Entropy
OX App Suite consumes random data provided by the operating system via the Java Virtual Machine (JVM). Some use cases for random data are related to security-sensitive parts of the application, such as PGP key creation, password hashing, token generation for login mechanisms, transport encryption, and random tokens for sharing links. The cryptographic quality of those operations depends on the available entropy (randomness) collected by the operating system.
On Linux environments, there are typically two sources for entropy: /dev/random and /dev/urandom. The difference between the two is that /dev/random, which is no longer the default for most JVMs, is blocking: calls return only when sufficient entropy is available to generate random numbers. /dev/urandom, however, is non-blocking and returns a "random" number instantly. Some consider /dev/random somehow "superior" to /dev/urandom for generating random numbers; however, this is typically based on a misconception about the nature of /dev/urandom, which uses essentially the same underlying entropy source as /dev/random.
OX App Suite uses the Java SecureRandom class, which currently defaults to using /dev/urandom for generating random numbers (nextBytes() method), and /dev/random for initializing application-specific PRNGs (generateSeed() method). OX App Suite does not use the generateSeed() method.
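To confirm which entropy configuration a given JVM actually uses, an operator can run a small diagnostic like the following. This is an added example, not code from OX App Suite; the class name EntropySourceCheck is hypothetical, and it assumes a Linux host with a standard JDK.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Base64;

// Hypothetical diagnostic class (not part of OX App Suite): reports how this
// JVM's SecureRandom is configured and draws a token via nextBytes() only.
public class EntropySourceCheck {

    public static void main(String[] args) {
        // Seed source from the JDK's java.security file, and the optional
        // command-line override (-Djava.security.egd=...), null if unset.
        System.out.println("securerandom.source: " + Security.getProperty("securerandom.source"));
        System.out.println("java.security.egd:   " + System.getProperty("java.security.egd"));

        // The no-argument constructor picks the provider's preferred algorithm.
        SecureRandom rng = new SecureRandom();
        System.out.println("default algorithm:   " + rng.getAlgorithm()
                + " (provider " + rng.getProvider().getName() + ")");

        // Variants the SUN provider normally offers on Linux: NativePRNG mixes
        // both devices, the other two pin /dev/urandom or /dev/random.
        for (String alg : new String[] {"NativePRNG", "NativePRNGNonBlocking", "NativePRNGBlocking"}) {
            System.out.println(alg + " available: " + isAvailable(alg));
        }

        // 32 random bytes through nextBytes(); generateSeed() is never called,
        // so the blocking seed path is not exercised here.
        byte[] token = new byte[32];
        long start = System.nanoTime();
        rng.nextBytes(token);
        long micros = (System.nanoTime() - start) / 1_000;
        System.out.println("nextBytes(32) took " + micros + " us");
        System.out.println("sample token: "
                + Base64.getUrlEncoder().withoutPadding().encodeToString(token));
    }

    // True if any installed provider supplies the named SecureRandom algorithm.
    private static boolean isAvailable(String algorithm) {
        try {
            SecureRandom.getInstance(algorithm);
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }
}
```

Run it with the same JDK and JVM options as the middleware process, since a -Djava.security.egd override or an edited java.security file changes the reported values.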
Operators are responsible for providing a source of sufficient entropy to the underlying operating system.