Hi Francesco, The feedback I have got is that the algorithm used in ThreadLocalRandom is not secure enough to be considered a SecureRandom. So I think it's probably not OK to switch if we are using it to generate tokens unfortunately.
Colm.

On Mon, Feb 5, 2018 at 12:25 PM, Colm O hEigeartaigh <cohei...@apache.org> wrote:

> No, my query got passed on to someone else, still waiting to hear back....
>
> Colm.
>
> On Mon, Feb 5, 2018 at 7:44 AM, Francesco Chicchiriccò <ilgro...@apache.org> wrote:
>
>> Hi,
>> thanks for the feedback got so far.
>>
>> I know from IRC that Colm has been exploring the security feasibility
>> with some of his contacts: any results so far?
>>
>> Regards.
>>
>> On 30/01/2018 08:24, Francesco Chicchiriccò wrote:
>>
>>> Hi there,
>>> any feedback on this?
>>> If no one sees issues with that I'll proceed as indicated.
>>>
>>> Regards.
>>>
>>> On 24/01/2018 17:54, Francesco Chicchiriccò wrote:
>>>
>>>> Hi all (and Colm in particular, as this should be in your chords),
>>>> we are currently basing all operations requiring random generation
>>>> (mainly tokens used during double opt-in and password reset, and password
>>>> values for specific cases) on SecureRandom [1].
>>>>
>>>> SecureRandom has, however, some performance issues which were solved,
>>>> starting with Java 7, by ThreadLocalRandom [2]; with Java 8 an improvement
>>>> was made [3] to retain security by setting the system property
>>>> 'java.util.secureRandomSeed' to true.
>>>>
>>>> Shall we:
>>>>
>>>> 1. suggest to set
>>>>
>>>> -Djava.security.egd=file:/dev/./urandom
>>>>
>>>> for Tomcat and other Java EE containers on Linux, and
>>>>
>>>> 2. suggest to set
>>>>
>>>> -Djava.util.secureRandomSeed=true
>>>>
>>>> for Tomcat and other Java EE containers, and
>>>>
>>>> 3. replace SecureRandom with ThreadLocalRandom in [1]
>>>>
>>>> ?
>>>>
>>>> Regards.
>>>>
>>>> [1] https://github.com/apache/syncope/blob/2_0_X/common/lib/src/main/java/org/apache/syncope/common/lib/SecureTextRandomProvider.java#L29
>>>> [2] https://docs.oracle.com/javase/7/docs/api/java/util/concurrent/ThreadLocalRandom.html
>>>> [3] https://docs.oracle.com/javase/8/docs/api/java/util/concurrent/ThreadLocalRandom.html
>>>>
>>>
>> --
>> Francesco Chicchiriccò
>>
>> Tirasa - Open Source Excellence
>> http://www.tirasa.net/
>>
>> Member at The Apache Software Foundation
>> Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
>> http://home.apache.org/~ilgrosso/
>>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com

-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
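The pattern the thread ends up at, as an added example that is not Syncope's SecureTextRandomProvider nor anything posted by the participants: keep SecureRandom for opt-in and reset tokens, but hold one shared instance so the seeding cost (the usual source of the performance complaint, and what the -Djava.security.egd=file:/dev/./urandom setting above addresses) is paid once, and compare presented tokens in constant time. The class and method names (SecureTokens, newToken, tokensMatch) are assumptions chosen for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

// Added example (hypothetical class, not Syncope's code): token generation
// that stays on SecureRandom, as the thread concludes, while avoiding the
// performance trap of constructing a new SecureRandom on every call.
public final class SecureTokens {

    // One shared instance: SecureRandom is thread-safe, and the expensive
    // part is seeding at construction, not per-call generation. On Linux,
    // -Djava.security.egd=file:/dev/./urandom makes that seeding read
    // /dev/urandom instead of blocking on /dev/random.
    private static final SecureRandom RNG = new SecureRandom();

    private static final int TOKEN_BYTES = 32; // 256 bits of unpredictability

    private SecureTokens() {
    }

    /** Returns a URL-safe, unpadded token suitable for double opt-in / password reset links. */
    public static String newToken() {
        byte[] raw = new byte[TOKEN_BYTES];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /** Compares a presented token against the stored one without a timing side channel. */
    public static boolean tokensMatch(String presented, String stored) {
        if (presented == null || stored == null) {
            return false;
        }
        byte[] a = presented.getBytes(StandardCharsets.UTF_8);
        byte[] b = stored.getBytes(StandardCharsets.UTF_8);
        // MessageDigest.isEqual runs in constant time for equal-length inputs;
        // the length of a fixed-size token is not a secret.
        return MessageDigest.isEqual(a, b);
    }

    public static void main(String[] args) {
        String token = newToken();
        System.out.println("SecureRandom algorithm in use: " + RNG.getAlgorithm());
        System.out.println("token: " + token + " (" + token.length() + " chars)");
        System.out.println("self-check matches: " + tokensMatch(token, token));
        System.out.println("tampered token matches: " + tokensMatch(token + "x", token));
    }
}
```

ThreadLocalRandom, by contrast, derives its stream from a small per-thread seed and mixing step that is designed for statistical quality, not unpredictability, which is why it is not a substitute for SecureRandom where a token must be unguessable.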