-
Notifications
You must be signed in to change notification settings - Fork 364
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
DefaultRandomizer.java use SecureRandom.getInstance(algorithm) to get SecureRandom instance Generating pseudo-random numbers #668
Comments
@JerryDevis Thanks. We will track this issue here, but we are tied to Java 1.7 until July 2022 and the end of Oracle advanced support for Java 1.7. |
Method referenced doesn't exist prior to 1.8: https://docs.oracle.com/javase/8/docs/api/java/security/SecureRandom.html#getInstanceStrong-- |
Also, probably worth asking you @kwwall about configurations regarding
So it seems that we are probably fine when the library is running on JVMs < 1.8, but we begin to drift as implementations swap out underneath us. |
@xeno6696 - First off, I didn't think the race condition necessarily involved mkdir. I thought it could also apply to creating sym links, although I may be thinking of something else. @JerryDevis - Secondly, if you don't like the way your default JCE behaves for SecureRandom, then change your JCE to something else such as BouncyCastle. The problem though that I have with this GH issue is that the "ask" is unclear. It's unclear if this gripe is about the fact that the SunJCE SecureRandom uses SHA1PRNG instead of something else (like SHA256PRNG), which really is not an issue as SHA1 is fine as a PRNG. Or is it that it uses /dev/random (which might block) vs /dev/urandom which doesn't block, or something else? I honestly and not sure which particular thing that you are objecting to and what exactly you propose ESAPI do about it so a more detailed explanation would be welcomed by all. |
Pulled this from some backchannel talk.
So I plan on closing this as "won't fix" unless @kwwall you think this is something we can loop back to after awhile? I'm guessing we just don't want to make this change until 1.) We can divorce from Java 1.7 and 2.) We can be reasonably assured that those linux versions are behind us. I'm not sure how long 2 would take. |
The only way that we can do this in a way that the ESAPI community will accept is to write it in a manner where:
But otherwise, there will be hell to pay with older Linux kernels if we cause the programs using ESAPI to block. But I can pretty much assure you that there likely are some using older Linux kernels, especially for embedded systems, IoT, etc. so I don't think the assumption that those older Linux kernels are safely behind us. |
It's been awhile. I got |
Two questions for @JerryDevis:
Thanks, -kevin |
@JerryDevis - Now that we are on Java 8 (ESAPI 2.4.0.0 was the first such release), we can carry this forward, but need you to address the above questions. |
I can't prove question one ,this answer to this is "no"。 |
Yes, this. SHA-1 is fine as a PRF. SHA-1 has lost some of its collision resistance. I believe Marc Steven's HashClash has it down to 2^63 (from a theoretical 2^80). But collision resistance is not a property of random number generation. On the other hand, if the hash lost preimage resistance and the attacker could reverse the output of the hash back to the original message, then that would be bad. The attacker could learn the state of the prng, and secret state is an assumption of a prng's security model. But SHA-1 has not lost preimage resistance. There are other properties like uniform distribution, but it is still believed SHA-1 behaves as an ideal hash. That is, it does not produce a stream of weak bits when properly keyed. |
SecureRandom.getInstance(SHA1) is to generate a pseudorandom number sequence by continuously performing SHA1.
The right way:
Use SecureRandom.getInstanceStrong() to generate random numbers.
The text was updated successfully, but these errors were encountered: