New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

RandomIdGenerator has weak PRNG seeding #40

Closed
serac opened this Issue Apr 17, 2018 · 1 comment

Comments

Projects
None yet
1 participant
@serac
Member

serac commented Apr 17, 2018

RandomIdGenerator uses weak PRNG seeding that makes it susceptible to producing duplicate identifiers under some usage patterns. For example, two threads creating new instances at exactly the same instant; both instances will produce exactly the same sequence of identifiers since the DRBG underneath is initialized with the same seed. That behavior arguably violates the principle of least surprise and could easily be corrected through the use of a seed with greater entropy.

@serac serac added the bug label Apr 17, 2018

@serac serac self-assigned this Apr 17, 2018

serac added a commit that referenced this issue Apr 17, 2018

Avoid time-based nonces.
Use a properly seeded SecureRandom as a source of random data for nonces
and secure random sequence generation (e.g. RandomIdGenerator).

Fixed #40
@serac

This comment has been minimized.

Member

serac commented Apr 17, 2018

Pull request with fix: #41

@dfish3r dfish3r closed this in #41 Apr 19, 2018

dfish3r added a commit that referenced this issue Apr 19, 2018

Merge master changes.
Includes fixes for issues #37, #39, and #40.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment