harmony-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Imran Ghory" <imrangh...@gmail.com>
Subject Re: [classlib][security] RandomBitsSupplier.getRandomBits() on zOS
Date Tue, 08 Jan 2008 01:19:33 GMT
On Jan 8, 2008 12:35 AM, Endre StĂžlsvik <Endre@stolsvik.com> wrote:

> Yuri Dolgov wrote:
> > I had a little experience in this. I used several rdtsc values, local
> and
> > JNI variables
> > addresses, java memory info and nanotime value.
>
> Once upon a time, I also had the great idea to seed a random number
> generator by using the hashCode() (they say it is the "address" of the
> object on many JVMs) of some specific object.
>
>
There was an incident a while back where an online poker service was
exploited by the fact they seeded their randomness from time - someone just
brute forced all the possible time combinations and with the information
about which cards they had been dealt they were able to figure out what the
seed was.

Incidently, I know I'm coming a bit late to this conversation but couldn't
we just resort to throwing a NoSuchAlgorithmException in the case we don't
have a random source  - wouldn't that be better then using a non-random
source to avoid a false sense of security ?

Looking at the SecureRandom docs a SecureRandom source has to comply with
FIPS 140-2 & RFC 1750 - which unix random() almost certainly won't.

Imran

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message