commons-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Gilles (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (MATH-1182) BUG - Insufficient Entropy in Commons-math3-3.3
Date Tue, 23 Dec 2014 22:50:13 GMT

    [ https://issues.apache.org/jira/browse/MATH-1182?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14257635#comment-14257635
] 

Gilles commented on MATH-1182:
------------------------------

{quote}
1. FastMath.java (Line 813)
2. SynchronizedRandomGenerator.java (Line 78 and Line 85)
3. UniformIntegerDistribution.java (Line 164 and Line 172)
4. RandomAdaptor.java (Line 143 and 159)
{quote}

General note: to help solve issues, information (such as line numbers) should refer to the
development version.

In all the classes above, the code uses a {{RandomGenerator}} (an interface); the actual implementation
is chosen by the user!
In your testing, you may have chosen one that is indeed not recommended for secure applications.

It would be interesting information to know which of the RNGs present in the Commons Math
library are secure and which not.
Could you provide it?


> BUG - Insufficient Entropy in Commons-math3-3.3
> -----------------------------------------------
>
>                 Key: MATH-1182
>                 URL: https://issues.apache.org/jira/browse/MATH-1182
>             Project: Commons Math
>          Issue Type: Bug
>    Affects Versions: 3.3
>            Reporter: David Camilo Espitia Manrique
>   Original Estimate: 120h
>  Remaining Estimate: 120h
>
> We are currently using Commons-math3-3.3 and in the analysis for veracode, found this
bug in these class:
> 1. FastMath.java (Line 813)
> 2. SynchronizedRandomGenerator.java (Line 78 and Line 85)
> 3. UniformIntegerDistribution.java (Line 164 and Line 172)
> 4. RandomAdaptor.java (Line 143  and 159)
> Type : Insufficient Entropy
> Description:
> Standard random number generators do not provide a sufficient amount of entropy when
used for security purposes.
> Attackers can brute force the output of pseudorandom number generators such as rand().
> Recommendations:
> If this random number is used where security is a concern, such as generating a session
key or session identifier, use
> a trusted cryptographic random number generator instead. These can be found on the Windows
platform in the
> CryptoAPI or in an open source library such as OpenSSL.
> Thanks.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message