
Ported to ColdFusion/CFML #311

Closed
JamoCA opened this issue Oct 25, 2021 · 9 comments

Comments

@JamoCA
Contributor

JamoCA commented Oct 25, 2021

I've ported nanoid to ColdFusion/CFML.
https://github.com/JamoCA/cfml-nanoid

NOTE: The built-in RandRange() function leverages Java's SecureRandom SHA1PRNG algorithm.

@ai
Owner

ai commented Oct 26, 2021

Does it use hardware random generator?

@JamoCA
Contributor Author

JamoCA commented Oct 26, 2021

I'm not sure... I'm still researching.

I found this:

2013 - Google confirmed that the IBM Java SecureRandom class in Java Cryptography Architecture (JCA) generated repetitive (and therefore predictable) sequences, which compromised application security made for Android to support the electronic currency Bitcoin – the equivalent of USD large amount in Bitcoins [10,11] was stolen. (NOTE: The Java version is not mentioned.)
https://www.nature.com/articles/s41598-021-95388-7

and this:

SHA1PRNG is a pure Java implementation, that may or may not use /dev/[u]random, depending on the java.security.egd System property or securerandom.source Security property.... SHA1PRNG is an old method, unless there is an obvious reason or unless you definitely know what you are doing, it should not be used in production.
https://metebalci.com/blog/everything-about-javas-securerandom/

Which makes me think that it may not be possible to use Java's SecureRandom SHA1PRNG implementation (like the listed jnanoid library does) to generate a nanoid. (Does jnanoid use hardware random generator? source)

ColdFusion server environments may vary, as well as the version of Java used. I may need to rewrite the function to support different security classes, but I'm attempting to use regular CFML so that nothing additional has to be installed and/or configured.

@ai
Owner

ai commented Oct 26, 2021

Modern secure random generators work in two steps:

  1. The CPU collects electromagnetic noise (with other random data from the OS) to generate a random seed. It could take a while.
  2. Then we use a deterministic algorithm to generate a long pseudo-random byte sequence from this seed.

These two steps allow us to generate random numbers faster. We need to collect noise only once (the implementation is a little more complicated, but let’s simplify).

SHA1PRNG is only the second step. With the same seed, it will generate the same byte sequence.

So, the main question is who sets the seed and how.
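The two-step model described in the comment above, as an added example that is not code from nanoid or from the CFML port: a toy HMAC-SHA1 counter-mode expander stands in for "step 2" (it is an assumption for illustration, not Java's actual SHA1PRNG algorithm), and nanoid's mask-and-reject alphabet sampling is built on top of it. Two expanders fed the same seed produce the same ID; seeding from the OS entropy source (step 1) or simply letting the platform CSPRNG do both steps does not. The `Sha1Drbg` class, `nanoid_from` and the helper names are this example's own.

```python
import hashlib
import hmac
import math
import os
import secrets
import string

# nanoid's default 64-character URL-safe alphabet.
ALPHABET = "_-" + string.digits + string.ascii_letters


class Sha1Drbg:
    """Toy 'step 2' expander: HMAC-SHA1 in counter mode keyed by the seed.

    Assumption for illustration only; it is NOT Java's SHA1PRNG. It shows the
    property that matters: same seed in, same byte stream out.
    """

    def __init__(self, seed: bytes):
        self.key = hashlib.sha1(seed).digest()
        self.counter = 0

    def next_bytes(self, n: int) -> bytes:
        out = bytearray()
        while len(out) < n:
            block = hmac.new(self.key, self.counter.to_bytes(8, "big"), hashlib.sha1).digest()
            self.counter += 1
            out.extend(block)
        return bytes(out[:n])


def nanoid_from(rng_bytes, size: int = 21, alphabet: str = ALPHABET) -> str:
    """nanoid-style sampling: mask each byte down to the next power of two
    above the alphabet length and reject indices past the end, so every
    character is equally likely (no modulo bias). rng_bytes(n) -> bytes."""
    if not 2 <= len(alphabet) <= 256:
        raise ValueError("alphabet must have 2..256 characters")
    mask = (2 << ((len(alphabet) - 1).bit_length() - 1)) - 1
    # Expected bytes per ID, padded by 1.6x so most IDs need one draw.
    step = math.ceil(1.6 * mask * size / len(alphabet))
    out = []
    while True:
        for b in rng_bytes(step):
            idx = b & mask
            if idx < len(alphabet):
                out.append(alphabet[idx])
                if len(out) == size:
                    return "".join(out)


def fixed_seed_ids(seed: bytes, size: int = 21):
    """Step 2 alone: two generators built from one fixed seed."""
    a, b = Sha1Drbg(seed), Sha1Drbg(seed)
    return nanoid_from(a.next_bytes, size), nanoid_from(b.next_bytes, size)


def repeats_with_same_seed(seed: bytes) -> bool:
    """True when the expander is deterministic for this seed (it always is)."""
    a, b = fixed_seed_ids(seed)
    return a == b


def os_seeded_id(size: int = 21) -> str:
    """Step 1 + step 2: fresh seed from the OS entropy pool, then expand."""
    return nanoid_from(Sha1Drbg(os.urandom(32)).next_bytes, size)


def library_id(size: int = 21, alphabet: str = ALPHABET) -> str:
    """What to actually ship: let the platform CSPRNG handle both steps."""
    return nanoid_from(secrets.token_bytes, size, alphabet)


if __name__ == "__main__":
    seed = b"constructed fixed seed"  # constructed sample input
    print("same seed, two generators:", fixed_seed_ids(seed))
    print("OS-seeded:", os_seeded_id(), os_seeded_id())
    print("platform CSPRNG:", library_id(), library_id(12, "0123456789"))
```

The practical check for any port is the one the comment points at: if an ID generator can be constructed from a caller-supplied seed with no OS entropy mixed in, two processes that happen to use the same seed will mint the same IDs.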

@ai
Owner

ai commented Oct 26, 2021

> Does jnanoid use hardware random generator?

It doesn’t pass anything to the SecureRandom constructor. Why do we limit the algorithm to SHA1PRNG?

@JamoCA
Contributor Author

JamoCA commented Oct 26, 2021

I've just updated the component and added support for all available CFML algorithms for RandRange(): SHA1PRNG, IBMSecureRandom, NativePRNG, NativePRNGBlocking and NativePRNGNonBlocking.

@ai
Owner

ai commented Oct 26, 2021

Still not sure how it works, but it seems very likely that it should work properly.

Please send PR to docs with a link to your project to save your name in the project history.

@JamoCA
Contributor Author

JamoCA commented Oct 26, 2021

BTW, Thanks for responding so quickly! (It often takes me days, weeks, etc to get responses from some project maintainers.)

@ai ai closed this as completed Oct 26, 2021
@JamoCA
Contributor Author

JamoCA commented Oct 26, 2021

BTW, I just noticed that the quantity of "ports other programming languages" was referenced in the project's readme intro. (The number should now reflect 20 instead of 19.) Is this an issue? Should I re-edit?

@ai
Owner

ai commented Oct 26, 2021

> BTW, I just noticed that the quantity of "ports other programming languages" was referenced in the project's readme intro. (The number should now reflect 20 instead of 19.) Is this an issue? Should I re-edit?

Yeap! And try to find the same number in Chinese and Russian docs.
