Volodymyr Siedlecki created MYFACES-4726:
--------------------------------------------
Summary: Update to a Stronger Pseudo-Random Number Generator (i.e. move away from SHA1PRNG)
Key: MYFACES-4726
URL: https://issues.apache.org/jira/browse/MYFACES-4726
Project: MyFaces Core
Issue Type: Bug
Reporter: Volodymyr Siedlecki
We currently use SHA1PRNG for
*o.a.m.RANDOM_KEY_IN_CSRF_SESSION_TOKEN_SECURE_RANDOM_ALGORITM* and
*o.a.m.RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN_SECURE_RANDOM_ALGORITHM*.
However, I've noticed it's based on the SHA1 Hash Algorithm which is no longer
recommended.
SHA256DRBG looks to be a common replacement, though it is a bit more
computation intensive.
I propose updating the existing SHA1PRNG references in 4.1 and 5.0 to
SHA256DRBG?
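Whether an algorithm name such as SHA256DRBG can be used depends on the JCA providers installed in the runtime, so a changed value is worth checking on the target JVM. The following is an added example, not MyFaces code and not part of the issue: the class `TokenRandomCheck` and its methods are hypothetical names, and it assumes only the standard `java.security.SecureRandom` API.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

// Added example: TokenRandomCheck and its methods are hypothetical, not MyFaces code.
public class TokenRandomCheck {

    // Candidate names in order of preference. "SHA256DRBG" is the name proposed
    // in the issue, "DRBG" is the standard JDK name (Java 9+), and "SHA1PRNG"
    // is the value the issue says is used today.
    static final String[] CANDIDATES = { "SHA256DRBG", "DRBG", "SHA1PRNG" };

    // Returns a SecureRandom for the first name the installed providers supply.
    static SecureRandom resolve(String... names) {
        for (String name : names) {
            try {
                return SecureRandom.getInstance(name);
            } catch (NoSuchAlgorithmException e) {
                System.err.println("not available on this runtime: " + name);
            }
        }
        // None of the names resolved: fall back to the platform default.
        return new SecureRandom();
    }

    // Hex-encodes `length` random bytes, standing in for a session token key.
    static String randomHex(SecureRandom random, int length) {
        byte[] bytes = new byte[length];
        random.nextBytes(bytes);
        StringBuilder sb = new StringBuilder(length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        SecureRandom random = resolve(CANDIDATES);
        // Report what was actually selected, so a silent fallback is visible.
        System.out.println("algorithm: " + random.getAlgorithm());
        System.out.println("provider:  " + random.getProvider().getName());
        System.out.println("sample:    " + randomHex(random, 16));
    }
}
```

Running it on each deployment JVM shows which name resolves and which provider backs it before the parameter values are changed.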