Posted to server-dev@james.apache.org by "Thibaut SAUTEREAU (JIRA)" <se...@james.apache.org> on 2017/11/30 09:30:00 UTC

[jira] [Created] (JAMES-2245) Use cryptographically strong RNG

Thibaut SAUTEREAU created JAMES-2245:
----------------------------------------

             Summary: Use cryptographically strong RNG
                 Key: JAMES-2245
                 URL: https://issues.apache.org/jira/browse/JAMES-2245
             Project: James Server
          Issue Type: Improvement
          Components: mailbox, Queue
    Affects Versions: master
            Reporter: Thibaut SAUTEREAU


java.util.Random is a Linear Congruential Generator and Math.random is based on it. That means that both functions produce predictable values.

An attacker could leverage this property against James to eventually "obtain/use" an already "in-use" pseudo-randomly generated number to overwrite things like files, emails, mailboxes, etc. Such scenarios are rather unlikely but still in theory much more feasible than if a true, robust and cryptographically strong RNG were used. java.security.SecureRandom has these properties.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
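
Added example, not part of the original message and not James code: a Java program showing why values from java.util.Random count as predictable, using the generator algorithm documented in its Javadoc, next to an identifier drawn from java.security.SecureRandom. The class and method names (RngPredictabilityDemo, recoverState, predictNext, newUniqueId) are hypothetical.

```java
import java.security.SecureRandom;
import java.util.Random;

// Added example: hypothetical names, not code from the James code base.
public class RngPredictabilityDemo {
    // LCG constants documented in the java.util.Random Javadoc.
    private static final long MULT = 0x5DEECE66DL;
    private static final long ADD = 0xBL;
    private static final long MASK = (1L << 48) - 1;

    // nextInt() exposes the top 32 bits of a 48-bit state, so two consecutive
    // outputs leave only 16 unknown bits. Returns the state after the second
    // call, or -1 if no candidate fits.
    static long recoverState(int first, int second) {
        long high = ((long) first << 16) & MASK;
        for (long low = 0; low < (1L << 16); low++) {
            long next = ((high | low) * MULT + ADD) & MASK;
            if ((int) (next >>> 16) == second) {
                return next;
            }
        }
        return -1;
    }

    // The value java.util.Random returns from its next nextInt() call.
    static int predictNext(long state) {
        return (int) (((state * MULT + ADD) & MASK) >>> 16);
    }

    // Hardened form: 128-bit identifier from the platform CSPRNG.
    private static final SecureRandom SECURE = new SecureRandom();

    static String newUniqueId() {
        byte[] buf = new byte[16];
        SECURE.nextBytes(buf);
        StringBuilder sb = new StringBuilder();
        for (byte b : buf) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) {
        Random weak = new Random(); // seed is not known to the observer
        long state = recoverState(weak.nextInt(), weak.nextInt());
        int predicted = predictNext(state);
        System.out.println("predicted == actual: " + (predicted == weak.nextInt()));
        System.out.println("SecureRandom id: " + newUniqueId());
    }
}
```

When reviewing code for this issue, any identifier, file name or token derived from java.util.Random or Math.random should be treated as guessable and moved to a shared SecureRandom instance.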
