发表新帖
发表新帖

Should I seed a SecureRandom?

前端 未结
关注
5 836
忘了有多久
忘了有多久 2021-01-17 07:09

Found the following code in our code base:

public static final int DEFAULT_LENGTH = 16;
private static SecureRandom SR;
static
{
   try
   {
      SecureRand
5条回答
  • 广开言路
    广开言路 (楼主)
    2021-01-17 08:02

    This is not only completely unnecessary, it may actually increase the predictability of the numbers generated by the SecureRandom object.

    A SecureRandom that does not have an explicit seed set will self-seed. It uses a highly random data source to perform this operation, and is quite secure. The first SecureRandom in your code sample will use such a seed.

    The second is seeded from the first by producing 256 random bits. Assuming the system-default SHA1PRNG is used, this is good enough. It uses 160 bits of state, so 256 random bits will completely satisfy it's requirements. But assume now somebody decides this isn't enough, and switches the default to a SHA512PRNG (they can do this without even looking at your code by changing java's security properties). Now you're providing too few seed bits to it: only half as many as it needs.

    Get rid of it, and just use the self-seeded object, unless you have a better source of seed data than the system has available.

    0 讨论(0)
 看不清?
提交回复
热议问题