0

I'd like to seed a secure random generator myself using bytes, e.g.:

SecureRandom sha1prng = SecureRandom.getInstance("SHA1PRNG");
sha1prng.setSeed(new byte[] { 2, -4, 127, -54 });
System.out.println(sha1prng.nextLong());

I found a number of examples on the net, and most of them use a byte array of length 20. So, my question is how long should this array actually be? Is there any recommendation naming a lower and an upper limit? Would it make it more unpredictable if I used for instance 1000 bytes rather than just 20?

Cheers, Andy

andy
  • 99
  • 7
  • Why? Try it twice with your current seed. – Elliott Frisch May 07 '14 at 02:29
  • Whatever you do, do not use byte arrays that you find online as seeds. I read somewhere that posting an "ultra safe seed you should always use" is a good way for the poster to indirectly create vulnerabilities in people's applications. – ethanfar May 07 '14 at 05:41

1 Answers1

0

OK, this doesn't seem to be an easy to answer question. From what I found so far, it appears that the required length for this input depends on the actual provider used, in case of the default provider this is probably sun.security.provider.SecureRandom. This implementation uses a MessageDigest with a size of 20 bytes, therefore 20 bytes can be used as input for the setSeed(byte[])-method.

private static final int DIGEST_SIZE = 20;

More wouldn't probably add entropy to it. Other implementations might use even less; I didn't find one that uses more bytes so far.

Sources: http://hg.openjdk.java.net/jdk7/jdk7/jdk/file/tip/src/share/classes/java/security/SecureRandom.java

http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/6-b14/sun/security/provider/SecureRandom.java

--not enough points to add more sources (links)

andy
  • 99
  • 7