SMEs, I have been following various threads on SO about how to make SecureRandom (Java) deterministic with the help of a good-entropy but secret string as seed. The closest I have got so far is the FixedRandom in BouncyCastle, which extends SecureRandom and provides nextBytes and getSeed based on the "secret" but long string of bytes with entropy.

I would be super grateful if someone could point me to how to override setSeed of SecureRandom properly, so that the seed is what I set and it doesn't get any entropy from urandom or system OS parameters.

I definitely get the "if we make it deterministic, an attacker can brute force" point. My use case is different: no data or info in my app flies over the Internet.

tech_geek
  • Is there a reason not to extend SecureRandom and overload all of the public methods to delegate to a Random instance with a fixed seed? (apart from the obvious reason that it's insecure) – dnault May 14 '20 at 02:13
  • Maybe it would help if we understood why you want to do this. – dnault May 14 '20 at 02:14
  • Yes, that’s the direction, as FixedSecureRandom does extend SecureRandom and has some already built-in functions that @Override the public funcs of SecureRandom. The only one I am not so sure about is @Override public void setSeed( ...); the idea is to generate a strong entropy string outside and then feed it to FixedSecureRandom. Maintaining the secrecy of the string generated outside is a whole other issue I have to deal with, but in my use case, it can be done. Thanks in advance! – tech_geek May 14 '20 at 08:03
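
One way to get the behaviour asked about above, as an added example that is not from this thread and is not BouncyCastle's FixedSecureRandom: rather than overriding setSeed on SecureRandom itself, plug a custom SecureRandomSpi into SecureRandom's protected (spi, provider) constructor, so the default OS-seeded engine is never instantiated and every later setSeed call lands in an engineSetSeed you control. The class name SeededSecureRandom, the HMAC-SHA256 counter-mode generator and the demo seed are assumptions chosen for this sketch.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.security.SecureRandomSpi;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical class for illustration; output = HMAC-SHA256(seed, counter) blocks.
public final class SeededSecureRandom extends SecureRandom {
    public SeededSecureRandom(byte[] secretSeed) {
        // Installing our own engine means no default provider engine is created.
        super(new Spi(secretSeed), null);
    }

    private static final class Spi extends SecureRandomSpi {
        private final Mac mac;
        private long counter;

        Spi(byte[] seed) {
            try {
                mac = Mac.getInstance("HmacSHA256");
                mac.init(new SecretKeySpec(seed, "HmacSHA256"));
            } catch (GeneralSecurityException e) {
                throw new IllegalStateException(e);
            }
        }

        // No-op on purpose: callers that "top up" entropy via setSeed(...)
        // cannot change the stream, so the output depends only on the seed.
        @Override protected void engineSetSeed(byte[] ignored) { }

        @Override protected synchronized void engineNextBytes(byte[] out) {
            for (int off = 0; off < out.length; off += 32) {
                byte[] ctr = ByteBuffer.allocate(8).putLong(counter++).array();
                byte[] block = mac.doFinal(ctr);
                System.arraycopy(block, 0, out, off, Math.min(32, out.length - off));
            }
        }

        @Override protected byte[] engineGenerateSeed(int n) {
            byte[] b = new byte[n];
            engineNextBytes(b);
            return b;
        }
    }

    public static void main(String[] args) {
        byte[] seed = "constructed demo seed, not a real secret".getBytes(StandardCharsets.UTF_8);
        byte[] a = new byte[48], b = new byte[48];
        new SeededSecureRandom(seed).nextBytes(a);
        new SeededSecureRandom(seed).nextBytes(b);
        System.out.println(Arrays.equals(a, b)); // same seed, same stream
    }
}
```

Reusing a seed replays the same stream, so any key, nonce or IV drawn from it repeats across runs, and the output is only as unpredictable as the seed is secret.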

0 Answers