Posted to server-dev@james.apache.org by "Antoine Duprat (JIRA)" <se...@james.apache.org> on 2017/12/01 10:27:00 UTC
[jira] [Resolved] (JAMES-2245) Use cryptographically strong RNG
[ https://issues.apache.org/jira/browse/JAMES-2245?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Antoine Duprat resolved JAMES-2245.
-----------------------------------
Resolution: Fixed
merged
> Use cryptographically strong RNG
> --------------------------------
>
> Key: JAMES-2245
> URL: https://issues.apache.org/jira/browse/JAMES-2245
> Project: James Server
> Issue Type: Improvement
> Components: mailbox, Queue
> Affects Versions: master
> Reporter: Thibaut SAUTEREAU
> Labels: security
>
> java.util.Random is a Linear Congruential Generator and Math.random is based on it. That means that both functions produce predictable values.
> An attacker could leverage this property against James to eventually "obtain/use" an already "in-use" pseudo-randomly generated number to overwrite things like files, emails, mailboxes, etc. Such scenarios are rather unlikely but still in theory much more feasible than if a true robust and cryptographically strong RNG was used. java.security.SecureRandom has these properties.
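Added example, not part of the original message and not James code: the issue's point that java.util.Random output is a pure function of a 48-bit LCG state, shown by replaying it with the constants documented in its Javadoc, next to an identifier drawn from java.security.SecureRandom. The class name, method names, the sample seed and the 128-bit identifier length are assumptions made for the illustration.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

// Added example, not James code: class and method names are hypothetical.
public class RngComparison {
    // Constants of the LCG documented in the java.util.Random Javadoc.
    private static final long MULTIPLIER = 0x5DEECE66DL;
    private static final long ADDEND = 0xBL;
    private static final long MASK = (1L << 48) - 1;

    // Re-implements Random.nextInt() from a known seed, showing that
    // every output is fully determined by the 48-bit internal state.
    static int[] replay(long seed, int count) {
        long state = (seed ^ MULTIPLIER) & MASK; // scrambling done by Random(long)
        int[] out = new int[count];
        for (int i = 0; i < count; i++) {
            state = (state * MULTIPLIER + ADDEND) & MASK;
            out[i] = (int) (state >>> 16); // nextInt() returns the top 32 bits
        }
        return out;
    }

    // Hardened form: 128 bits from the platform CSPRNG, URL-safe so the
    // value can be used in file, mail or mailbox names (assumed use case).
    private static final SecureRandom SECURE = new SecureRandom();

    static String newIdentifier() {
        byte[] bytes = new byte[16];
        SECURE.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    public static void main(String[] args) {
        long seed = 20171201L; // constructed sample seed
        Random weak = new Random(seed);
        int[] replayed = replay(seed, 5);
        for (int i = 0; i < replayed.length; i++) {
            int actual = weak.nextInt();
            System.out.printf("%d: actual=%d replayed=%d match=%b%n",
                    i, actual, replayed[i], actual == replayed[i]);
        }
        System.out.println("SecureRandom identifier: " + newIdentifier());
    }
}
```

A single shared SecureRandom instance is thread-safe, so one static field per class is enough; there is no need to create a new instance for each identifier.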