Posted to server-dev@james.apache.org by "Thibaut SAUTEREAU (JIRA)" <se...@james.apache.org> on 2017/11/30 09:30:00 UTC
[jira] [Created] (JAMES-2245) Use cryptographically strong RNG
Thibaut SAUTEREAU created JAMES-2245:
----------------------------------------
Summary: Use cryptographically strong RNG
Key: JAMES-2245
URL: https://issues.apache.org/jira/browse/JAMES-2245
Project: James Server
Issue Type: Improvement
Components: mailbox, Queue
Affects Versions: master
Reporter: Thibaut SAUTEREAU
java.util.Random is a Linear Congruential Generator and Math.random is based on it. That means that both functions produce predictable values.
An attacker could leverage this property against James to eventually "obtain/use" an already "in-use" pseudo-randomly generated number to overwrite things like files, emails, mailboxes, etc. Such scenarios are rather unlikely but still in theory much more feasible than if a true robust and cryptographically strong RNG was used. java.security.SecureRandom has these properties.
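The predictability described in the issue, shown as an added example (not code from the James code base or from the reporter): the java.util.Random Javadoc specifies the generator exactly, so a few lines reproduce its output from the seed, while SecureRandom has no such public recurrence. The class name, the helpers weakId and strongId, and the seed value are hypothetical and constructed for illustration.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

public class RngComparison {
    // Constants taken from the java.util.Random Javadoc.
    private static final long MULTIPLIER = 0x5DEECE66DL;
    private static final long INCREMENT = 0xBL;
    private static final long MASK = (1L << 48) - 1;

    /** Re-implementation of Random.nextInt() from the documented recurrence. */
    static final class DocumentedLcg {
        private long state;
        DocumentedLcg(long seed) { state = (seed ^ MULTIPLIER) & MASK; } // seed scrambling
        int nextInt() {
            state = (state * MULTIPLIER + INCREMENT) & MASK; // 48-bit LCG step
            return (int) (state >>> 16);                     // top 32 bits are the output
        }
    }

    /** Weak (hypothetical helper): identifier fully determined by the generator state. */
    static String weakId(Random random) {
        return Long.toHexString(random.nextLong());
    }

    /** Hardened (hypothetical helper): 128 bits from SecureRandom, URL-safe encoded. */
    static String strongId(SecureRandom random) {
        byte[] bytes = new byte[16];
        random.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    public static void main(String[] args) {
        long seed = 42L; // constructed sample seed
        Random jdk = new Random(seed);
        DocumentedLcg copy = new DocumentedLcg(seed);
        for (int i = 0; i < 5; i++) {
            // Every value the JDK generator emits is matched by the copy.
            if (jdk.nextInt() != copy.nextInt()) {
                throw new AssertionError("copy diverged at step " + i);
            }
        }
        System.out.println("documented LCG reproduced java.util.Random for 5 outputs");
        // Same state in, same "random" identifier out.
        boolean repeatable = weakId(new Random(seed)).equals(weakId(new Random(seed)));
        System.out.println("weakId repeatable from seed: " + repeatable);
        // SecureRandom draws from the platform CSPRNG; no seed is supplied here.
        System.out.println("strongId sample: " + strongId(new SecureRandom()));
    }
}
```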