2.2 The SecureRandom Engine
The ability to build cryptographically secure pseudo-random number generators (CSPRNG) is crucial. To meet this demand, the JCA includes an engine capable of serving up CSPRNG algorithms. True to its engine form, it implements the standard pair of engine factory methods, for example:
SecureRandom csprng = SecureRandom.getInstance("SHAlPRNG");
Actual random number generation cannot occur until after the engine initializes its internal state, known as establishing a seed value. Think of the seed value as the "starting point" of random number generation. Programmatically, you can establish the seed value by invoking the setSeed(long seed) method immediately after obtaining the CSPRNG instance from the factory method:
csprng.setSeed(31592712351); //Fingers Pounding Keyboard Number
Extracting random bytes from the CSPRNG is done with a call to the nextBytes(byte output) method. The larger the byte passed to the method, the more random bytes the CSPRNG yields.
Of particular noteworthiness is that additional calls to the setSeed(long seed) method after extracting one or more random byte arrays operate in a supplemental nature. In other words, the original seed value is not replaced; attempting to ensure that repeated calls avoid deterministic sequences (patterns) in the generated random values. A deterministic algorithm is an algorithm with no elements of chance, where the result is well determined and nonrandom. Thus, a deterministic algorithm is not well suited for our cryptographic activities because an attacker could potentially determine the sequence of bytes used in the secret key.
It is worth noting that the java.lang.Math class contains a randomQ method. This method is not suitable for cryptographic operations because it uses a deterministic algorithm. The JavaDocs on the function indicate that the pseudo-random values are uniformly distributed between 0.0 and 1.0. True randomness is never uniformly distributed. The speed at which someone types on a keyboard over a period of time, the vibrations of a building as traffic rushes byeach of these are truly random and not uniform in nature. Uniformity only helps strengthen the position of the crypanalyst. Those interested in reading more about the generation of random numbers and nondeterministic algorithms should review the classic work on the topicDonald Knuth's The Art of Computer Programming, Volume 2, (Boston: Addison-Wesley, 1997) Chapter 3, "Random Numbers."