RandomIdGenerator has weak PRNG seeding #40
Closed
Labels
Comments
serac
added a commit
that referenced
this issue
Apr 17, 2018
Use a properly seeded SecureRandom as a source of random data for nonces and secure random sequence generation (e.g. RandomIdGenerator). Fixed #40
Merged
Pull request with fix: #41 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
RandomIdGenerator
uses weak PRNG seeding that makes it susceptible to producing duplicate identifiers under some usage patterns. For example, two threads creating new instances at exactly the same instant; both instances will produce exactly the same sequence of identifiers since the DRBG underneath is initialized with the same seed. That behavior arguably violates the principle of least surprise and could easily be corrected through the use of a seed with greater entropy.The text was updated successfully, but these errors were encountered: