8
votes

I'm trying to generate cryptographically secure random numbers using Java and using the following code section to create a SecureRandom object to view its provider and algorithm:

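import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;

// Register Spongy Castle as the most-preferred provider
Provider prov = new org.spongycastle.jce.provider.BouncyCastleProvider();
Security.insertProviderAt(prov, 1);

// Default SecureRandom: record which provider and algorithm back it
SecureRandom sr = new SecureRandom();
String srProvider = sr.getProvider().toString();
String srAlgorithm = sr.getAlgorithm();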

(Spongy Castle is the Bouncy Castle equivalent for Android, made by Roberto Tyley - https://github.com/rtyley)

When I display provider and algorithm, it shows: Crypto version 1.0 SHA1PRNG

What surprises me is that the provider isn't Spongy Castle even though it is installed as the first provider in the code. I'd like to ask you: a) Isn't SecureRandom implemented in Spongy Castle (or Bouncy Castle)? b) What exactly is "Crypto version 1.0" (I mean, is it the Sun JCE provider or what)?

Thanks...

Rubi

2

2 Answers

4
votes

Assuming you are running on Android (you didn't state this explicitly), Bouncy Castle does not provide a SecureRandom implementation. 'Crypto' is the Apache Harmony (on which most of Android's core Java code is based) JCE provider. There is no Sun JCE code in Android. BTW, the 'Crypto' provider only provides SHA1PRNG (RNG), SHA-1 (hash) and SHA1withDSA (signature) implementations. Everything else is provided by either Bouncy Castle or the OpenSSL-based provider.

Question: Why do you think you need a SecureRandom implementation from Bouncy/Spongy Castle?

4
votes

Bouncy Castle does provide a set of Pseudo Random Number Generators (PRNGs). There are many names for PRNGs; NIST calls them Deterministic Random Bit Generators (DRBGs). They are, however, only available in the "Lightweight" API of Bouncy Castle, in the package org.bouncycastle.crypto.prng.

However, Bouncy Castle is a software-only implementation of cryptographic algorithms. This means that it doesn't contain a source of entropy. Entropy cannot be generated by software alone, as software algorithms themselves are deterministic. So even if the Bouncy Castle provider were to register some of the generators in its "BC" provider (or Spongy provider for Android), it would still have to rely on the same entropy source as the platform SecureRandom implementation.

As the entropy source is likely the culprit for most performance issues, you should not expect wonders of Bouncy Castle with regard to random number generation efficiency.

Currently (v1.54) the Bouncy Castle provider doesn't register any SecureRandom implementations at all, so there's that.
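The behaviour discussed in both answers can be checked on any JVM or Android runtime by listing which installed providers actually register a SecureRandom service. This is an added example, not code from the question or answers; it uses only java.security classes, and NoRandomProvider is a constructed stand-in for a provider that, like Spongy Castle here, sits at position 1 but offers no SecureRandom.

```java
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;

public class SecureRandomProviders {

    // Constructed stand-in for a provider that registers no SecureRandom
    // service. Its name, version and the single entry are made up.
    @SuppressWarnings("deprecation")
    static final class NoRandomProvider extends Provider {
        NoRandomProvider() {
            super("DemoNoRandom", 1.0, "Demo provider without SecureRandom");
            put("MessageDigest.DEMO-HASH", "example.DoesNotExist");
        }
    }

    // Returns "ProviderName: Algorithm" for every registered SecureRandom
    // service, in provider preference order.
    static List<String> secureRandomServices() {
        List<String> found = new ArrayList<>();
        for (Provider p : Security.getProviders()) {
            for (Provider.Service s : p.getServices()) {
                if ("SecureRandom".equals(s.getType())) {
                    found.add(p.getName() + ": " + s.getAlgorithm());
                }
            }
        }
        return found;
    }

    public static void main(String[] args) {
        // Same call as in the question: make the new provider most preferred.
        Security.insertProviderAt(new NoRandomProvider(), 1);

        System.out.println("Preference order:");
        for (Provider p : Security.getProviders()) {
            System.out.println("  " + p.getName());
        }
        System.out.println("Providers offering SecureRandom:");
        for (String s : secureRandomServices()) {
            System.out.println("  " + s);
        }

        // Falls through to the first provider that registers SecureRandom.
        SecureRandom sr = new SecureRandom();
        System.out.println("new SecureRandom() -> " + sr.getProvider().getName()
                + " / " + sr.getAlgorithm());
    }
}
```

Provider preference order only matters among providers that register the requested service type, so the provider reported by sr.getProvider() is the first one in the "offering SecureRandom" list, not the one at position 1.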