Random vs Secure Random numbers in Java

Prerequisite: Generating Random numbers in Java

java.security.SecureRandom class: This class provides a cryptographically strong random number generator (RNG). A cryptographically strong random number minimally complies with the statistical random number generator tests specified in FIPS 140-2, Security Requirements for Cryptographic Modules, section 4.9.1. Additionally, SecureRandom must produce non-deterministic output. Therefore any seed material passed to a SecureRandom object must be unpredictable, and all SecureRandom output sequences must be cryptographically strong.

java.util.Random class: The classes defined in Random are not cryptographically strong, and the numbers chosen are not completely random because a definite mathematical algorithm (based on Donald E. Knuth’s subtractive random number generator algorithm) is used to select them. Therefore, it is not safe to use this class for tasks that require high level of security, like creating a random password etc.

Random vs SecureRandom

  1. Size: A Random class has only 48 bits where as SecureRandom can have upto 128 bits. So the chances of repeating in SecureRandom are smaller.
  2. Seed Generation: Random uses the system clock as the seed/or to generate the seed. So they can be reproduced easily if the attacker knows the time at which the seed was generated. But SecureRandom takes Random Data from your OS (they can be interval between keystrokes etc – most OS collect these data and store them in files – /dev/random and /dev/urandom in case of linux/solaris) and use that as the seed.
  3. Breaking the code: In case of random, just 2^48 attempts are required, with today’s advanced cpu’s it is possible to break it in practical time. But for securerandom 2^128 attempts will be required, which will take years and years to break even with today’s advanced machines.
  4. Generating Function: The standard Oracle JDK 7 implementation uses what’s called a Linear Congruential Generator to produce random values in java.util.Random. SecureRandom implementations are in the form of a pseudo-random number generator (PRNG), which means they use a deterministic algorithm to produce a pseudo-random sequence from a true random seed. Other implementations may produce true random numbers, and yet others may use a combination of both techniques.
  5. Security: Consequently, the java.util.Random class must not be used either for security-critical applications or for protecting sensitive data.

Generating Random number using java.util.Random;



filter_none

edit
close

play_arrow

link
brightness_4
code

// A Java program to demonstrate
// random number generation
// using java.util.Random;
import java.util.Random;
  
public class generateRandom
{
  
    public static void main(String args[])
    {
        // create instance of Random class
        Random rand = new Random();
  
        // Generate random integers in range 0 to 999
        int rand_int1 = rand.nextInt(1000);
        int rand_int2 = rand.nextInt(1000);
  
        // Print random integers
        System.out.println("Random Integers: " + rand_int1);
        System.out.println("Random Integers: " + rand_int2);
    }
}

chevron_right


Output:

Random Integers: 956
Random Integers: 678

Generating Random number using java.security.SecureRandom;

filter_none

edit
close

play_arrow

link
brightness_4
code

// A Java program to demonstrate secure 
// random number generation
// using java.security.SecureRandom
import java.security.SecureRandom;
  
public class generateRandom
{
  
    public static void main(String args[])
    {
        // create instance of SecureRandom class
        SecureRandom rand = new SecureRandom();
  
        // Generate random integers in range 0 to 999
        int rand_int1 = rand.nextInt(1000);
        int rand_int2 = rand.nextInt(1000);
  
        // Print random integers
        System.out.println("Random Integers: " + rand_int1);
        System.out.println("Random Integers: " + rand_int2);
    }
}

chevron_right


Output:

Random Integers: 817
Random Integers: 500

This article is contributed by Saket Kumar. If you like GeeksforGeeks and would like to contribute, you can also write an article using contribute.geeksforgeeks.org or mail your article to contribute@geeksforgeeks.org. See your article appearing on the GeeksforGeeks main page and help other Geeks.

Please write comments if you find anything incorrect, or you want to share more information about the topic discussed above.



My Personal Notes arrow_drop_up


Article Tags :
Practice Tags :


Be the First to upvote.


Please write to us at contribute@geeksforgeeks.org to report any issue with the above content.