SecureRandom serializable?? was: Re: RFR 8154523: SHA1PRNG output should change after reset

Wang Weijun weijun.wang at oracle.com
Sun May 8 23:09:45 UTC 2016


> On May 9, 2016, at 4:22 AM, Michael StJohns <mstjohns at comcast.net> wrote:
> 
> Does anyone else think there's something wrong with SecureRandom being serializable?  In general, the internal state of a random number generator shouldn't be extract-able or even savable.

You are right. That's why we decided to make DRBG not so serializable. Settings are saved but not the internal states.

--Max

> 
> I realize this behavior has probably been in the class since the beginning - but I hadn't actually read this code until I saw the review request.
> 
> Mike
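
A quick way to see the difference the two messages above describe is to serialize a SecureRandom, deserialize the bytes into a second object, and check whether the copy produces the same output as the original from that point on. If it does, the serialized form carried the generator's internal state, which is exactly what Mike objects to; if it does not, only the configuration survived the round trip, which is what Max says the DRBG implementation does. The following is an added example written for this page, not code from the thread or from OpenJDK. It assumes only the standard java.io serialization API and the algorithm names "SHA1PRNG" (Sun provider) and "DRBG" (JDK 9 and later); the class and method names are hypothetical, and the program prints whatever it observes on the JDK it runs on rather than assuming a result.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;

// Hypothetical class name for this added example.
public class SerializedPrngStateCheck {

    // Serialize a SecureRandom to bytes and deserialize it into a fresh object,
    // the way any caller holding a reference to it could.
    static SecureRandom roundTrip(SecureRandom sr)
            throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(sr);
        }
        try (ObjectInputStream ois =
                     new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            return (SecureRandom) ois.readObject();
        }
    }

    // Returns true when the deserialized copy emits the same bytes as the
    // original generator, i.e. the serialized form contained the working state.
    static boolean copyPredictsOriginal(String algorithm)
            throws NoSuchAlgorithmException, IOException, ClassNotFoundException {
        SecureRandom original = SecureRandom.getInstance(algorithm);
        // Force seeding and advance the generator so that the comparison is
        // not just two freshly seeded instances.
        original.nextBytes(new byte[16]);

        SecureRandom copy = roundTrip(original);

        byte[] fromOriginal = new byte[32];
        byte[] fromCopy = new byte[32];
        original.nextBytes(fromOriginal);
        copy.nextBytes(fromCopy);
        return Arrays.equals(fromOriginal, fromCopy);
    }

    public static void main(String[] args) throws Exception {
        for (String alg : new String[] {"SHA1PRNG", "DRBG"}) {
            try {
                boolean leaked = copyPredictsOriginal(alg);
                System.out.println(alg + ": deserialized copy reproduces the original's "
                        + "future output? " + leaked);
            } catch (NoSuchAlgorithmException e) {
                System.out.println(alg + ": not available on this JDK");
            }
        }
    }
}
```

A "true" for an algorithm means that anything able to serialize the object (an overly broad ObjectOutputStream, a session store, a cache) obtains the generator's current state and can predict its future output; treat such an object like key material. A "false" means the copy was re-instantiated from its settings alone, which is the behaviour Max describes for DRBG. Note that the check is about the serialized form only: a live reference to the object still hands out the same stream to whoever holds it.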
