Random GUIDs and UUID, and Randomizer.java


Jeffrey Walton

Aug 22, 2022, 12:12:29 PM
to ESAPI Project Users
Hi Everyone/Kevin,

It looks like Randomizer.java is providing random UUIDs. The reference
given is dead.[1] I went back to 2007 and the IETF returned 404's.

Nowadays I think you should use RFC 4122 and UUIDv4.[2] From Section
4.1.3 of [2]:

Msb0  Msb1  Msb2  Msb3   Version  Description
...
 0     1     0     0        4     The randomly or pseudo-
                                  randomly generated version
                                  specified in this document.

Jeff

[1] http://www.ietf.org/internet-drafts/draft-mealling-uuid-urn-03.txt
[2] https://datatracker.ietf.org/doc/html/rfc4122

Kevin W. Wall

Aug 22, 2022, 12:23:48 PM
to Jeff Walton, ESAPI Project Users
Thanks for the notice, Jeff.

We probably should just call the static method,

   UUID.randomUUID()

That returns a Type 4 UUID as defined in RFC4122. The class uses SecureRandom for that. Our use of it predates the java.util.UUID class though, which wasn't added until Java 5.

Unless you beat me to it, I'll create a GitHub issue to fix it this evening. 

-kevin

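The following is an added example (not ESAPI code and not part of the original thread) showing what the proposed fix relies on: `UUID.randomUUID()` yields an RFC 4122 variant, version-4 UUID, and how the version and variant bits are set on 16 `SecureRandom` bytes, which is the same layout rule from RFC 4122 Section 4.4 that the JDK applies internally. The class name `RandomUuidCheck` and the helper names are assumptions chosen for the example. The check only confirms the RFC 4122 framing (the 13th hex digit is `4`, the 17th is one of `8`, `9`, `a`, `b`); it cannot tell you anything about the quality of the underlying RNG, which is why the source of the bytes matters.

```java
import java.nio.ByteBuffer;
import java.security.SecureRandom;
import java.util.UUID;

public class RandomUuidCheck {

    private static final SecureRandom RNG = new SecureRandom();

    // Build a version-4 UUID from 16 CSPRNG bytes, fixing the version and
    // variant bits as RFC 4122 Section 4.4 prescribes. java.util.UUID.randomUUID()
    // does the equivalent internally; this makes the bit manipulation visible.
    static UUID manualRandomUuid() {
        byte[] b = new byte[16];
        RNG.nextBytes(b);
        b[6] = (byte) ((b[6] & 0x0f) | 0x40); // high nibble of octet 6: 0100 = version 4
        b[8] = (byte) ((b[8] & 0x3f) | 0x80); // top two bits of octet 8: 10xx = RFC 4122 variant
        ByteBuffer bb = ByteBuffer.wrap(b);
        return new UUID(bb.getLong(), bb.getLong());
    }

    // True when the UUID carries the RFC 4122 (Leach-Salz) variant and version 4.
    // UUID.variant() returns 2 for the RFC 4122 variant; version() returns 4
    // for the randomly generated version.
    static boolean isRfc4122Version4(UUID u) {
        return u.variant() == 2 && u.version() == 4;
    }

    public static void main(String[] args) {
        UUID fromJdk = UUID.randomUUID();
        UUID manual = manualRandomUuid();

        System.out.println("JDK:    " + fromJdk + "  version=" + fromJdk.version()
                + " variant=" + fromJdk.variant());
        System.out.println("manual: " + manual + "  version=" + manual.version()
                + " variant=" + manual.variant());

        if (!isRfc4122Version4(fromJdk) || !isRfc4122Version4(manual)) {
            throw new IllegalStateException("expected RFC 4122 version-4 UUIDs");
        }

        // Counter-example: two raw random longs are not a conforming UUID unless
        // the version/variant bits are set; version() and variant() will vary.
        UUID raw = new UUID(RNG.nextLong(), RNG.nextLong());
        System.out.println("raw longs: " + raw + "  version=" + raw.version()
                + " variant=" + raw.variant()
                + "  conforming=" + isRfc4122Version4(raw));
    }
}
```

Run it with `java RandomUuidCheck.java` (JDK 11 or later). The `raw` case is the thing to watch for in a hand-rolled generator: random bytes alone are not an RFC 4122 UUID, and consumers that dispatch on the version nibble will misclassify them.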

Kevin W. Wall

Aug 22, 2022, 5:34:18 PM
to Jeff Walton, ESAPI Project Users
@Jeff Walton and others: Please check out https://github.com/ESAPI/esapi-java-legacy/issues/737 and see if I adequately captured your concern and if you are okay with the proposed solution. If not, please comment in the GitHub issue itself.

Thanks,
-kevin
--
Blog: https://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall | OWASP ESAPI Project co-lead
NSA: All your crypto bit are belong to us.