Random vs Secure Random numbers in Java
Prerequisite: Generating Random numbers in Java
java.security.SecureRandom class: This class provides a cryptographically strong random number generator (RNG). A cryptographically strong random number minimally complies with the statistical random number generator tests specified in FIPS 140-2, Security Requirements for Cryptographic Modules, section 4.9.1. Additionally, SecureRandom must produce non-deterministic output. Therefore any seed material passed to a SecureRandom object must be unpredictable, and all SecureRandom output sequences must be cryptographically strong.
java.util.Random class: The classes defined in Random are not cryptographically strong, and the numbers chosen are not completely random because a definite mathematical algorithm (based on Donald E. Knuth’s subtractive random number generator algorithm) is used to select them. Therefore, it is not safe to use this class for tasks that require a high level of security, like creating a random password etc.
Random vs SecureRandom
- Size: A Random class has only 48 bits whereas SecureRandom can have up to 128 bits. So the chances of repeating in SecureRandom are smaller.
- Seed Generation: Random uses the system clock as the seed/or to generate the seed. So they can be reproduced easily if the attacker knows the time at which the seed was generated. But SecureRandom takes Random Data from your OS (they can be interval between keystrokes etc – most OS collect these data and store them in files – /dev/random and /dev/urandom in case of Linux/solaris) and use that as the seed.
- Breaking the code: In case of random, just 2^48 attempts are required, with today’s advanced CPU‘s it is possible to break it in practical time. But for securerandom 2^128 attempts will be required, which will take years and years to break even with today’s advanced machines.
- Generating Function: The standard Oracle JDK 7 implementation uses what’s called a Linear Congruential Generator to produce random values in java.util.Random. Whereas Secure Random implements SHA1PRNG algorithm, which uses SHA1 to generate pseudo-random numbers. The algorithm computes the SHA-1 hash over a true random number(uses an entropy source) and then concatenates it with a 64-bit counter which increments by 1 on each operation.
- Security: Consequently, the java.util. The random class must not be used either for security-critical applications or for protecting sensitive data.
Generating Random number using java.util.Random;
Java
// A Java program to demonstrate// random number generation// using java.util.Random;import java.util.Random;public class generateRandom { public static void main(String args[]) { // create instance of Random class Random rand = new Random(); // Generate random integers in range 0 to 999 int rand_int1 = rand.nextInt(1000); int rand_int2 = rand.nextInt(1000); // Print random integers System.out.println("Random Integers: " + rand_int1); System.out.println("Random Integers: " + rand_int2); }} |
Output:
Random Integers: 956 Random Integers: 678
Generating Random number using java.security.SecureRandom;
Java
// A Java program to demonstrate secure// random number generation// using java.security.SecureRandomimport java.security.SecureRandom;public class generateRandom { public static void main(String args[]) { // create instance of SecureRandom class SecureRandom rand = new SecureRandom(); // Generate random integers in range 0 to 999 int rand_int1 = rand.nextInt(1000); int rand_int2 = rand.nextInt(1000); // Print random integers System.out.println("Random Integers: " + rand_int1); System.out.println("Random Integers: " + rand_int2); }} |
Output:
Random Integers: 817 Random Integers: 500
