Thursday, August 15, 2019

Is nextBytes() the only way to set the initial seed for a SecureRandom instance?

I've seen many tutorials for SecureRandom that give the following example:

SecureRandom random = new SecureRandom();
random.nextBytes(new byte[20]);

From the documentation, when a SecureRandom instance is created, it is not seeded yet. The nextBytes() method will invoke the default seeding for it. Therefore, I also see the following suggestion:

If using SHA1PRNG, always call java.security.SecureRandom.nextBytes(byte[]) immediately after creating a new instance of the PRNG.

My first question is: Is it a must? Can I also seed it with:

SecureRandom random = new SecureRandom();
random.setSeed(random.generateSeed(20));

Is it also a secure way to seed it?

My second question is about reseeding.

The setSeed(long seed) method of java.security.SecureRandom class is used to reseed this random object, using the eight bytes contained in the given long seed. The given seed supplements, rather than replaces, the existing seed. Thus, repeated calls are guaranteed never to reduce randomness.

So, it means that once I immediately call nextBytes to invoke the default seeding, it will always be secure regardless of what the reseeding seed is, correct? Does it mean the following code, which gives a hardcoded seed, is also secure:

SecureRandom random = new SecureRandom();
random.nextBytes(new byte[20]);
//reseed after usage
random.setSeed(new byte[]{(byte) 0x90, 0x15});
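
The three seeding orders discussed above, side by side, as an added example that is not part of the original post. It assumes the SHA1PRNG implementation of the OpenJDK/Oracle SUN provider, where a seed supplied before the first output is the only input to the initial state; the class and method names are illustrative.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;

public class SeedOrderDemo {
    // Constructed, hard-coded seed: the same two bytes as in the last snippet.
    static final byte[] FIXED_SEED = {(byte) 0x90, 0x15};

    static byte[] draw(SecureRandom r) {
        byte[] out = new byte[16];
        r.nextBytes(out);
        return out;
    }

    // Pattern A: setSeed() BEFORE any output. The instance never self-seeds,
    // so its state is derived from FIXED_SEED alone (SUN SHA1PRNG assumption).
    static byte[] fixedSeedFirst() throws NoSuchAlgorithmException {
        SecureRandom r = SecureRandom.getInstance("SHA1PRNG");
        r.setSeed(FIXED_SEED);
        return draw(r);
    }

    // Pattern B: nextBytes() first forces self-seeding from the system
    // entropy source; the later setSeed() is mixed into that state.
    static byte[] selfSeedThenReseed() throws NoSuchAlgorithmException {
        SecureRandom r = SecureRandom.getInstance("SHA1PRNG");
        r.nextBytes(new byte[20]);
        r.setSeed(FIXED_SEED);
        return draw(r);
    }

    // Pattern C: seed with generateSeed(), which reads the provider's seed
    // generator and does not depend on the instance's (still empty) state.
    static byte[] generateSeedFirst() throws NoSuchAlgorithmException {
        SecureRandom r = SecureRandom.getInstance("SHA1PRNG");
        r.setSeed(r.generateSeed(20));
        return draw(r);
    }

    public static void main(String[] args) throws Exception {
        // Two independent instances per pattern; equal output means the
        // stream is reproducible by anyone who knows the seed bytes.
        System.out.println("A repeats: " + Arrays.equals(fixedSeedFirst(), fixedSeedFirst()));
        System.out.println("B repeats: " + Arrays.equals(selfSeedThenReseed(), selfSeedThenReseed()));
        System.out.println("C repeats: " + Arrays.equals(generateSeedFirst(), generateSeedFirst()));
    }
}
```

Only pattern A depends on nothing but the hard-coded bytes; other providers and the platform default returned by `new SecureRandom()` may treat an early `setSeed()` differently, so check the provider in use with `getAlgorithm()` and `getProvider()`.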



