问题
Let's say I need good seed to initialize pseudo random generator (PRNG) in Java program and I don't have access to any hardware random generator.
How to get entropy from JVM without any user interaction?
回答1:
SHA-1 is going to be depreciated
The vulnerability is not relevant to CSPRNG construction.
How to get entropy from JVM?
SecureRandom is a generic facade over various security providers, including OS-specific entropy sources
回答2:
You can use generateSeed(int) or getSeed(int) to statically retrieve the seed input that is also used for SecureRandom itself. Then you can simply use that seed to seed your own CSPRNG.
There is really little need to do so, as the8472 already explained, but if you want to generate your own CSPRNG (or DRBG as it is known to NIST) then nothing is stopping you - simply provide the seed in the constructor of your SecureRandom implementation.
The chance that you can generate better entropy yourself is minimal. You can use the standard System.nanoTime() and add that to the internal state of the CSPRNG using the badly named setSeed method. I'd call one of the nextXxx methods before doing so though, otherwise you may replace the state instead of adding entropy to it.
Note that it is possible to extend SecureRandom; this is not the case for most of the other cryptography related classes. Implementing a CSPRNG is not of weak of heart; the chance that you will create a better CSPRNG as SHA1PRNG is minimal (the Apache implementation had some pretty horrible properties, to name just one attempt).
来源:https://stackoverflow.com/questions/42457032/how-to-get-entropy-from-jvm