Random vs Secure Random numbers in Java
Prerequisite: Generating Random numbers in Java
java.security.SecureRandom class: This class provides a cryptographically strong random number generator (RNG). A cryptographically strong random number minimally complies with the statistical random number generator tests specified in FIPS 140-2, Security Requirements for Cryptographic Modules, section 4.9.1. Additionally, SecureRandom must produce non-deterministic output. Therefore any seed material passed to a SecureRandom object must be unpredictable, and all SecureRandom output sequences must be cryptographically strong.
java.util.Random class: The classes defined in Random are not cryptographically strong, and the numbers chosen are not completely random because a definite mathematical algorithm (based on Donald E. Knuth’s subtractive random number generator algorithm) is used to select them. Therefore, it is not safe to use this class for tasks that require a high level of security, like creating a random password etc.
Random vs SecureRandom
- Size: A Random class has only 48 bits whereas SecureRandom can have up to 128 bits. So the chances of repeating in SecureRandom are smaller.
- Seed Generation: Random uses the system clock as the seed/or to generate the seed. So they can be reproduced easily if the attacker knows the time at which the seed was generated. But SecureRandom takes Random Data from your OS (they can be interval between keystrokes etc – most OS collect these data and store them in files – /dev/random and /dev/urandom in case of linux/solaris) and use that as the seed.
- Breaking the code: In case of random, just 2^48 attempts are required, with today’s advanced cpu’s it is possible to break it in practical time. But for securerandom 2^128 attempts will be required, which will take years and years to break even with today’s advanced machines.
- Generating Function: The standard Oracle JDK 7 implementation uses what’s called a Linear Congruential Generator to produce random values in java.util.Random. Whereas Secure Random implements SHA1PRNG algorithm, which uses SHA1 to generate pseudo-random numbers. The algorithm computes the SHA-1 hash over a true random number(uses an entropy source) and then concatenates it with a 64-bit counter which increments by 1 on each operation.
- Security: Consequently, the java.util. The random class must not be used either for security-critical applications or for protecting sensitive data.
Generating Random number using java.util.Random;
Random Integers: 956 Random Integers: 678
Generating Random number using java.security.SecureRandom;
Random Integers: 817 Random Integers: 500
This article is contributed by Saket Kumar. If you like GeeksforGeeks and would like to contribute, you can also write an article using contribute.geeksforgeeks.org or mail your article to email@example.com. See your article appearing on the GeeksforGeeks main page and help other Geeks.
Please write comments if you find anything incorrect, or you want to share more information about the topic discussed above.
Attention reader! Don’t stop learning now. Get hold of all the important Java Foundation and Collections concepts with the Fundamentals of Java and Java Collections Course at a student-friendly price and become industry ready. To complete your preparation from learning a language to DS Algo and many more, please refer Complete Interview Preparation Course.