The App uses an insecure Random Number Generator.
A random has only 48 bits where as SecureRandom can have upto
128 bits. So the chances of repeating in securerandom is very small.
Random uses the
So if the small token size is okay(in case of Random), you can continue using your code without any changes, since you are using SecureRandom to generate the seed. But if you want larger tokens(which cannot be subject to
In case of random just
Random uses the
system clock
as the seed/or
to generate the seed. So they can be reproduced easily if the attacker knows
the time at which the seed was generated. But SecureRandom
takes Random Data
from your
os
(they can be
interval between keystrokes etc - most os collect these data store them in
files - /dev/random and /dev/urandom in
case of linux/solaris
) and uses that as the seed.So if the small token size is okay(in case of Random), you can continue using your code without any changes, since you are using SecureRandom to generate the seed. But if you want larger tokens(which cannot be subject to
brute force attacks
) go with
SecureRandom - In case of random just
2^48
attempts are required, with todays advanced cpu's it is possible to break it in
practical time. But for securerandom 2^128
attempts will be required, which will take years and years to break even with
today's advanced machines.
No comments