First, I assume it's up to Pete to let me or us know how we can contribute 
code.  Hopefully Pete or somebody can offer some guidance there?

Second, let's identify the problems:

1. ThreadedSeedGenerator returns poor quality entropy.  Lots of patterns, 
highly compressible by any compression algorithm (zlib, bzip2, lzma, etc).  
This may be fixable somehow, but it's not presently clear how exactly to fix 
it.  Even without knowing how to fix it right now, see below for workarounds 
that make its importance much smaller:

2. The SecureRandom static constructor seeds a Sha256Generator, with 
Ticks and 24 bytes from ThreadedSeedGenerator.

   a. What it should do instead:  Seed from Ticks, and also 32 bytes from 
ThreadedSeedGenerator, and also 32 bytes from CryptoApiRandomGenerator, and 
also from any other entropy sources if they are available.

3. The non-static constructor only seeds itself with 8 bytes.  Given this 
is a sha1Generator, it should seed itself with 20 bytes.

There are some lower priority architectural issues, such as using the same 
static instance of sha1Generator and sha256Generator across all instances of 
the class - because that way, the output of one instance is dependent on the 
existence and use of other instances - But this isn't a major issue.  And no 
matter how much data gets read out from the SecureRandom instance, it is never 
reseeded (only at instance creation and if the user manually adds seed).  It really 
should reseed occasionally.  And there are a few other small concerns similar 
to these, but they're not major.

The primary major concerns are numbered above.  Bad entropy, bad seed size, and 
failure to use multiple sources of entropy.  These concerns are huge security 
problems.  I'd like to contribute code; I just need permission or instruction 
how.  I am familiar with git and github - but I don't want to go to the effort 
of forking & modifying & submitting a pull request if that will be wasted effort.
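To make the numbered points concrete, here is an added illustration (not BouncyCastle's code and not the poster's patch) of what items 2, 2a, 3 and the reseeding concern amount to, plus the compressibility check behind item 1. It assumes the BouncyCastle C# types named in the message (DigestRandomGenerator, Sha256Digest, ThreadedSeedGenerator, CryptoApiRandomGenerator under Org.BouncyCastle.Crypto.Prng / Digests); the class names MultiSourceSeeding, ReseedingRandom and Demo are hypothetical.

```csharp
using System;
using System.IO;
using System.IO.Compression;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Digests;
using Org.BouncyCastle.Crypto.Prng;

// Hypothetical helpers (illustration only, not BouncyCastle code).
public static class MultiSourceSeeding
{
    // Builds a SHA-256 DigestRandomGenerator seeded from several independent
    // sources, each contributing as many bytes as the digest outputs (32).
    public static DigestRandomGenerator CreateSeededGenerator()
    {
        IDigest digest = new Sha256Digest();
        int seedLen = digest.GetDigestSize();          // seed size matches the digest
        var generator = new DigestRandomGenerator(digest);

        // Source 1: clock ticks. Little entropy on its own, but cheap to mix in.
        generator.AddSeedMaterial(DateTime.UtcNow.Ticks);

        // Source 2: thread-timing jitter (the source whose quality item 1 questions).
        byte[] jitter = new ThreadedSeedGenerator().GenerateSeed(seedLen, false);
        generator.AddSeedMaterial(jitter);

        // Source 3: the operating system CSPRNG.
        byte[] osBytes = new byte[seedLen];
        new CryptoApiRandomGenerator().NextBytes(osBytes);
        generator.AddSeedMaterial(osBytes);

        // Any further source is just another AddSeedMaterial call; a weak source
        // cannot cancel a strong one, because all of them are hashed together.
        return generator;
    }

    // Item 1's check: how well does a sample compress? Random bytes do not
    // compress at all (ratio >= 1.0); patterned bytes compress well (ratio << 1.0).
    public static double CompressedRatio(byte[] sample)
    {
        using (var buffer = new MemoryStream())
        {
            using (var deflate = new DeflateStream(buffer, CompressionLevel.Optimal, true))
            {
                deflate.Write(sample, 0, sample.Length);
            }
            return (double)buffer.Length / sample.Length;
        }
    }
}

// Wraps the generator so it picks up fresh OS seed material after a fixed
// number of output bytes, instead of only at construction time.
public sealed class ReseedingRandom
{
    private readonly DigestRandomGenerator generator;
    private readonly CryptoApiRandomGenerator osSource = new CryptoApiRandomGenerator();
    private readonly long reseedInterval;
    private long bytesSinceReseed;

    public ReseedingRandom(DigestRandomGenerator generator, long reseedInterval)
    {
        this.generator = generator;
        this.reseedInterval = reseedInterval;
    }

    public void NextBytes(byte[] output)
    {
        if (bytesSinceReseed + output.Length > reseedInterval)
        {
            byte[] fresh = new byte[32];   // again sized to the SHA-256 digest
            osSource.NextBytes(fresh);
            generator.AddSeedMaterial(fresh);
            bytesSinceReseed = 0;
        }
        generator.NextBytes(output);
        bytesSinceReseed += output.Length;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Compressibility check on the raw ThreadedSeedGenerator output. Fast mode
        // and a small sample keep the run short; slow mode sleeps between samples.
        byte[] rawSeed = new ThreadedSeedGenerator().GenerateSeed(4096, true);
        Console.WriteLine("ThreadedSeedGenerator deflate ratio: {0:F3}",
                          MultiSourceSeeding.CompressedRatio(rawSeed));

        // The same check on a deliberately patterned buffer, for comparison.
        byte[] patterned = new byte[4096];
        for (int i = 0; i < patterned.Length; i++) patterned[i] = (byte)(i % 4);
        Console.WriteLine("Patterned buffer deflate ratio:     {0:F3}",
                          MultiSourceSeeding.CompressedRatio(patterned));

        // Multi-source seeding plus reseeding every 1 MiB of output.
        var rng = new ReseedingRandom(MultiSourceSeeding.CreateSeededGenerator(), 1 << 20);
        byte[] key = new byte[32];
        rng.NextBytes(key);
        Console.WriteLine("Key: {0}", BitConverter.ToString(key));
    }
}
```

Two things to keep in mind when using the check: it must be applied to the raw seed source, because the output of a SHA-256 based generator is incompressible no matter how poor its seed was, so compressing the generator's output tells you nothing about seed quality; and a sample that does not compress has merely passed a gross sanity test, which is evidence of structure when it fails, not proof of entropy when it passes.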
