re: UniqueID maintenance in the store

Vittorio Bertocci - MSFT — Fri, 19 Jan 2007 20:46:00 GMT

Hello Miha.

Guessing by brute force a PPID would very difficult: it's a fairly long string (an example: FgQRItvmKACbDCY0ZAgW67haBrzGD0myRaEEUIRoOoE), with no meaningful substring that would be vulnerable to dictionary attacks.

That said, it is still strongly discouraged to use PPID recognition as the only mean of authenticating the user: involving active content in the mix (= content that is verifiably involved in the cryptographic processing of the token, say the public key of the issuer who sisngs the token) is always the safest, because even in case of leaking of the info in your db nobody will be able to produce a matching token anyway.

HTH,

re: UniqueID maintenance in the store

Miha — Thu, 18 Jan 2007 17:45:40 GMT

Vittorio,

reading all this, makes me wonder: if RP uses PPID to associate "user" with application for, let's say persistent state or whatever, PPID could be guessed (brute force comes to mind) by an evil user and thus the identity would be taken over?

PPID is defined as a string of a defined length, so guessing-it (brute forcing it) is kind of possible.

Is this totally off?

Thanks,

Miha.