SecureRandom serializable?? was: Re: RFR 8154523: SHA1PRNG output should change after reset
Wang Weijun
weijun.wang at oracle.com
Sun May 8 23:09:45 UTC 2016
> On May 9, 2016, at 4:22 AM, Michael StJohns <mstjohns at comcast.net> wrote:
>
> Does anyone else think there's something wrong with SecureRandom being serializable? In general, the internal state of a random number generator shouldn't be extract-able or even savable.
You are right. That's why we decided to make DRBG not so serializable. Settings are saved but not the internal states.
--Max
>
> I realize this behavior has probably been in the class since the beginning - but I hadn't actually read this code until I saw the review request.
>
> Mike
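As an added illustration of the split Max describes (configuration serialized, generator state not), here is a toy `SecureRandomSpi` written for this note; it is not the JDK's DRBG and not code from this thread. The SHA-256 chaining is only a stand-in for a real DRBG construction, and the class name and `strengthBits` field are assumptions.

```java
import java.io.*;
import java.security.*;

// Toy SPI (not the JDK's DRBG) showing the split Max describes:
// the configuration is serialized, the generator state is not.
// The SHA-256 chaining is a stand-in, not a vetted DRBG construction.
public final class NoStateSerializedSpi extends SecureRandomSpi {
    private static final long serialVersionUID = 1L;

    private final int strengthBits;   // setting: written on serialization
    private transient byte[] state;   // internal state: never written out

    public NoStateSerializedSpi(int strengthBits) {
        this.strengthBits = strengthBits;
        state = engineGenerateSeed(strengthBits / 8);
    }

    // Domain-separated hash of (tag || a || b); b may be empty.
    private static byte[] sha256(byte tag, byte[] a, byte[] b) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(tag); md.update(a); md.update(b);
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new AssertionError("SHA-256 is mandatory in the JDK", e);
        }
    }

    @Override protected void engineSetSeed(byte[] seed) {
        state = sha256((byte) 0, state, seed);     // mix in, never replace
    }

    @Override protected void engineNextBytes(byte[] out) {
        for (int off = 0; off < out.length; ) {
            byte[] block = sha256((byte) 1, state, new byte[0]);
            int n = Math.min(block.length, out.length - off);
            System.arraycopy(block, 0, out, off, n);
            off += n;
            state = sha256((byte) 2, state, new byte[0]);  // advance state
        }
    }

    @Override protected byte[] engineGenerateSeed(int n) {
        return new SecureRandom().generateSeed(n);   // platform entropy
    }

    // A deserialized copy restarts from fresh platform entropy, so the
    // serialized form can never be used to replay the original output.
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        state = engineGenerateSeed(strengthBits / 8);
    }
}
```

Serializing an instance writes only `strengthBits`; a round-tripped copy produces an unrelated output stream, which is the property Mike was asking for.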