On Mon, 5 Feb 2007, NGSSoftware Insight Security Research wrote: > Jetty generates a 64-bit session id by generating two 32-bit numbers in > this way, so we end up with an encoded 64-bit integer. By decoding the > integer and splitting it into its two component 32-bit integers, we can > easily brute-force the generator's internal state. Why on earth would you want to brute-force it? http://www.springerlink.com/content/9jkp3179mj6fwh6m/s http://dsns.csie.nctu.edu.tw/research/crypto/HTML/PDF/C89/138.PDF Cheers, /mz
