﻿

# a scheme for assigning numbers

```This message is a brief description of the scheme CERT/CC uses to assign
tracking numbers to new vulnerability reports. It may provide some food
for thought for a CVE numbering system.

We had a couple of simple design goals:

-- to not "leak" information about when the report was created, or what it
concerns

-- to support multiple people assigning numbers independently with little
central coordination (i.e. no need to contact a "number server" for every
number you need)

-- reasonably quick

Here's how it works basically:

X = (R - (R%N)) +Cid

where

X    is the number to be assigned
R    is a random number in the number space
N    is the maximum number of CNAs (to use CVE parlance)
Cid  is a per-CNA-unique number
%    is the mod operator

So, for example, lets suppose that CERT, SecurityFocus, and Microsoft are
CNAs.

Mitre would choose the range, say 100, and calculate a maximum number of
CNAs, say 10, and assign Cids to the three CNAs, say 1,2,and 3
respectively.

Suppose MS wanted to assign a number. They would choose a random number R
in the range 1-100, lets say 59. Then, they'd calculate

R - (R%N) + Cid =
59 - (59 % 10) + 3 =
59 - 9 + 3 =
53

Suppose CERT wanted to do the same thing at the same time, they'd pick an
R, say 72, the calculate:

R - (R%N) + Cid =
72 - (72 % 10) + 1 =
72 - 2 + 1 =
71

Likewise SecurityFocus might choose R = 19, the calculate

R - (R%N) + Cid =
19 - (19 % 10) + 2 =
19 - 9 + 2 =
12

Basically, Cid # 1 gets 1, 11, 21, 31, 41..., Cid#2 gets 2, 12, 22, 32,
etc.

All that a given CNA needs is a list of all the numbers it has ever
assigned to avoid collisions. It can't collide with another CNA.

If someone knows the Cid, the can determine which CNA assigned the number
relatively easily, but that's not all that big a risk IMHO. If they know
the algorithm and one example of a number assigned by a particular CNA,
they can determine the Cid. Again, not a real biggie.

If it becomes an issue Cids can be swapped or rotated periodically. The
only issue is that the Cids have to be unique at a given time.

To the casual observer, the number appears to be random, and in fact does
not contain time or status information.