SecureRandom:初始化一次还是每次都需要?

2022-01-10 00:00:00 random cryptography security java

我们的团队正在使用 SecureRandom 生成密钥对列表(SecureRandom 被传递给 KeyPairGenerator).我们无法就使用以下两个选项中的哪一个达成一致:

Our team is using a SecureRandom to generate a list of key pairs (the SecureRandom is passed to a KeyPairGenerator). We cannot agree on which of the following two options to use:

  1. 每次我们需要生成密钥对时都创建一个新实例

  1. Create a new instance every time we need to generate a key pair

初始化一个静态实例并将其用于所有密钥对

Initialize a static instance and use it for all key pairs

哪种方法通常更好,为什么?

添加:我的直觉是第二种选择更安全.但我唯一的论点是基于伪随机性源自当前时间戳的假设的理论攻击:有人可能会看到密钥对的创建时间,猜测周围时间间隔内的时间戳,计算可能的伪随机序列,并获得关键材料.

ADDED: My gut feeling is that the second option is more secure. But my only argument is a theoretical attack based on the assumption that the pseudorandomness is derived from the current timestamp: someone may see the creation time of the key pair, guess timestamps in the surrounding time interval, compute the possible pseudorandom sequences, and obtain the key material.

补充:我关于基于时间戳的确定性的假设是错误的.这就是 Random 和 SecureRandom 之间的区别.所以,看起来答案是:就安全性而言,这并不重要.

ADDED: My assumption about determinism based on a timestamp was wrong. That's the difference between Random and SecureRandom. So, it looks like the answer is: in terms of security it doesn't really matter.

推荐答案

java.util.Random 类不同,java.security.SecureRandom 类必须产生非- 每次调用的确定性输出.

Unlike the java.util.Random class, the java.security.SecureRandom class must produce non-deterministic output on each call.

这意味着,在 java.util.Random 的情况下,如果您每次需要一个新的随机数时都使用相同的种子重新创建一个实例,那么您基本上会得到 same 每次结果.但是,SecureRandom 保证不会这样做 - 因此,每次创建单个实例或创建一个新实例 not 不会影响它生成的随机字节的随机性.

What that means is, in case of java.util.Random, if you were to recreate an instance with the same seed each time you needed a new random number, you would essentially get the same result every time. However, SecureRandom is guaranteed to NOT do that - so, creating a single instance or creating a new one each time does not affect the randomness of the random bytes it generates.

那么,从正常的良好编码实践的角度来看,为什么要创建太多实例呢?

So, from just normal good coding practices view point, why create too many instances when one will do?

相关文章