In our discussion of seeding a random number generator, we mentioned the need to find entropy or "genuine randomness" as the seed starting point for generating other random numbers. Some typical sources that in principle we may be able to access in software include:
Now, an obvious problem with all of these sources is that (a) whether they're available, (b) how easily they can be obtained in software, and (c) how many bits of genuine randomness they give could all vary hugely from machine to machine. Some of these sources are especially useful on busy, multi-user systems. Others require specific hardware to be present and require the software to have privileges that in reality will not be available unless the user makes special dispensation.
In practice, modern operating systems help us solve the problem of obtaining entropy. The OS generally "knows" where it can collect entropy from, and provides an API call or some other form of access to this entropy. In Java, the SecureRandom class acts as a wrapper to this OS-provided entropy:
In practice, current implementations of Windows and Linux derive their entropy from the following sources:
| | Windows | Linux |
|---|---|---|
| Software interface | CryptGenRandom() API call | Direct read from /dev/random |
| Main entropy sources | | Timings in milliseconds and additional, sometimes limited, data from: |
| Reference | Writing Secure Code, Second Edition | Gutterman, Pinkas & Reinman (2006), Analysis of the Linux Random Number Generator |
In our discussion of seeding random number generators, we look at the SecureRandom.generateSeed() call, which provides access to the underlying OS entropy source.
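The following is an added example, not code from the original article: a small probe that reports which SecureRandom implementation the JVM selected, times a generateSeed() call (which can take noticeably long if the OS source blocks while gathering entropy), and folds the returned bytes into a 64-bit seed. The class name EntropyProbe and its helper methods are made up for this example.

```java
import java.nio.ByteBuffer;
import java.security.SecureRandom;
import java.security.Security;

// Added example: EntropyProbe and its method names are hypothetical.
public class EntropyProbe {

    /** Pulls numBytes straight from the seed source behind SecureRandom. */
    static byte[] osSeed(SecureRandom sr, int numBytes) {
        if (numBytes <= 0) throw new IllegalArgumentException("numBytes must be positive");
        return sr.generateSeed(numBytes);
    }

    /** Folds seed bytes into one 64-bit value by XOR-ing 8-byte chunks. */
    static long foldToLong(byte[] seed) {
        if (seed.length == 0 || seed.length % 8 != 0)
            throw new IllegalArgumentException("seed length must be a positive multiple of 8");
        ByteBuffer buf = ByteBuffer.wrap(seed);
        long acc = 0L;
        while (buf.hasRemaining()) acc ^= buf.getLong();
        return acc;
    }

    public static void main(String[] args) {
        // Show which implementation and seed source this JVM is actually using.
        SecureRandom sr = new SecureRandom();
        System.out.println("Algorithm : " + sr.getAlgorithm());
        System.out.println("Provider  : " + sr.getProvider().getName());
        System.out.println("securerandom.source = " + Security.getProperty("securerandom.source"));
        System.out.println("java.security.egd   = " + System.getProperty("java.security.egd"));

        // Time the call: a long delay here means the seed source had to wait.
        long start = System.nanoTime();
        byte[] seed = osSeed(sr, 16);
        long micros = (System.nanoTime() - start) / 1_000;
        System.out.println("generateSeed(16) took " + micros + " us");

        long seed64 = foldToLong(seed);
        // Do not log real seeds; printed here only because this is a demo.
        System.out.printf("64-bit seed: %016x%n", seed64);
    }
}
```

A 64-bit seed can carry at most 64 bits of entropy, however many bytes were folded into it.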
On the next page, we look at the SecureRandom class for random number generation, and typical cases of when to use it.
Editorial page content written by Neil Coffey. Copyright © Javamex UK 2021. All rights reserved.