Closed
Bug 722541
Opened 13 years ago
Closed 13 years ago
Standardize on a single random number generator
Categories
(Firefox for Android Graveyard :: Android Sync, defect, P1)
Tracking
(Not tracked)
RESOLVED
FIXED
mozilla13
People
(Reporter: dchanm+bugzilla, Assigned: nalexander)
References
Details
(Whiteboard: [qa-])
There are at least 3 ways for generating random data in the current JPAKE code. [1] uses SecureRandom, [2] and [3] use Random.
At the very least, [2] and [3] could be combined into one function.
createSecret in JPakeClient.java may need to use secure random [4]
[1] - https://github.com/mozilla-services/android-sync/blob/develop/src/main/java/org/mozilla/gecko/sync/jpake/JPakeNumGeneratorRandom.java#L49
[2] - https://github.com/mozilla-services/android-sync/blob/develop/src/main/java/org/mozilla/gecko/sync/jpake/JPakeClient.java#L1145
[3] - https://github.com/mozilla-services/android-sync/blob/develop/src/main/java/org/mozilla/gecko/sync/jpake/JPakeUtils.java#L44
[4] - https://github.com/mozilla-services/android-sync/blob/develop/src/main/java/org/mozilla/gecko/sync/jpake/JPakeClient.java#L1070
Comment 1•13 years ago
All of these must use a secure PRNG. The clientID stuff is a little less clear as to the necessity, but I think a secure PRNG doesn't hurt and at least theoretically should help make DoS attacks that require guessing the client ID more difficult.
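A sketch of the consolidation this bug asks for, as an added example and not code from android-sync or from either commenter: one `SecureRandom`-backed helper that serves both string values (secrets, client IDs) and big-integer values. The class name `SyncRandom`, its method names, the alphabet and the sample modulus are all assumptions made for illustration.

```java
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.Random;

// Hypothetical helper, not android-sync code: one CSPRNG for every J-PAKE value.
public final class SyncRandom {
    // SecureRandom is thread-safe and seeds itself from the platform entropy source.
    private static final SecureRandom RNG = new SecureRandom();
    // Assumed alphabet; the project's real character set is not shown on this page.
    private static final String ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789";

    private SyncRandom() {}

    /** Random string for secrets and client IDs; nextInt(bound) avoids modulo bias. */
    public static String randomString(int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(ALPHABET.charAt(RNG.nextInt(ALPHABET.length())));
        }
        return sb.toString();
    }

    /** Uniform value in [1, q-1] by rejection sampling, e.g. for a private exponent. */
    public static BigInteger randomExponent(BigInteger q) {
        if (q.compareTo(BigInteger.valueOf(2)) < 0) {
            throw new IllegalArgumentException("q must be >= 2");
        }
        BigInteger x;
        do {
            x = new BigInteger(q.bitLength(), RNG); // uniform in [0, 2^bitLength - 1]
        } while (x.signum() == 0 || x.compareTo(q) >= 0);
        return x;
    }

    public static void main(String[] args) {
        // java.util.Random is a 48-bit LCG: the same seed replays the same output,
        // which is why it must not produce secrets. The seed is a constructed sample.
        long seed = 42L;
        System.out.println(new Random(seed).nextLong() == new Random(seed).nextLong());
        System.out.println(randomString(8));
        // Constructed sample modulus, not the group used by the J-PAKE code.
        BigInteger q = BigInteger.valueOf(2).pow(255).subtract(BigInteger.valueOf(19));
        BigInteger x = randomExponent(q);
        System.out.println(x.signum() > 0 && x.compareTo(q) < 0);
    }
}
```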
Assignee
Updated•13 years ago
Assignee: nobody → nalexander
Priority: -- → P1
Comment 2•13 years ago
Comment 3•13 years ago
Target Milestone: --- → mozilla13
Updated•13 years ago
Whiteboard: [qa-]
Updated•12 years ago
Product: Mozilla Services → Android Background Services
Updated•7 years ago
Product: Android Background Services → Firefox for Android
Updated•4 years ago
Product: Firefox for Android → Firefox for Android Graveyard