Closed Bug 722541 Opened 8 years ago Closed 8 years ago
Standardize on a single random number generator
There are at least 3 ways for generating random data in the current JPAKE code.  uses SecureRandom,  and  use Random. At the very least,  and  could be combined into one function. createSecret in JPakeClient.java may need to use secure random   - https://github.com/mozilla-services/android-sync/blob/develop/src/main/java/org/mozilla/gecko/sync/jpake/JPakeNumGeneratorRandom.java#L49  - https://github.com/mozilla-services/android-sync/blob/develop/src/main/java/org/mozilla/gecko/sync/jpake/JPakeClient.java#L1145 ] - https://github.com/mozilla-services/android-sync/blob/develop/src/main/java/org/mozilla/gecko/sync/jpake/JPakeUtils.java#L44  - https://github.com/mozilla-services/android-sync/blob/develop/src/main/java/org/mozilla/gecko/sync/jpake/JPakeClient.java#L1070
All of these must use a secure PRNG. The clientID stuff is a little less clear as to the necessity, but I think a secure PRNG doesn't hurt and at least theoretically should help make DoS attacks that require guessing the client ID more difficult.
Assignee: nobody → nalexander
Priority: -- → P1
Fixed in develop: https://github.com/mozilla-services/android-sync/commit/7721c1c50f28113ddd0db235894175e317c41a41
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla13
Product: Mozilla Services → Android Background Services
You need to log in before you can comment on or make changes to this bug.