harmony-dev mailing list archives

From Oliver Deakin <oliver.dea...@googlemail.com>
Subject Re: [classlib][security] RandomBitsSupplier.getRandomBits() on zOS
Date Thu, 10 Jan 2008 11:19:13 GMT
Thanks Endre - that's an interesting account.

To generate the random seed I used the current system time, the running 
time of the current process and an address of a local variable allocated 
with the port library equivalent of malloc. I found that, although 
fairly simple, this produced a good variety of seeds. I deliberately 
avoided using the JNIEnv, jclass, jbytearray and jint addresses passed 
as parameters to the function as I found they were often consistent 
between runs.

If anyone has suggestions on improvements to the seed selection, they 
would be gratefully received. A patch with the improvements in would be 
even more gratefully received ;)


Endre Stølsvik wrote:
> Yuri Dolgov wrote:
>> I had a little experience in this. I used several rdtsc values, local and
>> JNI variables addresses, java memory info and nanotime value.
> Once upon a time, I also had the great idea to seed a random number 
> generator by using the hashCode() (they say it is the "address" of the 
> object on many JVMs) of some specific object.
> However, by pretty much pure luck, I tested out a bit-print method 
> (basically, toBinaryString()) on the first random number that the 
> system made. And what do you know - it was the same every time I 
> started the web application! It soon hit me that of course it would 
> be: starting up big old Tomcat and this rather heavy application would 
> nevertheless be very deterministic: the sequence of objects created 
> will be exactly the same every single time - including the hashCode() 
> of that particular object I used. I guess the same can happen for 
> local addresses too.
> Please be careful when creating and seeding _secure_ system random 
> number generators - they ought to be pretty random!
> Kind regards,
> Endre.

Oliver Deakin
Unless stated otherwise above:
IBM United Kingdom Limited - Registered in England and Wales with number 741598. 
Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU
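
An added example, not part of the original message or of Harmony's code: a check for the failure described in this thread, where a candidate seed input (an address, a hashCode()) comes out identical on every start. The sample values and function names are constructed for illustration; in practice each array would hold one value logged per process start.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed samples: one candidate seed input captured on each of five runs. */
static const uint64_t addr_runs[5] = { /* a pointer that is identical on every start */
    0x7f3a1c004010ULL, 0x7f3a1c004010ULL, 0x7f3a1c004010ULL,
    0x7f3a1c004010ULL, 0x7f3a1c004010ULL };
static const uint64_t time_runs[5] = { /* millisecond clock, starts a few seconds apart */
    0x1176A2B3000ULL, 0x1176A2B3011ULL, 0x1176A2B3478ULL,
    0x1176A2B3C05ULL, 0x1176A2B3FFEULL };

/* Mask of bit positions that differed from the first sample in at least one run. */
uint64_t varying_bits(const uint64_t *s, size_t n) {
    uint64_t mask = 0;
    for (size_t i = 1; i < n; i++) mask |= s[0] ^ s[i];
    return mask;
}

/* Number of set bits in v. */
int popcount64(uint64_t v) {
    int c = 0;
    for (; v; v &= v - 1) c++;
    return c;
}

/* Upper bound, in bits, on what XOR-ing the two inputs can contribute as a seed.
   It is only an upper bound: bits that vary may still be predictable. */
int mixed_seed_bound(const uint64_t *a, const uint64_t *b, size_t n) {
    uint64_t mask = 0;
    for (size_t i = 1; i < n; i++) mask |= (a[0] ^ b[0]) ^ (a[i] ^ b[i]);
    return popcount64(mask);
}

int main(void) {
    printf("address: %d varying bits\n", popcount64(varying_bits(addr_runs, 5)));
    printf("clock:   %d varying bits\n", popcount64(varying_bits(time_runs, 5)));
    printf("mixed:   at most %d bits\n", mixed_seed_bound(addr_runs, time_runs, 5));
    return 0;
}
```

With these samples the address contributes nothing, so mixing it with the clock leaves the seed bounded by the clock's 12 varying bits.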
