[prev in list] [next in list] [prev in thread] [next in thread]
List: cryptography-randombit
Subject: Re: [cryptography] Java RNG
From: "Kevin W. Wall" <kevin.w.wall () gmail ! com>
Date: 2015-12-31 0:28:08
Message-ID: CAOPE6PjweFYmHiiyFxh-Q+W6W5OjRLYEQiSHEUGasA1irVUroQ () mail ! gmail ! com
[Download RAW message or body]
On Wed, Dec 30, 2015 at 10:24 AM, Givon Zirkind <givonne@gmx.com> wrote:
> Does anyone have any thoughts on the randomness of the Java random number
> generator?
You really need to be more specific. Here are some things to
consider in no particular order:
1) java.util.Random vs. java.security.SecureRandom
The former is not suitable at all for most cryptographic purposes.
2) Which JDK version are you using it with? (Makes a different because
of bug fixes and implementation changes in entropy gathering.)
3) If you are referring to SecureRandom, which provider are you intending
to use? The default Sun provider or Bouncy Castle or some other provider?
4) Have you tweaked any of the relevant settings from
$JAVA_HOME/jre/lib/java.security or set -Djava.security.edg
5) Are you planning on using it with a Java Security Manager? (Hahahahaha!)
6) What's your threat model?
7) Probably a dozen or more questions that I'm forgetting to ask.
-kevin
--
Blog: http://off-the-wall-security.blogspot.com/
NSA: All your crypto bit are belong to us.
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic