Should I seed a SecureRandom?


Question

Found the following code in our code base:

public static final int DEFAULT_LENGTH = 16;
private static SecureRandom SR;
static
{
   try
   {
      SecureRandom sd0 = new SecureRandom();
      SR = new SecureRandom(sd0.generateSeed(DEFAULT_LENGTH * 2));
   }
   catch (Exception e){}
}

Here a default SecureRandom is created, and then that is used to create a seed for another one which is the one that will be used later in the class. Is this really necessary? Is the second somehow better than the first because this is done?

When the seed is generated for the second, the number of bytes is given, is this important? Could a SecureRandom seeded with a different amount of bytes than another potentially be better or worse? Should the number of bytes used to seed it somehow correspond to what it will be used for?


If setSeed has not been called, the first call to nextBytes will force the SecureRandom object to seed itself. This self-seeding will not occur if setSeed was previously called. - javadoc

Is the self-seeding not good enough? Does it depend on what it's going to be used for?

Note: For some context, it is used in a class that creates random ids for stuff stored in a database.

Recommended answer

I think this is completely unnecessary, because as the Javadoc you quote clearly states: Default-constructed SecureRandom instances seed themselves. The person who wrote this probably didn't know that.

They might also actually decrease security by forcing a fixed seed length that could be less-than-ideal for the RNG implementation.

Finally, assuming the snippet is posted unaltered, the silent exception swallowing isn't very good coding style either.
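
An added example (not part of the original question or answer): the ID generator written the way the answer recommends, with a default-constructed SecureRandom that seeds itself, plus a check of what the quoted Javadoc rule means when a seed is supplied before first use. The class name RandomIds, the method names, the Base64 encoding and the use of the SUN provider's SHA1PRNG are assumptions made for illustration.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

public final class RandomIds {
    public static final int DEFAULT_LENGTH = 16; // random bytes per id, as in the question

    // Default construction: the provider seeds itself on first use with
    // whatever amount of entropy its implementation wants. No setSeed call.
    private static final SecureRandom SR = new SecureRandom();

    /** Returns a URL-safe id carrying DEFAULT_LENGTH random bytes. */
    public static String newId() {
        byte[] raw = new byte[DEFAULT_LENGTH];
        SR.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // The Javadoc rule in practice: a seed supplied before the first nextBytes
    // call replaces self-seeding. Assumes the SUN provider's SHA1PRNG exists;
    // if it does not, the exception propagates instead of being swallowed.
    static byte[] firstBytesOfSeededSha1Prng(byte[] seed) throws NoSuchAlgorithmException {
        SecureRandom r = SecureRandom.getInstance("SHA1PRNG");
        r.setSeed(seed);
        byte[] out = new byte[DEFAULT_LENGTH];
        r.nextBytes(out);
        return out;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        System.out.println("id 1: " + newId());
        System.out.println("id 2: " + newId());

        byte[] seed = new byte[DEFAULT_LENGTH * 2]; // constructed all-zero seed, demo only
        boolean same = Arrays.equals(firstBytesOfSeededSha1Prng(seed),
                                     firstBytesOfSeededSha1Prng(seed));
        // With SHA1PRNG seeded before first use, output depends on the seed alone,
        // so the caller's seed quality and length become the generator's strength.
        System.out.println("same seed, same output: " + same);
    }
}
```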
