Return-Path: Delivered-To: apmail-jackrabbit-dev-archive@www.apache.org Received: (qmail 1801 invoked from network); 13 Nov 2007 19:13:14 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2) by minotaur.apache.org with SMTP; 13 Nov 2007 19:13:14 -0000 Received: (qmail 618 invoked by uid 500); 13 Nov 2007 19:13:02 -0000 Delivered-To: apmail-jackrabbit-dev-archive@jackrabbit.apache.org Received: (qmail 246 invoked by uid 500); 13 Nov 2007 19:13:01 -0000 Mailing-List: contact dev-help@jackrabbit.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@jackrabbit.apache.org Delivered-To: mailing list dev@jackrabbit.apache.org Received: (qmail 237 invoked by uid 99); 13 Nov 2007 19:13:01 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 13 Nov 2007 11:13:01 -0800 X-ASF-Spam-Status: No, hits=-100.0 required=10.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO brutus.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 13 Nov 2007 19:13:03 +0000 Received: from brutus (localhost [127.0.0.1]) by brutus.apache.org (Postfix) with ESMTP id 41E8A714209 for ; Tue, 13 Nov 2007 11:12:43 -0800 (PST) Message-ID: <1317151.1194981163122.JavaMail.jira@brutus> Date: Tue, 13 Nov 2007 11:12:43 -0800 (PST) From: "Esteban Franqueiro (JIRA)" To: dev@jackrabbit.apache.org Subject: [jira] Commented: (JCR-1206) UUID generation: SecureRandom should be used by default In-Reply-To: <14237269.1194357590564.JavaMail.jira@brutus> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-Virus-Checked: Checked by ClamAV on apache.org [ https://issues.apache.org/jira/browse/JCR-1206?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12542199 ] Esteban Franqueiro commented on JCR-1206: ----------------------------------------- Why not use UUID.randomUUID() directly? > UUID generation: SecureRandom should be used by default > ------------------------------------------------------- > > Key: JCR-1206 > URL: https://issues.apache.org/jira/browse/JCR-1206 > Project: Jackrabbit > Issue Type: Improvement > Components: jackrabbit-core > Reporter: Thomas Mueller > Assignee: Thomas Mueller > Fix For: 1.4 > > > Currently, the UUID generation used the regular java.util.Random implementation to generate random UUIDs. The seed value of Random is initialized using System.currentTimeMillis(); for Windows, the resolution is about 15 milliseconds. That means two computer that start creating UUIDs with Jackrabbit within the same 15 millisecond interval will generate the same UUIDs. In a clustered environment the nodes could be started automatically at the same time (for example after a backup). > Also, the Random class uses a 48-bit seed, which is much less than the number of random bits in UUID (122). This is not secure. See also: > http://en.wikipedia.org/wiki/UUID > Random UUID probability of duplicates > "The probability [of duplicates] also depends on the quality of the random number generator. A cryptographically secure pseudorandom number generator must be used to generate the values, otherwise the probability of duplicates may be significantly higher." > Therefore, I suggest to change VersionFourGenerator to use the SecureRandom implementation in by default. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.