Opened 8 years ago

Last modified 6 years ago

#264 new defect

Drop Ada.Numerics.Discrete_Random from nonce creation.

Reported by: Maxim Reznik
Owned by:
Priority: major
Milestone:
Component: Matreshka - Web Services
Version: 0.0.4
Keywords:
Cc:

Description

I believe Ada.Numerics.Discrete_Random is easily predictable and should not be used as a source for nonce generation in

Web_Services.SOAP.Security.Password_Digest_Utilities

located in design/soap/ws-securit/

Change History (2)

comment:1 by Maxim Reznik, 8 years ago

As one approach: use MD5 of Ada.Numerics.Discrete_Random.

In addition, we could provide an API to register a user's random generator.

comment:2 by vadim.godunko, 6 years ago

Some information about cryptographically secure pseudorandom number generators:

http://en.wikipedia.org/wiki/Cryptographically_secure_pseudorandom_number_generator

There are some references to known standards; we can implement one of them to replace the random generator from the predefined library.
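The two ideas raised in the comments (a registerable generator, and a cryptographically secure default in place of Ada.Numerics.Discrete_Random) can be combined as in the following added example, which is not part of the ticket and not Matreshka code. The names Nonce_Source, Register, OS_Random and Generate_Nonce are hypothetical, and the default source assumes a Unix-like host that provides /dev/urandom and an Ada 2012 compiler.

```ada
--  Added example, not Matreshka code. Nonce_Source, Register, OS_Random and
--  Generate_Nonce are hypothetical names; /dev/urandom assumes a Unix-like host.
with Ada.Streams;            use Ada.Streams;
with Ada.Streams.Stream_IO;
with Ada.Text_IO;
procedure Nonce_Demo is
   --  Profile a registered generator must have: fill Data with random octets.
   type Nonce_Source is access procedure (Data : out Stream_Element_Array);

   --  Default source: the operating system CSPRNG instead of Discrete_Random.
   procedure OS_Random (Data : out Stream_Element_Array) is
      use Ada.Streams.Stream_IO;
      File : File_Type;
      Last : Stream_Element_Offset;
   begin
      Open (File, In_File, "/dev/urandom");
      Read (File, Data, Last);
      Close (File);
      if Last /= Data'Last then
         raise Program_Error with "short read from /dev/urandom";
      end if;
   end OS_Random;

   Current : Nonce_Source := OS_Random'Access;

   --  Lets an application plug in its own generator (for example an HSM).
   procedure Register (Source : not null Nonce_Source) is
   begin
      Current := Source;
   end Register;

   function Generate_Nonce (Length : Positive := 16) return Stream_Element_Array is
      Result : Stream_Element_Array (1 .. Stream_Element_Offset (Length));
   begin
      Current (Result);  --  every nonce octet comes from the registered source
      return Result;
   end Generate_Nonce;

   Hex : constant String := "0123456789abcdef";
begin
   Register (OS_Random'Access);  --  explicit here; it is also the default
   declare
      Nonce : constant Stream_Element_Array := Generate_Nonce;
   begin
      for B of Nonce loop
         Ada.Text_IO.Put (Hex (Natural (B) / 16 + 1) & Hex (Natural (B) mod 16 + 1));
      end loop;
   end;
   Ada.Text_IO.New_Line;
end Nonce_Demo;
```

Because the nonce octets are taken directly from the registered source, no time-based seed or generator state from the predefined library is involved in the output.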
