I am simply trying to make heads-and-tails of some of the stuff that I am reading.

Lately, I've been working on some security stuff that requires generating "cryptographically strong" (or cryptographically secure) random values. These are random values that are suitable for cryptography and security purposes. Essentially, that means that these values (and the generators that create them) are sufficiently unpredictable and hold up well to attacks. In Java (and therefore in ColdFusion as well), the class (and its various implementations) are designed to generate these kinds of values.

Before this, I had never dealt with. So, I went to the Google and found a few solid articles to get me going:

SecureRandom Implementation ( - SHA1PRNG)

Unfortunately, it was hard to find consistent information on the SecureRandom class. Many articles that I read seemed to contradict each other. As such, I put more faith into the articles that I found on the Cigital Blog since Cigital is one of the world's largest security firms. On their blog, they recommend always explicitly defining the algorithm and provider when getting a SecureRandom instance so that you are sure to be using a consistent implementation across all environments.

In my experimental code, I've opted to use the SHA1PRNG algorithm, instead of the NativePRNG algorithm, because it seems to be a more widely available implementation and is apparently the faster of the two (from what I've read).

In the following code, I've encapsulated the interaction with the SecureRandom class inside of a ColdFusion component that exposes one method - nextToken(). This method returns base64url-encoded values that are based on a given number of random bytes. I'm using base64url so that the generated tokens can be safely used in a variety of contexts, including, but not limited to, URLs where they can be passed back and forth for request authentication:

Hint = "I generate random tokens using Java's SecureRandom class."

I am the generator implementation used to generate the random token data.

NOTE: The SHA1PRNG is not the default in all implementations of the JVM. As such, we're defining the algorithm explicitly to keep this code consistent.

Now that we've initialized the random generator, we have to generate a random

This will ensure that the random generator is self-seeded using

CAUTION: Since the underlying seed generator reads from sources of entropy, this may hang until enough entropy has been collected.

reason to do it during initialization time rather than at first-use time.

Generator.nextBytes( charsetDecode( " ", "utf-8" ) )

I hold the future date at which time the generator should be reseeded in order
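The token generator this post describes, written out in Java as an added example (it is not the author's ColdFusion component): explicit SHA1PRNG selection, self-seeding at construction, periodic reseeding, and base64url output from nextToken(). The class name `TokenGenerator`, the `"SUN"` provider, the one-hour reseed interval and the 16-byte minimum are assumptions that do not come from the post.

```java
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;

public class TokenGenerator {
    // Assumption: illustrative reseed interval; the post does not state one.
    private static final long RESEED_INTERVAL_MS = 60 * 60 * 1000L;
    // Assumption: 128-bit floor so callers cannot request guessable tokens.
    private static final int MIN_BYTES = 16;

    private final SecureRandom generator;
    private long reseedAt;

    public TokenGenerator() throws GeneralSecurityException {
        // Name the algorithm and provider so every environment uses the same
        // implementation. "SUN" is the provider in Oracle/OpenJDK JVMs; this
        // call throws on a JVM that lacks it instead of silently falling back.
        generator = SecureRandom.getInstance("SHA1PRNG", "SUN");
        // The first nextBytes() call forces SHA1PRNG to seed itself. Doing it
        // here moves the possible wait for entropy to initialization time
        // rather than the first token request.
        generator.nextBytes(new byte[1]);
        reseedAt = System.currentTimeMillis() + RESEED_INTERVAL_MS;
    }

    public synchronized String nextToken(int byteCount) {
        if (byteCount < MIN_BYTES) {
            throw new IllegalArgumentException("byteCount must be >= " + MIN_BYTES);
        }
        if (System.currentTimeMillis() >= reseedAt) {
            // setSeed() supplements the existing state, it never replaces it.
            // generateSeed() reads the seed source and may block for entropy.
            generator.setSeed(generator.generateSeed(32));
            reseedAt = System.currentTimeMillis() + RESEED_INTERVAL_MS;
        }
        byte[] bytes = new byte[byteCount];
        generator.nextBytes(bytes);
        // base64url alphabet (A-Z a-z 0-9 - _) without '=' padding, so the
        // token needs no escaping in URLs, headers or cookies.
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        TokenGenerator tokens = new TokenGenerator();
        System.out.println(tokens.nextToken(32)); // 32 bytes -> 43 characters
    }
}
```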