Layer7 Access Management


SiteMinder Cookies Entropy

  • 1.  SiteMinder Cookies Entropy

    Posted 02-28-2017 02:50 PM

    We have been asked the below question about SiteMinder cookies:


    “Is the value of the cookie not predictable and does it provide 64-bit entropy?”




  • 2.  Re: SiteMinder Cookies Entropy
    Best Answer

    Posted 02-28-2017 05:21 PM

    Hi Anand,


    I did run an entropy test with the sample SMSESSION cookie


    And here is the result :

    Entropy Test : Strength Test

    Now, being able to guess a value of this level of complexity is, I think, out of the question.


    For your information, the SMSESSION cookie is first encrypted using the Agent KEY and then Base64 encoded.

    Now, the Agent KEY itself is of the following strength:


    In FIPS Compat Mode :

    Agent Key: Encrypted using RC2 algorithm with an HMAC-SHA1 digest : 128 bit length


    In FIPS Only Mode:

    Agent Key: Encrypted using AES algorithm with an HMAC-SHA256 digest : 128 bit length



  • 3.  Re: SiteMinder Cookies Entropy

    Posted 02-28-2017 06:00 PM

    Hi Anand,

    I had some answer written, but Ujwol beat me to it :-) - no problem so I will just add the extra part that I had.


    I suspect your asker is not quite aware of how the SMSESSION cookie is constructed; the question seems to imply it is a unique random id for the session, such as JSESSIONID, where it is just a random number or string.


    As Ujwol points out, it is a (fairly large) encrypted string; he has an article here that explains what it contains:


    https://communities.ca.com/community/ca-security/ca-single-sign-on/blog/2016/08/16/tech-tip-ca-single-sign-on-what-information-is-stored-in-the-smsession-cookie


    Within this large blob, there are several timestamps, and also a "sessionid". The session id is 64 bytes filled from the machine random device.


    Cheers  - Mark
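Ujwol's strength test over one cookie value and Mark's point about the 64-byte session id measure two different things, and an auditor asking for "64-bit entropy" cares about the second. The Python below is an added illustration, not code from this thread or from CA: it computes the empirical Shannon entropy of a single token next to the entropy its generator actually supplies, and shows that a constant token can still have full Base64 "capacity" while carrying no unpredictability. The sample session id is constructed with os.urandom and is not a real SMSESSION value.

```python
import base64
import math
import os
from collections import Counter


def shannon_bits_per_char(token: str) -> float:
    """Empirical Shannon entropy of one observed token, in bits per character.

    This is what a "strength test" over a single cookie measures. It is capped
    at 6 bits/char for Base64 text and says nothing about whether the generator
    behind the token is predictable.
    """
    n = len(token)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(token).values())


def base64_capacity_bits(token: str) -> int:
    """Upper bound on the entropy a Base64 token could carry: 8 bits per decoded byte."""
    return 8 * len(base64.b64decode(token, validate=True))


def source_entropy_bits(random_bytes: int) -> int:
    """Entropy actually supplied by a session id of `random_bytes` CSPRNG bytes."""
    return 8 * random_bytes


def meets_requirement(random_bytes: int, required_bits: int = 64) -> bool:
    """The auditor's real question: does the generator supply at least N bits?"""
    return source_entropy_bits(random_bytes) >= required_bits


def constructed_session_id(random_bytes: int = 64) -> str:
    # Constructed stand-in for the 64-byte "sessionid" described in the thread:
    # bytes from the OS random device, Base64 encoded. Not a real SMSESSION value.
    return base64.b64encode(os.urandom(random_bytes)).decode("ascii")


if __name__ == "__main__":
    sid = constructed_session_id()
    print(f"observed: {shannon_bits_per_char(sid):.2f} bits/char over {len(sid)} chars")
    print(f"capacity: {base64_capacity_bits(sid)} bits")
    print(f"source:   {source_entropy_bits(64)} bits; meets 64-bit requirement: {meets_requirement(64)}")
    # A constant token decodes to the same 64 bytes (512-bit capacity) yet its
    # observed entropy is near zero: capacity and a Shannon score are not the same.
    constant = base64.b64encode(b"\x00" * 64).decode("ascii")
    print(f"constant token observed: {shannon_bits_per_char(constant):.2f} bits/char")
```

The takeaway for the original question is that the answer rests on the 64 random bytes (512 bits) feeding the session id, not on how "random-looking" the encrypted, Base64-encoded blob appears.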



  • 4.  Re: SiteMinder Cookies Entropy

    Posted 02-28-2017 06:27 PM




  • 5.  Re: SiteMinder Cookies Entropy

    Posted 03-01-2017 12:09 AM

    Thanks Mark and Ujwol for your detailed answers. This is very helpful.