On 12/04/2014 09:20 AM, Peter Levart wrote:
> So what we have here is two desires:
> - we want a resource-friendly / with as few dependencies as
>   possible way to generate some unique seed, with implicit fall-back
>   which need not be secure
> - we want a resource-friendly / with as few dependencies as
>   possible way to generate secure random bytes that can be
>   pseudo-random, but still secure, with explicit failure mode
> I'll try to address this dichotomy in the next iteration of the API.

I tried and found out that it is not that easy. The fall-back strategy
is dependent on the use case and is better left to the consumer of
SystemRandom, which is just an interface to the OS-provided secure PRNG. The
fact that we want to use it for seeding other PRNGs is just a coincidence.
Regarding the fall-back strategy: Besides System.currentTime() and
System.nanoTime(), the following could be used in addition, to spice it
up, and don't seem like dependencies that couldn't be handled:
Runtime.getRuntime().freeMemory()
Unsafe.getUnsafe().getLoadAverage()
Thread.currentThread().getId()
Regards, Peter
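
The two use cases from the message, sketched as an added example that is not code from the thread or from the JDK: `ByteSource`, `secureBytes`, `seed` and `fallbackSeed` are hypothetical names, `SecureRandom` stands in for the OS-backed source, and `Unsafe.getLoadAverage()` is left out because application code cannot normally obtain `Unsafe`. The fall-back lives in the consumer (`seed`), while the secure path fails explicitly.

```java
import java.security.SecureRandom;

public final class SeedFallbackDemo {
    /** Hypothetical stand-in for the OS-backed source discussed above. */
    interface ByteSource { void nextBytes(byte[] out); }

    /** Secure bytes: any exception from the source reaches the caller. */
    static byte[] secureBytes(ByteSource os, int n) {
        byte[] out = new byte[n];
        os.nextBytes(out);
        return out;
    }

    /** Unique seed: the consumer chooses to fall back; result is NOT secure. */
    static long seed(ByteSource os) {
        try {
            long s = 0;
            for (byte b : secureBytes(os, 8)) s = (s << 8) | (b & 0xff);
            return s;
        } catch (RuntimeException e) {
            return fallbackSeed();
        }
    }

    /** Mixes the low-entropy values named in the message. */
    static long fallbackSeed() {
        long h = mix(System.currentTimeMillis());
        h = mix(h ^ System.nanoTime());
        h = mix(h ^ Runtime.getRuntime().freeMemory());
        return mix(h ^ Thread.currentThread().getId());
    }

    /** SplitMix64 finalizer: spreads the input bits, adds no entropy. */
    static long mix(long z) {
        z = (z ^ (z >>> 30)) * 0xbf58476d1ce4e5b9L;
        z = (z ^ (z >>> 27)) * 0x94d049bb133111ebL;
        return z ^ (z >>> 31);
    }

    public static void main(String[] args) {
        ByteSource working = new SecureRandom()::nextBytes;
        // Constructed failure, to exercise both paths.
        ByteSource broken = out -> { throw new IllegalStateException("no OS entropy"); };
        System.out.printf("seed, working source: %016x%n", seed(working));
        System.out.printf("seed, broken source:  %016x%n", seed(broken));
        try {
            secureBytes(broken, 16);
        } catch (IllegalStateException e) {
            System.out.println("secureBytes failed explicitly: " + e.getMessage());
        }
    }
}
```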