is irksome (unless you have a
good symbolic math package around), and I don't know if there's a good
approximation or summation.
I think p(N+R, M)  p(N, M) might be close, although that sort of overcounts by roughly p(R, M) (since the attacker's values will be noncolliding if the attacker has any brains).
Sidebar: giving everyone on earth a randomly assigned unique ID
Let's assume that we wanted to randomly assign everyone on earth a numeric ID, and be relatively sure that there were no collisions. How large a bit space would we need?
To have a margin for error, let's use a world population figure of ten billion.
Bits  Collision chance 
64  93.35% 
72  1.05% 
80  0.004% 
88  0.000016% 
96  0.000000063% 
104  0.0000000002% 
128  0.000000000000000014% 
160  ~ 0% 
(These figures are from bc
, because python
ran out of precision. MD5
hashes are 128 bits and SHA1 hashes are 160 bits.)

