18 April 2019

Directly or indirectly every developer uses random number generation during application development by different reasons:

• cryptography
• simulations
• game engines
• UUID generation

and many more...

In Java we have insecure: java.util.Random and secure: java.security.SecureRandom random generators. Main differences between is

• Size - 48(Random) vs 128(SecureRandom) bits, so the chances of repeating for last one are smaller.
• Seed Generation - Random uses the system clock and, so can be reproduced. SecureRandom takes random data from your OS (hardware)
• Security - Consequently, the java.util.Random class must not be used either for security-critical applications or for protecting sensitive data.

As result of above, for described reasons using of SecureRandom much preferable. You may never get performance issues with it until you need for number of random numbers which can be generated per time unit. Especially on cloud environment because of poor entropy.

Simple ussage and speed comparison example:

public class RandomGenerationTest {

    private static int count = 100_000_000;

    public static void main(String... s) throws Exception {
        System.out.println("Start...");
        doGeneration(new Random());
        doGeneration(new SecureRandom());
    }

    private static void doGeneration(Random random) {
        long time = System.currentTimeMillis();
        for (int i = 0; i < count; i++) {
            random.nextInt();
        }
        time = System.currentTimeMillis() - time;
        System.out.println(String.format("Generation of %s random numbers with %s time %s ms.", count, random.getClass().getName() ,time));
    }
}

Generation of 100000000 random numbers with java.util.Random time 930 ms.
Generation of 100000000 random numbers with java.security.SecureRandom time 22036 ms.

By default SecureRandom will use random data from Linux kernel entropy pool /dev/random. So in case pool went empty - next generation can be delayed for several minutes. You also can switch to the pseudo random number generator /dev/urandom which is can be must faster (non blocking) but little bit less secure.

To make Java use /dev/urandom you need to change securerandom.source property in the file jre/lib/security/java.security

securerandom.source=file:/dev/urandom

The entropy gathering device can also be specified with the System property java.security.egd. For example:

java -Djava.security.egd=file:/dev/urandom MainClass

To check how much random data is currently available in the entropy pool, use next command:

cat /proc/sys/kernel/random/entropy_avail

Every number lower than 1.000 can be considered too low for normal operation; if you request more data than available the requesting process will block. To increase entropy of Linux environment you can use HArdware Volatile Entropy Gathering and Expansion with haveged open source implementation

apt-get install haveged

It will use additional hardware(CPU) statistic to increase entropy and as result speedup your application.

---

© 2019 | Mixed with Bootstrap v3.1.1 | Baked with JBake v2.6.4