licel / jcardsim

https://jcardsim.org

Make secure random significantly more random #140

Closed kategray closed 5 years ago

kategray commented 5 years ago

I updated the pull request to work even when the applet is called multiple times in the same exact millisecond. I'd like to be able to use jCardSim to virtualize applets over the internet (even if just for testing purposes), and predictable random numbers simply won't work in that usage scenario.

frankmorgner commented 5 years ago

Are you crazy? Simply go with java.security.SecureRandom!

kategray commented 5 years ago

@frankmorgner The implementation used is bouncycastle, and I'd like to keep it that way. Additionally, one of the uses of jcardsim is for unit testing. Java's SecureRandom will use /dev/random (if present) and block on systems with low entropy pretty easily.

It would be more secure, but it would carry the risk of hanging.

kategray commented 5 years ago

Having weighed the pros and cons, @frankmorgner, I'm going to take your advice. For production use, SecureRandom does make more sense.

I've added a note about blocking.
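
The failure mode discussed in this thread, as an added example that is not part of the pull request or of jCardSim's code: when every new session seeds its generator from the clock alone, sessions started in the same millisecond produce identical "random" bytes, while a fresh `java.security.SecureRandom` per session does not. Assumptions: `java.util.Random` stands in for a clock-seeded generator (the thread says jCardSim's own implementation is Bouncy Castle), and the class and method names are hypothetical.

```java
import java.security.SecureRandom;
import java.util.HashSet;
import java.util.Random;
import java.util.Set;
import java.util.function.Supplier;

public class SeedCollisionCheck {
    // Hypothetical stand-in: each new session seeds its generator from the clock only.
    static byte[] clockSeededChallenge() {
        byte[] out = new byte[16];
        new Random(System.currentTimeMillis()).nextBytes(out);
        return out;
    }

    // Each new session gets a SecureRandom seeded by the platform.
    static byte[] secureChallenge() {
        byte[] out = new byte[16];
        new SecureRandom().nextBytes(out);
        return out;
    }

    // Counts challenges that repeat an earlier one across `sessions` fresh sessions.
    static int repeats(Supplier<byte[]> newSession, int sessions) {
        Set<String> seen = new HashSet<>();
        int duplicates = 0;
        for (int i = 0; i < sessions; i++) {
            StringBuilder hex = new StringBuilder();
            for (byte b : newSession.get()) {
                hex.append(String.format("%02x", b));
            }
            if (!seen.add(hex.toString())) {
                duplicates++;
            }
        }
        return duplicates;
    }

    public static void main(String[] args) {
        int sessions = 1000; // constructed workload: many sessions started back to back
        int clock = repeats(SeedCollisionCheck::clockSeededChallenge, sessions);
        int secure = repeats(SeedCollisionCheck::secureChallenge, sessions);
        System.out.println("clock-seeded repeats: " + clock);
        System.out.println("SecureRandom repeats: " + secure);
        // Used as a regression check: any repeated 16-byte challenge fails the run.
        if (secure != 0) {
            throw new AssertionError("duplicate challenge from SecureRandom");
        }
    }
}
```

Run as a unit test, the `repeats` check catches a regression to clock-only seeding without needing to inspect the generator's internals.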