If you can force the system to generate the same random key twice, by injecting some data somewhere, then it is indeed a very broken system.
If the same secret key is stored both as a secured object and as a non-secure object, then either the system itself is broken, the key is too weak, or the user has been too careless with her handling of the key.
If the same secret key is used in several secured objects then it is probably only the same user multitasking.
If an attacker can find out the random or secret key then the least of our problems is that she can use that knowledge to perform a new novel kind of denial-of-service attack against other users of that very key.