
I've been writing javax.crypto.Cipher code and have had many questions answered by StackOverflow so I appreciate the information contained in this site. I did have a question I have not found an answer to on this site.

The following code generates a SecretKeySpec:

import java.security.Key;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Random;
import javax.crypto.KeyGenerator;

KeyGenerator keyGen = null;
try {
    keyGen = KeyGenerator.getInstance("AES");
}
catch (NoSuchAlgorithmException e) {
    e.printStackTrace();
}

// SecureRandom used for key generation, explicitly seeded with a java.util.Random value
SecureRandom secureRandomCipher = new SecureRandom();
long seed = new Random().nextLong();
secureRandomCipher.setSeed(seed);

// A second SecureRandom, intended for IV generation
SecureRandom secureRandomIV = null;
try {
    secureRandomIV = SecureRandom.getInstance("SHA1PRNG");
}
catch (NoSuchAlgorithmException noSuchAlgorithm) {
    System.out.println(noSuchAlgorithm.getMessage());
}

keyGen.init(128, secureRandomCipher);
Key encryptionKey = keyGen.generateKey();

encryptionKey is a SecretKeySpec with an "AES" algorithm.

Should I be explicit about the use of the 'SecretKeySpec' such as

Key decryptionKey = new SecretKeySpec(encryptionKey.getEncoded(), encryptionKey.getAlgorithm());

or is what I am doing above sufficient? I can see an advantage from a code length point of view.

    I have a really bad feeling about the `Random` and `SecureRandom` juggling you're doing there. At best this is just some code that is grown historically, but at worst this is an active backdoor (encryption easily crackable in seconds). Please use one `SecureRandom` instance and don't seed it with anything. – Artjom B. Jun 13 '16 at 20:25
  • @Artjom B. Thank you for your feedback. I have removed the `Random` seed and am just using `SecureRandom` without a constructor initializer. – Mushy Jun 14 '16 at 12:45
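An added example (not the asker's code and not from any answer) showing the two points raised in this thread: one unseeded SecureRandom for everything, and that a SecretKeySpec rebuilt from getEncoded()/getAlgorithm() is interchangeable with the SecretKey that KeyGenerator returned, so the explicit construction buys nothing beyond the type name. The class and method names, the AES/GCM mode, and the 12-byte IV are assumptions of this example, not anything from the question.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class KeySpecDemo {
    // One unseeded SecureRandom shared by key and IV generation. The JVM seeds it
    // from the platform entropy source; calling setSeed() with a java.util.Random
    // value, as in the question, would only replace or weaken that seeding.
    private static final SecureRandom RNG = new SecureRandom();

    // Same call sequence as the question, minus the manual seeding.
    public static SecretKey generateAesKey() throws Exception {
        KeyGenerator keyGen = KeyGenerator.getInstance("AES");
        keyGen.init(128, RNG);
        return keyGen.generateKey();
    }

    // The explicit construction the question asks about.
    public static SecretKeySpec toSpec(SecretKey key) {
        return new SecretKeySpec(key.getEncoded(), key.getAlgorithm());
    }

    // AES/GCM chosen for this example (hypothetical choice, not from the question);
    // the 128-bit tag length is passed through GCMParameterSpec.
    public static byte[] encrypt(SecretKey key, byte[] iv, byte[] plaintext) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        return cipher.doFinal(plaintext);
    }

    public static byte[] decrypt(SecretKey key, byte[] iv, byte[] ciphertext) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, iv));
        return cipher.doFinal(ciphertext);
    }

    public static void main(String[] args) throws Exception {
        SecretKey generated = generateAesKey();
        SecretKeySpec rebuilt = toSpec(generated);

        // Both objects carry the same algorithm name and the same key bytes;
        // SecretKeySpec.equals() compares exactly those two things.
        System.out.println("same algorithm: " + generated.getAlgorithm().equals(rebuilt.getAlgorithm()));
        System.out.println("same bytes:     " + Arrays.equals(generated.getEncoded(), rebuilt.getEncoded()));
        System.out.println("equals():       " + generated.equals(rebuilt));

        // Fresh 12-byte IV per message from the same SecureRandom; a GCM IV must
        // never be reused under the same key.
        byte[] iv = new byte[12];
        RNG.nextBytes(iv);

        // Constructed sample plaintext for the round trip.
        byte[] message = "constructed sample plaintext".getBytes(StandardCharsets.UTF_8);
        byte[] ciphertext = encrypt(generated, iv, message);  // encrypt with the generated key
        byte[] recovered = decrypt(rebuilt, iv, ciphertext);  // decrypt with the rebuilt spec
        System.out.println("round trip:     " + Arrays.equals(message, recovered));
    }
}
```

Compile and run with `javac KeySpecDemo.java && java KeySpecDemo`; all four lines print `true`. Because Cipher.init() accepts any Key, the generated SecretKey can be handed straight to the cipher, and the SecretKeySpec detour only matters when key bytes arrive from somewhere else (a file, a KDF) and must be wrapped into a Key object.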

0 Answers