Posted to server-dev@james.apache.org by "Antoine Duprat (JIRA)" <se...@james.apache.org> on 2017/12/01 10:27:00 UTC

[jira] [Resolved] (JAMES-2245) Use cryptographically strong RNG

     [ https://issues.apache.org/jira/browse/JAMES-2245?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Antoine Duprat resolved JAMES-2245.
-----------------------------------
    Resolution: Fixed

merged

> Use cryptographically strong RNG
> --------------------------------
>
>                 Key: JAMES-2245
>                 URL: https://issues.apache.org/jira/browse/JAMES-2245
>             Project: James Server
>          Issue Type: Improvement
>          Components: mailbox, Queue
>    Affects Versions: master
>            Reporter: Thibaut SAUTEREAU
>              Labels: security
>
> java.util.Random is a Linear Congruential Generator and Math.random is based on it. That means that both functions produce predictable values.
> An attacker could leverage this property against James to eventually "obtain/use" an already "in-use" pseudo-randomly generated number to overwrite things like files, emails, mailboxes, etc. Such scenarios are rather unlikely but still in theory much more feasible than if a true robust and cryptographically strong RNG was used. java.security.SecureRandom has these properties.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
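
Added example, not part of the original message and not code from Apache James: a sketch of the property the issue describes, showing a java.util.Random-based identifier beside a java.security.SecureRandom replacement. The class name, the "upload-" prefix, the method names and the seed value are hypothetical.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashSet;
import java.util.Random;
import java.util.Set;

public class RandomIdExample {

    // Weak: java.util.Random is a linear congruential generator with 48 bits
    // of state, so its whole output stream is a deterministic function of the
    // seed and nextLong() cannot even produce every possible long value.
    static String weakId(Random rng) {
        return "upload-" + Long.toHexString(rng.nextLong());
    }

    // One shared instance; SecureRandom is thread-safe.
    private static final SecureRandom SECURE = new SecureRandom();

    // Hardened: 128 bits from the platform CSPRNG, encoded URL- and file-safe.
    static String strongId() {
        byte[] buf = new byte[16];
        SECURE.nextBytes(buf);
        return "upload-" + Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    public static void main(String[] args) {
        long seed = 1512124020000L; // constructed sample seed, for illustration only

        // Two generators that share a seed hand out the same "unique" names,
        // which is how one writer can end up overwriting another's data.
        Random first = new Random(seed);
        Random second = new Random(seed);
        Set<String> issued = new HashSet<>();
        for (int i = 0; i < 3; i++) {
            String a = weakId(first);
            String b = weakId(second);
            issued.add(a);
            System.out.println(a + " / " + b + " collide=" + !issued.add(b));
        }

        // SecureRandom output does not depend on a recoverable seed, so
        // independently generated identifiers do not repeat in practice.
        Set<String> strong = new HashSet<>();
        for (int i = 0; i < 3; i++) {
            String id = strongId();
            System.out.println(id + " fresh=" + strong.add(id));
        }
    }
}
```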
