Get started with Spring and Spring Boot, through the
Learn Spring
course:
1. Introduction
In this short tutorial, we’ll learn about
java.security.SecureRandom,
a class that provides a cryptographically strong random number generator.
2. Comparison to
java.util.Random
Standard JDK implementations of
java.util.Random
use a
Linear Congruential Generator
(LCG) algorithm for providing random numbers. The problem with this algorithm is that it’s not cryptographically strong. In other words, the generated values are much more predictable, therefore attackers could use it to compromise our system.
To overcome this issue, we should
use
java.security.SecureRandom
in any security decisions
. It produces cryptographically strong random values by using a
cryptographically strong pseudo-random number generator
(
CSPRNG
).
For a better understanding of the difference between LCG and CSPRNG, please look at the below chart presenting a distribution of values for both algorithms:
3. Generating Random Values
The most common way of using
SecureRandom
is to
generate
int
,
long
,
float
,
double
or
boolean
values
:
int randomInt = secureRandom.nextInt();
long randomLong = secureRandom.nextLong();
float randomFloat = secureRandom.nextFloat();
double randomDouble = secureRandom.nextDouble();
boolean randomBoolean = secureRandom.nextBoolean();
For generating
int
values we can pass an upper bound as a parameter:
int randomInt = secureRandom.nextInt(upperBound);
In addition, we can
generate a stream of values
for
int,
double
and
long
:
IntStream randomIntStream = secureRandom.ints();
LongStream randomLongStream = secureRandom.longs();
DoubleStream randomDoubleStream = secureRandom.doubles();
For all streams we can explicitly set the stream size:
IntStream intStream = secureRandom.ints(streamSize);
and the origin (inclusive) and bound (exclusive) values as well:
IntStream intStream = secureRandom.ints(streamSize, originValue, boundValue);
We can also generate a
sequence of random bytes
. The
nextBytes()
function takes user-supplied
byte
array and fills it with random
byte
s:
byte[] values = new byte[124];
secureRandom.nextBytes(values);
4. Choosing an Algorithm
By default,
SecureRandom
uses the SHA1PRNG algorithm
to generate random values. We can explicitly make it use another algorithm by invoking the
getInstance()
method:
SecureRandom secureRandom = SecureRandom.getInstance("NativePRNG");
Creating
SecureRandom
with the
new
operator is equivalent to
SecureRandom.getInstance(“SHA1PRNG”)
.
All random number generators available in Java can be found
on the official docs page
.
5. Seeds
Every instance of
SecureRandom
is created with an initial seed. It works as a base for providing random values and changes every time we generate a new value.
Using the
new
operator or calling
SecureRandom.getInstance()
will
get the default seed from
/dev/urandom
.
We can change the seed by passing it as a constructor parameter:
byte[] seed = getSecureRandomSeed();
SecureRandom secureRandom = new SecureRandom(seed);
or by invoking a setter method on the already created object:
byte[] seed = getSecureRandomSeed();
secureRandom.setSeed(seed);
Remember that if we create two instances of
SecureRandom
with the same seed, and the same sequence of method calls is made for each, they will
generate and return identical sequences of numbers.
6. Conclusion
In this tutorial, we’ve learned how the
SecureRandom
works and how to use it for generating random values.
As always, all code presented in this tutorial can be found
over on GitHub
.
Partner – Aegik AB – NPI EA (tag = SQL)
Slow MySQL query performance
is all too common. Of course
it is.
The Jet Profiler was
built entirely for MySQL
, so it's
fine-tuned for it and does advanced everything with relaly minimal
impact and no server changes.
>> Try out the
Profiler
Partner – DBSchema – NPI EA (tag = SQL)
DbSchema
is a super-flexible database designer, which can
take you from designing the DB with your team
all the way to
safely deploying the schema
.
And, of course, it can be heavily visual, allowing you to
interact with the database using diagrams, visually compose
queries, explore the data, generate random data, import data or
build HTML5 database reports.
>> Take a look at
DBSchema
Partner – Machinet – NPI EA (cat = Testing)
AI is all the rage these days, but for very good reason. The
highly practical coding companion, you'll get the power of
AI-assisted coding and
automated unit test generation
.
Machinet's
Unit Test AI Agent
utilizes your own project
context to create meaningful unit tests that intelligently aligns
with the behavior of the code.
Simplify Your Coding Journey with
Machinet AI
:
>> Install Machinet
AI in your IntelliJ
Partner – Codium – NPI EA (cat = Testing)
Explore the secure, reliable, and high-performance Test
Execution Cloud built for scale. Right in your IDE:
CodiumAI. Meaningful Code Tests for Busy Devs
Basically, write code that works the way you meant it to.
Partner – Lightrun – NPI EA (cat=Spring)
We rely and run a host of libraries and frameworks we didn't
implement ourselves.
Captain obvious here.
The problem is, of course,
when things fall apart in
production
- debugging the implementation of a 3rd party
library you have no intimate knowledge of is, to say the least,
tricky.
Lightrun is a new kind of debugger:
>> Learn
more in this
quick, 5-minute Lightrun tutorial
Course – LSS (cat=Security/Spring Security)
I just announced the new
Learn Spring Security
course, including the full material focused on the new OAuth2 stack in Spring Security:
>> CHECK OUT THE COURSE
Course – LS (cat=Java)
Get started with Spring and Spring Boot, through the
Learn Spring
course:
>> CHECK OUT THE COURSE
res – Security (video) (cat=Security/Spring Security)
eBook – Video Security – NPI (cat=Security/Spring Security)
Security basics for a REST API
access to the video
Course – LSS (cat=Security)
