commons-dev mailing list archives

From Gilles <>
Subject Re: [lang] Shuffling arrays
Date Sat, 01 Oct 2016 02:48:20 GMT
On Fri, 30 Sep 2016 15:02:40 +0200, Emmanuel Bourg wrote:
> On 28/09/2016 at 15:28, Gilles wrote:
>> Conversely, using "SecureRandom" in place of a deterministic
>> RNG is only useful in toy applications since the main feature
>> (of non-secure RNGs) one usually needs is reproducibility.
> I guess the Tomcat developers will love hearing they are building a toy
> application :)

A complete misinterpretation of my sentence.

If an application requires a cryptographically secure generator,
then using (i.e. allowing a user to choose) a deterministic one
might incur a vulnerability.

If an application must generate reproducible results, then
allowing a cryptographically secure generator is a useless

>> [1] Even the Java architects have indirectly acknowledged that,
>>     by having a new random-related class _NOT_ extend "Random"
>>     (allowing them to drop all the cruft brought by it).
> Are you referring to not extending
> java.util.Random?

No, "SplittableRandom".


> This is merely a mechanism allowing to plug extra
> implementations, the whole security package is designed around this
> concept. But users only deal with SecureRandom, which extends Random.
> Emmanuel Bourg
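
The trade-off discussed in this message (a deterministic generator where a cryptographically secure one is required, versus a secure one where reproducibility is required), as an added example that is not part of the original message and not Commons Lang code. The class `ShuffleDemo`, its methods and the seed value are hypothetical names and constructed values chosen for illustration.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Random;

public class ShuffleDemo {

    // Fisher-Yates shuffle driven by whichever generator the caller supplies.
    static void shuffle(int[] a, Random rng) {
        for (int i = a.length - 1; i > 0; i--) {
            int j = rng.nextInt(i + 1); // uniform index in [0, i]
            int tmp = a[i];
            a[i] = a[j];
            a[j] = tmp;
        }
    }

    // Entry point for security-sensitive callers: the parameter type keeps
    // a caller from passing a plain seeded java.util.Random.
    static void shuffleSecure(int[] a, SecureRandom rng) {
        shuffle(a, rng);
    }

    // Ordered array 0..n-1 used as shuffle input.
    static int[] deck(int n) {
        int[] d = new int[n];
        for (int i = 0; i < n; i++) {
            d[i] = i;
        }
        return d;
    }

    public static void main(String[] args) {
        long seed = 42L; // constructed sample seed
        int[] first = deck(52);
        int[] second = deck(52);
        shuffle(first, new Random(seed));
        shuffle(second, new Random(seed));
        // Same seed, same permutation: reproducible for tests and simulations,
        // and equally reproducible by anyone who learns or guesses the seed.
        System.out.println("seeded runs identical: " + Arrays.equals(first, second));

        int[] s1 = deck(52);
        int[] s2 = deck(52);
        shuffleSecure(s1, new SecureRandom());
        shuffleSecure(s2, new SecureRandom());
        // Self-seeded from the platform entropy source: no seed to replay.
        System.out.println("SecureRandom runs identical: " + Arrays.equals(s1, s2));
    }
}
```

The type restriction on `shuffleSecure` narrows what a caller can pass but does not by itself prove the generator is unpredictable, since `SecureRandom` can be subclassed or explicitly seeded.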
