[
https://issues.apache.org/jira/browse/JCR-1206?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Thomas Mueller resolved JCR-1206.
---------------------------------
Resolution: Fixed
Fix Version/s: 1.4
Fixed as of revision 594470
> UUID generation: SecureRandom should be used by default
> -------------------------------------------------------
>
> Key: JCR-1206
> URL: https://issues.apache.org/jira/browse/JCR-1206
> Project: Jackrabbit
> Issue Type: Improvement
> Components: jackrabbit-core
> Reporter: Thomas Mueller
> Assignee: Thomas Mueller
> Fix For: 1.4
>
>
> Currently, the UUID generation used the regular java.util.Random
> implementation to generate random UUIDs. The seed value of Random is
> initialized using System.currentTimeMillis(); for Windows, the resolution is
> about 15 milliseconds. That means two computer that start creating UUIDs with
> Jackrabbit within the same 15 millisecond interval will generate the same
> UUIDs. In a clustered environment the nodes could be started automatically at
> the same time (for example after a backup).
> Also, the Random class uses a 48-bit seed, which is much less than the number
> of random bits in UUID (122). This is not secure. See also:
> http://en.wikipedia.org/wiki/UUID
> Random UUID probability of duplicates
> "The probability [of duplicates] also depends on the quality of the random
> number generator. A cryptographically secure pseudorandom number generator
> must be used to generate the values, otherwise the probability of duplicates
> may be significantly higher."
> Therefore, I suggest to change VersionFourGenerator to use the SecureRandom
> implementation in by default.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
