Hallo,

I am quite sure you received the paper directly, but nevertheless I want to be sure and point it out here on the list as well.

http://www.scribd.com/doc/131955288/Randomly-Failed-The-State-of-Randomness-in-Current-Java-Implementations

Kai Michaelis, Christopher Meyer and Jörg Schwenk  - Ruhr Uni Bochum

Abstract: This paper investigates the Randomness of several Java Run-time Libraries by inspecting the integrated Pseudo Random Number Generators. Significant weaknesses in different libraries, including Android, are uncovered.


For the OpenJDK, most of the criticism was in regard to the size-limited state pool for the SHA-1 generator. I guess the analysis of the entropy collector is not that relevant, and since SHA1PRNG is mixing with native random on most platforms it is also not so critical. However, when building a strong version for key generation, the state space should be defined/observed in the spec, I think?

Greetings
Bernd

PS: found this paper via Kris Köhntopp, I think it is from the Cryptography Track at the RSA 2013 conference.
--
http://bernd.eckenfels.net
