Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

RandomIdGenerator has weak PRNG seeding #40

Closed
serac opened this issue Apr 17, 2018 · 1 comment
Closed

RandomIdGenerator has weak PRNG seeding #40

serac opened this issue Apr 17, 2018 · 1 comment
Assignees
Labels

Comments

@serac
Copy link
Member

serac commented Apr 17, 2018

RandomIdGenerator uses weak PRNG seeding that makes it susceptible to producing duplicate identifiers under some usage patterns. For example, two threads creating new instances at exactly the same instant; both instances will produce exactly the same sequence of identifiers since the DRBG underneath is initialized with the same seed. That behavior arguably violates the principle of least surprise and could easily be corrected through the use of a seed with greater entropy.

@serac serac added the bug label Apr 17, 2018
@serac serac self-assigned this Apr 17, 2018
serac added a commit that referenced this issue Apr 17, 2018
Use a properly seeded SecureRandom as a source of random data for nonces
and secure random sequence generation (e.g. RandomIdGenerator).

Fixed #40
@serac
Copy link
Member Author

serac commented Apr 17, 2018

Pull request with fix: #41

dfish3r added a commit that referenced this issue Apr 19, 2018
Includes fixes for issues #37, #39, and #40.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

1 participant