Symantec Access Management


SiteMinder Cookies Entropy

Ujwol

Feb 28, 2017 06:27 PM

  • 1.  SiteMinder Cookies Entropy

    Posted Feb 28, 2017 02:50 PM

    We have been asked the below question about SiteMinder cookies:

     

    “Is the value of the cookie not predictable and does it provide 64-bit entropy?”

     

     



  • 2.  Re: SiteMinder Cookies Entropy
    Best Answer

    Posted Feb 28, 2017 05:21 PM

    Hi Anand,

     

    I did run an entropy test with the sample SMSESSION cookie

     

    "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; SMIDENTITY=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"

     

    And here is the result:

    Entropy Test: Strength Test

    Now, being able to guess a value of this level of complexity is, I think, out of the question.

     

    For your information, the SMSESSION cookie is first encrypted using the Agent KEY and then Base64 encoded.

    Now, the Agent KEY itself is of the following strength:

    In FIPS Compat Mode:

    Agent Key: Encrypted using the RC2 algorithm with an HMAC-SHA1 digest: 128-bit length

    In FIPS Only Mode:

    Agent Key: Encrypted using the AES algorithm with an HMAC-SHA256 digest: 128-bit length



  • 3.  Re: SiteMinder Cookies Entropy

    Broadcom Employee
    Posted Feb 28, 2017 06:00 PM

    Hi Anand,  

     

    I had some answer written, but Ujwol beat me to it :-) - no problem so I will just add the extra part that I had.

     

    I suspect your asker is not quite aware of how the SMSESSION cookie is constructed; the question seems to imply it is a unique random id for the session, such as JSESSIONID, which is just a random number or string.

     

    As Ujwol points out, it is a (fairly large) encrypted string; he has an article here that explains what it contains:

     

    https://communities.ca.com/community/ca-security/ca-single-sign-on/blog/2016/08/16/tech-tip-ca-single-sign-on-what-information-is-stored-in-the-smsession-cookie

     

    Within this large blob there are several timestamps, and also a "sessionid". The session id is 64 bytes filled from the machine's random device.

     

     

    Cheers  - Mark

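Added example (Python), written for this page and not code from the thread, from Ujwol's entropy test, or from the SiteMinder product. It illustrates the two replies above: the per-character "entropy test" Ujwol ran, and Mark's point that guessability is bounded by the 64 random bytes behind the session id, not by how random the encrypted blob looks. The stand-in blob is just `os.urandom` output Base64-encoded (the real agent-key encryption is not reproduced), the `predictable_token` scheme is an invented counter-hash used to show what a per-sample entropy score cannot detect, and the 64-byte figure is taken from Mark's post.

```python
"""Added example: what an 'entropy test' on a cookie value does and does not
tell you. Not code from the thread or from the SiteMinder product."""
import base64
import hashlib
import math
import os
from collections import Counter

BASE64_ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
)


def shannon_bits_per_symbol(value: str) -> float:
    """Empirical Shannon entropy of the characters of ONE string, in bits per
    character. This is what a typical entropy/strength tester reports: it only
    measures how evenly the characters are spread in that sample."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def max_bits_per_symbol(alphabet: str = BASE64_ALPHABET) -> float:
    """Ceiling for the score above: log2(alphabet size), 6.0 for Base64."""
    return math.log2(len(alphabet))


def entropy_report(cookie_value: str) -> dict:
    """Summarise a Base64 cookie value the way an entropy tester would."""
    body = cookie_value.rstrip("=")  # '=' padding is structure, not data
    per_symbol = shannon_bits_per_symbol(body)
    return {
        "length": len(body),
        "bits_per_symbol": round(per_symbol, 3),
        "max_bits_per_symbol": max_bits_per_symbol(),
        "apparent_bits": round(per_symbol * len(body), 1),
    }


def predictable_token(counter: int) -> str:
    """Invented scheme: Base64(SHA-256(counter)). Looks random, is not. Anyone
    who knows the scheme can enumerate every value, yet each sample scores
    near 6 bits/char on a per-sample entropy test."""
    digest = hashlib.sha256(counter.to_bytes(8, "big")).digest()
    return base64.b64encode(digest).decode()


def attacker_can_reproduce(token: str, search_limit: int) -> bool:
    """Brute-force the counter space; an entropy score never sees this."""
    return any(predictable_token(i) == token for i in range(search_limit))


def session_id_entropy_bits(session_id: bytes) -> int:
    """The number that actually answers 'does it provide 64-bit entropy?':
    bits of CSPRNG output behind the id, not the score of the encoded blob."""
    return 8 * len(session_id)


def meets_requirement(session_id: bytes, required_bits: int = 64) -> bool:
    return session_id_entropy_bits(session_id) >= required_bits


if __name__ == "__main__":
    # Constructed stand-in for an encrypted SMSESSION blob: random bytes,
    # Base64-encoded. The real agent-key encryption is NOT reproduced here.
    stand_in_blob = base64.b64encode(os.urandom(240)).decode()
    print("stand-in encrypted blob :", entropy_report(stand_in_blob))
    print("predictable token       :", entropy_report(predictable_token(1234)))
    print("reproducible by attacker:",
          attacker_can_reproduce(predictable_token(1234), 2000))

    # Per the thread, the session id inside the blob is 64 bytes from the OS
    # random device (os.urandom stands in for that device here).
    sid = os.urandom(64)
    print("session id bits         :", session_id_entropy_bits(sid),
          "| meets 64-bit requirement:", meets_requirement(sid))
```

Both the stand-in blob and the predictable token score close to the 6 bits/char ceiling, so the tester cannot distinguish them; only knowledge of how the value is generated (64 CSPRNG bytes, so 512 bits, behind the session id) answers the asker's question.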


  • 4.  Re: SiteMinder Cookies Entropy

    Posted Feb 28, 2017 06:27 PM

     



  • 5.  Re: SiteMinder Cookies Entropy

    Posted Mar 01, 2017 12:09 AM

    Thanks Mark and Ujwol for your detailed answers. This is very helpful.