[ https://issues.apache.org/jira/browse/MYFACES-4726?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17980486#comment-17980486 ]
Bernd Bohmann commented on MYFACES-4726:
----------------------------------------

[~volosied],

I'm ok with this change.

Best regards,

Bernd

> Update to a Stronger Pseudo-Random Number Generator (i.e move away from SHA1PRNG)
> ---------------------------------------------------------------------------------
>
> Key: MYFACES-4726
> URL: https://issues.apache.org/jira/browse/MYFACES-4726
> Project: MyFaces Core
> Issue Type: Bug
> Reporter: Volodymyr Siedlecki
> Priority: Major
>
> We currently use SHA1PRNG for
> *o.a.m.RANDOM_KEY_IN_CSRF_SESSION_TOKEN_SECURE_RANDOM_ALGORITM* and
> *o.a.m.RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN_SECURE_RANDOM_ALGORITHM.*
> However, I've noticed it's based on the SHA1 Hash Algorithm which is no
> longer recommended.
> SHA256DRBG looks to be a common replacement, though it is a bit more
> computation intensive.
> I propose updating the existing SHA1PRNG references in 4.1 and 5.0 to
> SHA256DRBG?

--
This message was sent by Atlassian Jira (v8.20.10#820010)
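
An added example, not part of the e-mail above and not MyFaces code: a check a deployer could run on the target JVM before switching the configured SecureRandom algorithm name. It assumes that a name such as SHA256DRBG may not be registered by every JVM's providers and that the standard JDK 9+ "DRBG" name is an acceptable second choice; the class name, the helper `firstAvailable`, the preference order and the 16-byte token length are hypothetical.

```java
import java.security.DrbgParameters;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Base64;
import java.util.List;

public class TokenRandomCheck {

    // Hypothetical helper: returns a SecureRandom for the first name in the
    // preference list that a provider on this JVM actually registers.
    static SecureRandom firstAvailable(List<String> preferred) throws NoSuchAlgorithmException {
        for (String name : preferred) {
            try {
                if ("DRBG".equals(name)) {
                    // Standard JDK 9+ DRBG, requested at 256-bit strength with reseed support.
                    return SecureRandom.getInstance("DRBG", DrbgParameters.instantiation(
                            256, DrbgParameters.Capability.RESEED_ONLY, null));
                }
                return SecureRandom.getInstance(name);
            } catch (NoSuchAlgorithmException | IllegalArgumentException e) {
                // Record the miss so a silent downgrade is visible in the output.
                System.out.println(name + " not available: " + e.getMessage());
            }
        }
        throw new NoSuchAlgorithmException("none of " + preferred + " is available");
    }

    public static void main(String[] args) throws Exception {
        // What this JVM's installed providers register for SecureRandom.
        System.out.println("SecureRandom algorithms: " + Security.getAlgorithms("SecureRandom"));

        // Assumed preference order: proposed name, standard DRBG, current value last.
        SecureRandom rng = firstAvailable(List.of("SHA256DRBG", "DRBG", "SHA1PRNG"));

        byte[] token = new byte[16]; // constructed length, for illustration only
        rng.nextBytes(token);
        System.out.println(rng.getAlgorithm() + " (" + rng.getProvider().getName() + ") -> "
                + Base64.getUrlEncoder().withoutPadding().encodeToString(token));
    }
}
```

The first output line shows whether the proposed name exists on that runtime; the last shows which algorithm and provider would actually back the token.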