Join Log in
Score:4
automatictester avatar Crypto

Java: SecureRandom.getInstanceStrong() vs new SecureRandom()

ht flag
automatictester

Given SecureRandom class is considered suitable for use in cryptography, I consider new SecureRandom() to be secure (funny term, isn't it?).

If new SecureRandom() already is secure, what would be the benefit of using SecureRandom.getInstanceStrong() instead?

Is this same kind of difference as between /dev/urandom and /dev/random?

I'm debating this in the following scenario, where I'm mostly concerned about making IV random (for use with AES-GCM):

private final SecureRandom secureRandom = new SecureRandom();

[...]

private byte[] getIv() {
    int ivLength = 12;
    byte[] iv = new byte[ivLength];
    secureRandom.nextBytes(iv);
    return iv;
}
204
0 + 0
aes
gcm
kelalaka avatar
in flag
kelalaka
[See the footnote: Depends on the OS, in IOS they are same](https://crypto.stackexchange.com/a/85545/18298)
2
Reply
kelalaka avatar
in flag
kelalaka
This is library call to get instance... [SecureRandom.getInstanceStrong()](https://docs.oracle.com/javase/8/docs/api/java/security/SecureRandom.html) See [Maarten answer on so](https://stackoverflow.com/a/37256739/1820553)
1
Reply
Paul Uszak avatar
cn flag
Paul Uszak
Re. random: No (for the old ex.NSA kernel versions.) `\dev\random` was a TRNG whilst `dev\urandom` was a PRNG.
0
Reply
Gilles 'SO- stop being evil' avatar
cn flag
Gilles 'SO- stop being evil'
A GCM IV doesn't need to be random. It only needs to be unique. So for this specific case, it doesn't matter. The only reason to use a random IV for GCM is if you can't remember all the IVs that have been previously used, so you instead rely on statistical uniqueness. For that, it's enough to have a statistically random value, it doesn't even need to be cryptographically random (which is a stronger property, including impredictability and independence from all other random values).
1
Reply
Paul Uszak avatar
cn flag
Paul Uszak
@kelalaka This is a bit of a Java mess actually. `securerandom.source=file:/dev/random` which block(ed) of course. So if you spun up an app server, it took like five minutes to return a http request. Even a non https daft one like my site which is pretty surprising (probably cookie generation).
1
Reply
kelalaka avatar
in flag
kelalaka
What @Gilles said is true, If possible use [AES-GCM-SIV](https://crypto.stackexchange.com/q/82105/18298) to mitigate this issue...
1
Reply
Score:2
avatar Crypto
in flag
cactusresistance

SecureRandom.getInstanceStrong() will ensure that a strong algorithm (securerandom.strongAlgorithms) will is used.

  • It is available since Java version 8. Check your version before starting to use.

  • If no such algorithm is available in running VM, it will throw NoSuchAlgorithmException.

  • This failure is a better practice instead of defaulting into weak security.

0 + 0
kelalaka avatar
in flag
kelalaka
Welcome to Cryptography. A link to this claim or code line from the source will make this answer much better. Otherwise, this is a self claim. For example one could also say, it there is no strong ( what is the meaning of strong) algorithm then it will use the default one; java.util.Random. There is need for reference and in Java case, even versions..
1
Reply
in flag
cactusresistance
Thank your for your feedback kelalaka, I've added a bit more clarifications, as you suggested.
0
Reply
kelalaka avatar
in flag
kelalaka
Is there a list of strongAlgorithms?
0
Reply
Paul Uszak avatar
cn flag
Paul Uszak
@kelalaka 'Strong' is a common term used by cryptographers, agencies and totalitarian governments to label an encryption can can't be defeated in real time. There's a list [here](https://crypto.stackexchange.com/a/62515/23115). I don't know if AES should be added as there is no mathematical evidence that it's still secure.
0
Reply
kelalaka avatar
in flag
kelalaka
@PaulUszak I'm talking about in the context of the Java Security and specially on the random number generatos.
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.