Skip to content

/ cryptacular

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

RandomIdGenerator has weak PRNG seeding #40

Closed
serac opened this issue Apr 17, 2018 · 1 comment
Closed

RandomIdGenerator has weak PRNG seeding #40

serac opened this issue Apr 17, 2018 · 1 comment
Assignees
@serac
Labels
bug

Comments

@serac
Copy link
Member

@serac serac commented Apr 17, 2018
edited

RandomIdGenerator uses weak PRNG seeding that makes it susceptible to producing duplicate identifiers under some usage patterns. For example, two threads creating new instances at exactly the same instant; both instances will produce exactly the same sequence of identifiers since the DRBG underneath is initialized with the same seed. That behavior arguably violates the principle of least surprise and could easily be corrected through the use of a seed with greater entropy.
@serac serac added the bug label Apr 17, 2018
@serac serac self-assigned this Apr 17, 2018
serac added a commit that referenced this issue Apr 17, 2018
@serac
Avoid time-based nonces.
488f94f 
Use a properly seeded SecureRandom as a source of random data for nonces
and secure random sequence generation (e.g. RandomIdGenerator).

Fixed #40
@serac serac mentioned this issue Apr 17, 2018
Merged
@serac
Copy link
Member Author

@serac serac commented Apr 17, 2018

Pull request with fix: #41
@dfish3r dfish3r closed this in #41 Apr 19, 2018
dfish3r added a commit that referenced this issue Apr 19, 2018
@dfish3r
Merge master changes.
Verified
This commit was signed with a verified signature.
dfish3r Daniel Fisher
GPG key ID: 70B2EBE96C112CC9 Learn about signing commits
Loading status checks…
4e0e9ea 
Includes fixes for issues #37, #39, and #40.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@serac serac

Labels
bug
Projects
None yet
Milestone
No milestone
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
1 participant
@serac