[ https://issues.apache.org/jira/browse/MYFACES-4726?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17980468#comment-17980468 ]
Volodymyr Siedlecki commented on MYFACES-4726:
----------------------------------------------

[~bommel], it looks like you last changed security in MYFACES-4376. Would you be okay with this change? Thanks!

> Update to a Stronger Pseudo-Random Number Generator (i.e. move away from SHA1PRNG)
> --------------------------------------------------------------------------------
>
> Key: MYFACES-4726
> URL: https://issues.apache.org/jira/browse/MYFACES-4726
> Project: MyFaces Core
> Issue Type: Bug
> Reporter: Volodymyr Siedlecki
> Priority: Major
>
> We currently use SHA1PRNG for
> *o.a.m.RANDOM_KEY_IN_CSRF_SESSION_TOKEN_SECURE_RANDOM_ALGORITM* and
> *o.a.m.RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN_SECURE_RANDOM_ALGORITHM*.
> However, I've noticed it's based on the SHA1 Hash Algorithm which is no
> longer recommended.
> SHA256DRBG looks to be a common replacement, though it is a bit more
> computation intensive.
> I propose updating the existing SHA1PRNG references in 4.1 and 5.0 to
> SHA256DRBG?

--
This message was sent by Atlassian Jira (v8.20.10#820010)
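
A practical check for a change like the one proposed above, as an added example that is not MyFaces code or part of the original message: `SecureRandom` algorithm names are registered per security provider, so a configured name can raise `NoSuchAlgorithmException` on a JVM whose providers do not offer it. The class name, method names and preference order below are hypothetical; the sketch lists what the running JVM offers and picks the first available name.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.Security;
import java.util.List;

// Added illustration, not MyFaces code. Class and method names are hypothetical.
public class TokenRandomProbe {

    // Assumed preference order: the name proposed in the issue, the standard
    // JDK 9+ name "DRBG", then the SHA1PRNG currently in use as a last resort.
    static final List<String> PREFERRED = List.of("SHA256DRBG", "DRBG", "SHA1PRNG");

    // Returns an instance of the first name that an installed provider offers.
    static SecureRandom firstAvailable(List<String> names) {
        for (String name : names) {
            try {
                return SecureRandom.getInstance(name);
            } catch (NoSuchAlgorithmException e) {
                // No installed provider registers this name; try the next one.
            }
        }
        // Nothing matched: fall back to the platform default implementation.
        return new SecureRandom();
    }

    // Generates a random token of the given length in bytes, hex encoded.
    static String newToken(SecureRandom random, int lengthBytes) {
        byte[] raw = new byte[lengthBytes];
        random.nextBytes(raw);
        StringBuilder hex = new StringBuilder(lengthBytes * 2);
        for (byte b : raw) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    public static void main(String[] args) {
        System.out.println("Installed SecureRandom algorithms: "
                + Security.getAlgorithms("SecureRandom"));
        SecureRandom random = firstAvailable(PREFERRED);
        System.out.println("Selected: " + random.getAlgorithm()
                + " from provider " + random.getProvider().getName());
        System.out.println("Sample 16-byte token: " + newToken(random, 16));
    }
}
```

Running it on each target JVM shows which of the candidate names is actually available before a default is changed.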