[jira] [Commented] (MATH-1182) BUG - Insufficient Entropy in Commons-math3-3.3

Tue, 23 Dec 2014 14:50:34 -0800 

    [ 
https://issues.apache.org/jira/browse/MATH-1182?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14257635#comment-14257635
 ] 

Gilles commented on MATH-1182:
------------------------------

{quote}
1. FastMath.java (Line 813)
2. SynchronizedRandomGenerator.java (Line 78 and Line 85)
3. UniformIntegerDistribution.java (Line 164 and Line 172)
4. RandomAdaptor.java (Line 143 and 159)
{quote}

General note: to help solve issues, information (such as line numbers) should 
refer to the development version.

In all the classes above, the code uses a {{RandomGenerator}} (an interface); 
the actual implementation is chosen by the user!
In your testing, you may have chosen one that is indeed not recommended for 
secure applications. 
It would be interesting information to know which of the RNGs present in the 
Commons Math library are secure and which not.
Could you provide it?


> BUG - Insufficient Entropy in Commons-math3-3.3
> -----------------------------------------------
>
>                 Key: MATH-1182
>                 URL: https://issues.apache.org/jira/browse/MATH-1182
>             Project: Commons Math
>          Issue Type: Bug
>    Affects Versions: 3.3
>            Reporter: David Camilo Espitia Manrique
>   Original Estimate: 120h
>  Remaining Estimate: 120h
>
> We are currently using Commons-math3-3.3 and in the analysis for veracode, 
> found this bug in these class:
> 1. FastMath.java (Line 813)
> 2. SynchronizedRandomGenerator.java (Line 78 and Line 85)
> 3. UniformIntegerDistribution.java (Line 164 and Line 172)
> 4. RandomAdaptor.java (Line 143  and 159)
> Type : Insufficient Entropy
> Description:
> Standard random number generators do not provide a sufficient amount of 
> entropy when used for security purposes.
> Attackers can brute force the output of pseudorandom number generators such 
> as rand().
> Recommendations:
> If this random number is used where security is a concern, such as generating 
> a session key or session identifier, use
> a trusted cryptographic random number generator instead. These can be found 
> on the Windows platform in the
> CryptoAPI or in an open source library such as OpenSSL.
> Thanks.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to