/cryptacular

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

RandomIdGenerator has weak PRNG seeding #40

Closed
serac opened this Issue Apr 17, 2018 · 1 comment

Comments

Assignees

@serac serac

Labels
bug
Projects
None yet
Milestone
No milestone
1 participant
@serac
@serac
Member

serac commented Apr 17, 2018
edited

RandomIdGenerator uses weak PRNG seeding that makes it susceptible to producing duplicate identifiers under some usage patterns. For example, two threads creating new instances at exactly the same instant; both instances will produce exactly the same sequence of identifiers since the DRBG underneath is initialized with the same seed. That behavior arguably violates the principle of least surprise and could easily be corrected through the use of a seed with greater entropy.

@serac serac added the bug label Apr 17, 2018

@serac serac self-assigned this Apr 17, 2018

serac added a commit that referenced this issue Apr 17, 2018

@serac
Avoid time-based nonces. 
Use a properly seeded SecureRandom as a source of random data for nonces
and secure random sequence generation (e.g. RandomIdGenerator).

Fixed #40
488f94f

@serac serac referenced this issue Apr 17, 2018

Merged

Avoid time-based nonces. #41

@serac

This comment has been minimized.

Sign in to view
Member

serac commented Apr 17, 2018

Pull request with fix: #41

@dfish3r dfish3r closed this in #41 Apr 19, 2018

dfish3r added a commit that referenced this issue Apr 19, 2018

@dfish3r
Merge master changes. 
Includes fixes for issues #37, #39, and #40.
Verified
This commit was signed with a verified signature.
@dfish3r dfish3r Daniel Fisher
GPG key ID: 70B2EBE96C112CC9 Learn about signing commits
Loading status checks…
4e0e9ea
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment