Bugtraq mailing list archives

Re: preventing sequence number guessing


From: tdarcos () access digex net (Paul Robinson)
Date: Sun, 29 Jan 1995 11:56:20 -0500 (EST)


On Sat, 28 Jan 1995, der Mouse wrote:

> instead of using tcp_iss directly for the SYN ...send MD5(tcp_iss)
> So it takes about 7 u-seconds to MD5 hash a small block on a...
> Perhaps not.  MD5 has relatively high overhead; that is, in the
> formula, "overhead" is comparatively large[%].... MD5's actual cost
> is more like
>     time = constant * round_up(bytes+9,64)

Anyone care to do a real-time test?  Generate some random strings of 
varying length, including some one-byte responses, until you have some 
large number, say, 10000 of these strings.  Randomly assign some to one 
side, so that maybe one side has 1000 outgoing strings and 9000 incoming, 
then have an MD5 checksum done in which the program generates a checksum 
for each line, sends it, then after, say, 10 lines, sends a message the 
other way.  

Now, do this for two cases: no checksum and for MD5 checksum.  Now, 
report the difference in speed on your machine.  

I'm thinking of trying it on my 386/40 here.  Is the MD5 code printed in 
one of the RFCs from 1919-1925 (it's in one of those) the same code 
generally being considered, or is the program as used with, say, the 
"md5" command on the Sun Unix box I call in to get mail here something 
different?   If it is the same, I can do a simulated telnet session and 
see what I get.

--
Ask me about Listmgr - the first PC-Based mailing list manager for E-Mail.
Reports on Security Problems: To Subscribe write PROBLEMS-REQUEST () TDR COM
Paul Robinson - paul () tdr com / tdarcos () MCIMail com / tdarcos () access digex net
Voted "Largest Polluter of the (IETF) list" by Randy Bush <randy () psg com>
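
Added example, not part of the original message or of any poster's code: a local version of the timing test proposed above, comparing a pass over 10000 random strings with and without an MD5 digest per string, and relating the difference to the round_up(bytes+9,64) cost model quoted in the thread. It measures hashing cost only (no network exchange); the function names, the 200-byte maximum length, the 10% share of one-byte strings and the seed are assumptions.

```python
import hashlib
import random
import time

def round_up(n, m):
    """Smallest multiple of m that is >= n."""
    return -(-n // m) * m

def md5_padded_len(nbytes):
    """Bytes MD5 compresses: message + 0x80 marker + 8-byte length, padded to 64."""
    return round_up(nbytes + 9, 64)

def make_strings(count=10000, max_len=200, seed=1995):
    """Constructed sample input: random strings, about 10% of them one byte long."""
    rng = random.Random(seed)
    out = []
    for _ in range(count):
        n = 1 if rng.random() < 0.1 else rng.randint(2, max_len)
        out.append(bytes(rng.getrandbits(8) for _ in range(n)))
    return out

def run(strings, use_md5):
    """One pass over the strings; returns (seconds, bytes seen, digests made)."""
    start = time.perf_counter()
    total = digests = 0
    for s in strings:
        total += len(s)
        if use_md5:
            hashlib.md5(s).digest()
            digests += 1
    return time.perf_counter() - start, total, digests

def compare(strings):
    """Time the no-checksum and MD5 cases and relate the gap to 64-byte blocks."""
    plain_s, total, _ = run(strings, False)
    md5_s, _, digests = run(strings, True)
    blocks = sum(md5_padded_len(len(s)) // 64 for s in strings)
    return {"strings": len(strings), "bytes": total, "digests": digests,
            "blocks": blocks, "plain_s": plain_s, "md5_s": md5_s,
            "us_per_block": (md5_s - plain_s) / blocks * 1e6}

if __name__ == "__main__":
    for key, value in compare(make_strings()).items():
        print(f"{key:>12}: {value}")
```

The us_per_block figure includes the interpreter's per-call overhead, so it overstates the cost of the hash itself for short inputs such as a 4-byte sequence number, which still occupies one full 64-byte block.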


