[cryptography] Java RNG

Kevin W. Wall kevin.w.wall at gmail.com
Wed Dec 30 19:28:08 EST 2015


On Wed, Dec 30, 2015 at 10:24 AM, Givon Zirkind <givonne at gmx.com> wrote:
> Does anyone have any thoughts on the randomness of the Java random number
> generator?

You really need to be more specific.  Here are some things to
consider in no particular order:

1) java.util.Random vs. java.security.SecureRandom
    The former is not suitable at all for most cryptographic purposes.
2) Which JDK version are you using it with? (Makes a different because
     of bug fixes and implementation changes in entropy gathering.)
3) If you are referring to SecureRandom, which provider are you intending
    to use? The default Sun provider or Bouncy Castle or some other provider?
4) Have you tweaked any of the relevant settings from
    $JAVA_HOME/jre/lib/java.security or set -Djava.security.edg
5) Are you planning on using it with a Java Security Manager? (Hahahahaha!)
6) What's your threat model?
7) Probably a dozen or more questions that I'm forgetting to ask.

-kevin
-- 
Blog: http://off-the-wall-security.blogspot.com/
NSA: All your crypto bit are belong to us.


More information about the cryptography mailing list