is AES key random?

轮回少年 2021-02-10 22:46

An AES key may be generated by this code

    KeyGenerator kgen = KeyGenerator.getInstance("AES");
    kgen.init(128);

but

If I have a "very re

4 answers
  • 2021-02-10 22:57

    You can add a random algorithm using SecureRandom:

        import java.security.SecureRandom;
        import javax.crypto.KeyGenerator;
        import javax.crypto.SecretKey;

        KeyGenerator keyGen = KeyGenerator.getInstance("AES");
        SecureRandom random = new SecureRandom(); // cryptographically secure random source
        keyGen.init(random);
        SecretKey secretKey = keyGen.generateKey();
    
  • 2021-02-10 22:57

    It sounds like you're trying to generate an AES key based on a password.

    If this is the case, you can use javax.crypto.SecretKeyFactory's generateSecret method, passing in a javax.crypto.spec.PBEKeySpec as the parameter. The PBEKeySpec allows you to specify the password as an argument to its constructor.

  • 2021-02-10 23:01

    To add to the other answers ... I believe there are two reasons that the basic Random functions aren't secure:

    1. Slight statistical biases that are acceptable for non-security related situations, but narrow the distributions unacceptably for security applications.
    2. They are seeded by the system DATETIME. Even knowing WHEN you generated your key - to a poor accuracy of +/- 6 months - would significantly reduce the brute force search space.
  • 2021-02-10 23:15

    The AES key can be any 128 bits. It should be practically unguessable, whatever the method of creating it.

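    For example:

        import java.security.SecureRandom;
        import javax.crypto.Cipher;
        import javax.crypto.spec.IvParameterSpec;
        import javax.crypto.spec.SecretKeySpec;

        SecureRandom sr = new SecureRandom();

        // 16 bytes = 128-bit key; the IV is one AES block (16 bytes)
        byte[] key = new byte[16];
        byte[] iv = new byte[16];

        // Fill both from the cryptographically secure generator
        sr.nextBytes(key);
        sr.nextBytes(iv);

        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));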
    

    SecretKeySpec, by the way, is just a thin wrapper around a byte[] --- it does not transform the key in any way. No "special algorithm".

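The second answer's suggestion (SecretKeyFactory.generateSecret with a PBEKeySpec) written out as an added example; it is not code from any of the answers above. The algorithm name PBKDF2WithHmacSHA256, the iteration count, the salt size and the class name are assumptions chosen for this example, and the password is a constructed sample.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class PasswordDerivedAesKey {
    // Assumed parameters for this example; tune the iteration count to your hardware.
    static final int ITERATIONS = 600_000;
    static final int KEY_BITS = 128;   // same key size as kgen.init(128) in the question
    static final int SALT_BYTES = 16;

    // A fresh random salt per password makes equal passwords yield different keys.
    static byte[] newSalt() {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        return salt;
    }

    // Stretch the password with PBKDF2, then wrap the raw bytes as an AES key.
    static SecretKey deriveKey(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            byte[] raw = factory.generateSecret(spec).getEncoded();
            return new SecretKeySpec(raw, "AES");
        } finally {
            spec.clearPassword(); // wipe the spec's internal copy of the password
        }
    }

    public static void main(String[] args) throws Exception {
        char[] password = "correct horse battery staple".toCharArray(); // constructed sample
        byte[] salt = newSalt();
        byte[] k1 = deriveKey(password, salt).getEncoded();
        byte[] k2 = deriveKey(password, salt).getEncoded();      // re-derivation for decryption
        byte[] k3 = deriveKey(password, newSalt()).getEncoded(); // different salt
        System.out.println("key length in bytes: " + k1.length);
        System.out.println("same salt reproduces key: " + Arrays.equals(k1, k2));
        System.out.println("new salt reproduces key:  " + Arrays.equals(k1, k3));
    }
}
```

The salt is not secret; store it alongside the ciphertext so the same key can be derived again for decryption.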