6

Given that the SecureRandom class is considered suitable for use in cryptography, I consider new SecureRandom() to be secure (funny term, isn't it?).

If new SecureRandom() already is secure, what would be the benefit of using SecureRandom.getInstanceStrong() instead?

Is this the same kind of difference as between /dev/urandom and /dev/random?

I'm debating this in the following scenario, where I'm mostly concerned about making the IV random (for use with AES-GCM):

private final SecureRandom secureRandom = new SecureRandom();

[...]

private byte[] getIv() {
    int ivLength = 12;
    byte[] iv = new byte[ivLength];
    secureRandom.nextBytes(iv);
    return iv;
}

1 Answer

3

SecureRandom.getInstanceStrong() will ensure that a strong algorithm (securerandom.strongAlgorithms) is used.

  • It is available since Java version 8. Check your version before starting to use it.

  • If no such algorithm is available in the running VM, it will throw NoSuchAlgorithmException.

  • This failure is better practice than defaulting to weak security.

kelalaka
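The behaviour described in the answer, as an added example that is not part of the original question or answer: it prints the securerandom.strongAlgorithms property and the algorithm each constructor selects, lets NoSuchAlgorithmException propagate instead of falling back, and uses the strong instance for a 12-byte AES-GCM IV. The class and method names (StrongIvDemo, strongRandom, newIv) are hypothetical, and the key and plaintext are constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Added example; class and method names are hypothetical.
public class StrongIvDemo {
    private static final int IV_LENGTH = 12;        // bytes, as in the question's getIv()
    private static final int TAG_LENGTH_BITS = 128; // GCM authentication tag size

    // Fail closed: if no algorithm listed in securerandom.strongAlgorithms is
    // available, the exception propagates; there is no silent fallback.
    static SecureRandom strongRandom() throws NoSuchAlgorithmException {
        return SecureRandom.getInstanceStrong();
    }

    // A fresh IV per encryption; never reuse an IV with the same GCM key.
    static byte[] newIv(SecureRandom random) {
        byte[] iv = new byte[IV_LENGTH];
        random.nextBytes(iv);
        return iv;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("securerandom.strongAlgorithms = "
                + Security.getProperty("securerandom.strongAlgorithms"));
        SecureRandom strong = strongRandom();
        System.out.println("new SecureRandom()  -> " + new SecureRandom().getAlgorithm());
        System.out.println("getInstanceStrong() -> " + strong.getAlgorithm());

        KeyGenerator keyGen = KeyGenerator.getInstance("AES");
        keyGen.init(128, strong);
        SecretKey key = keyGen.generateKey(); // throwaway demo key

        byte[] iv = newIv(strong);
        byte[] plaintext = "constructed sample plaintext".getBytes(StandardCharsets.UTF_8);
        Cipher enc = Cipher.getInstance("AES/GCM/NoPadding");
        enc.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_LENGTH_BITS, iv));
        byte[] ciphertext = enc.doFinal(plaintext);

        // The IV is not secret; it travels with the ciphertext for decryption.
        Cipher dec = Cipher.getInstance("AES/GCM/NoPadding");
        dec.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_LENGTH_BITS, iv));
        System.out.println(new String(dec.doFinal(ciphertext), StandardCharsets.UTF_8));
    }
}
```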