I'm a little bit confused about the usage of SecureRandom. I need to generate n secure random numbers in a loop. Is it secure to use the same SecureRandom instance for each generation? Is there any difference between the solutions below in terms of cryptographic strength?

1) Single instance without seeding

SecureRandom sr = new SecureRandom();
for(int i = 0; i < n; ++i) sr.nextInt();

2) New instance for each generation

for(int i = 0; i < n; ++i) new SecureRandom().nextInt();

3) Single instance with seeding

SecureRandom sr = new SecureRandom();
for(int i = 0; i < n; ++i) {
    // reseed from the generator's own seed source on every iteration
    byte[] seed = sr.generateSeed(32);
    sr.setSeed(seed);
    sr.nextInt();
}

                "I need to generate n random numbers in a loop" - the first question is, do you need random numbers, or secure random numbers? If the former, then you don't need SecureRandom. You can use a Linear Congruential Generator. An LCG would be appropriate for simulations, where you need numbers fast from a uniform distribution.
– jww
                Dec 24, 2014 at 23:15

Perhaps counter-intuitively, the third is almost certainly the weakest; reseeding on loop iteration is a terrible idea. The second is bad, but less bad, because the SecureRandom() includes a strong default seeding strategy. As asked, the first is almost certainly the most secure because it maximizes the entropic period. I suggest you extract it to a class-level constant for that reason.

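import java.security.SecureRandom;
import java.util.Random;

// one shared instance for the whole class
private static final Random RANDOM = new SecureRandom();
// ...
// your method,
for (int i = 0; i < n; ++i) {
    int num = RANDOM.nextInt();
}
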
                "Perhaps counter-intuitively the third is almost certainly the weakest, reseeding on loop iteration is a terrible idea..." - there are a couple of papers that might disagree with you. The papers recommend reseeding the generator the instance before the generator is asked to produce bits.
– jww
                Dec 24, 2014 at 23:18
                "second is bad, but less bad, because the SecureRandom() includes a strong default seeding strategy" - proof by counter example: Android SecureRandom. Always seed the generator before using it. Don't rely on others.
– jww
                Dec 24, 2014 at 23:19

I suggest you should read this interesting article

In general, there is no need to create multiple instances of SecureRandom(); as @ElliottFrisch stated, a static final is the most appropriate solution.

However, if you will use your SecureRandom for a huge sequence of random outputs, you should periodically reseed it to not allow malicious software to determine the seed and thus predict all future outputs.
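
The two answers above, combined in one sketch: a single shared instance, with seed material mixed in periodically instead of on every iteration. This is an added example, not code from either answer; the class name, the `nextInts` helper and the `RESEED_INTERVAL` value of 1,000 are assumptions chosen for illustration.

```java
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;

// Hypothetical demo class (not from the page).
public class SharedSecureRandomDemo {
    // One instance for the whole class; it seeds itself on first use.
    private static final SecureRandom RANDOM = new SecureRandom();

    // Assumed interval for illustration: reseed after this many outputs.
    private static final int RESEED_INTERVAL = 1_000;

    private static int outputsSinceReseed = 0;

    /** Returns n ints drawn from the shared generator. */
    static synchronized List<Integer> nextInts(int n) {
        List<Integer> out = new ArrayList<>(n);
        for (int i = 0; i < n; i++) {
            if (outputsSinceReseed >= RESEED_INTERVAL) {
                // setSeed() supplements the existing seed, it does not replace it.
                // The generator has already produced output here, so it was
                // self-seeded before this call. generateSeed() may block on
                // platforms whose seed source blocks.
                RANDOM.setSeed(RANDOM.generateSeed(32));
                outputsSinceReseed = 0;
            }
            out.add(RANDOM.nextInt());
            outputsSinceReseed++;
        }
        return out;
    }

    public static void main(String[] args) {
        List<Integer> values = nextInts(2_500); // crosses two reseed points
        System.out.println("generated: " + values.size());
        System.out.println("distinct:  " + new HashSet<>(values).size());
        System.out.println("algorithm: " + RANDOM.getAlgorithm());
    }
}
```

The counter is guarded by `synchronized` because the reseed bookkeeping is shared state; `SecureRandom` itself is safe to call from multiple threads.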
