Cracking Pseudorandom Sequences Generators in Java Applications
Authors: Mikhail Egorov and Sergey Soldatov
Modern applications widely use random sequences for security related tasks: encryption keys, authentication challenges, session identifiers, CAPTCHAs and passwords. Resistance to cracking of such applications strongly depends on the quality of random sequences generators.
The talk will explain vulnerabilities found in Java-applications that using pseudorandom generators, how to successfully attack them. The speaker will demonstrate a tool that effectively recover the internal state of the generator (a.k.a. seed), previous and subsequent generator output values.
The research also covers mechanisms for session IDs generation for different Java application servers and web servers both open source and proprietary.
Mikhail Egorov graduated from Moscow State Technical University named after Bauman in 2009 and obtained a Master’s degree in information security. He is an independent security researcher and experienced Java/Python programmer. His area of expertise includes vulnerabilities research, fuzzing, reverse engineering, web application and network security. He worked as an information security consultant and software developer in different companies, holds OSCP and CISSP certifications.
Sergey Soldatov is a Bauman Moscow State Technological university graduate and an independent security practitioner with more than 10 years of network security experience. He has extensive programming experience and has been involved in large ISP related development projects. He is a speaker at a number of conferences including HITB, ZeroNights, holds CISA and CISSP certifications.