jackrabbit-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Esteban Franqueiro (JIRA)" <j...@apache.org>
Subject [jira] Commented: (JCR-1206) UUID generation: SecureRandom should be used by default
Date Tue, 13 Nov 2007 19:12:43 GMT

    [ https://issues.apache.org/jira/browse/JCR-1206?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12542199

Esteban Franqueiro commented on JCR-1206:

Why not use UUID.randomUUID() directly?

> UUID generation: SecureRandom should be used by default
> -------------------------------------------------------
>                 Key: JCR-1206
>                 URL: https://issues.apache.org/jira/browse/JCR-1206
>             Project: Jackrabbit
>          Issue Type: Improvement
>          Components: jackrabbit-core
>            Reporter: Thomas Mueller
>            Assignee: Thomas Mueller
>             Fix For: 1.4
> Currently, the UUID generation used the regular java.util.Random implementation to generate
random UUIDs. The seed value of Random is initialized using System.currentTimeMillis(); for
Windows, the resolution is about 15 milliseconds. That means two computer that start creating
UUIDs with Jackrabbit within the same 15 millisecond interval will generate the same UUIDs.
In a clustered environment the nodes could be started automatically at the same time (for
example after a backup).
> Also, the Random class uses a 48-bit seed, which is much less than the number of random
bits in UUID (122). This is not secure. See also:
> http://en.wikipedia.org/wiki/UUID
> Random UUID probability of duplicates
> "The probability [of duplicates] also depends on the quality of the random number generator.
A cryptographically secure pseudorandom number generator must be used to generate the values,
otherwise the probability of duplicates may be significantly higher."
> Therefore, I suggest to change VersionFourGenerator to use the SecureRandom implementation
in by default.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

View raw message