Our team is using a SecureRandom to generate a list of key pairs (the SecureRandom is passed to a KeyPairGenerator). We cannot agree on which of the following two options to use:
-
Create a new instance every time we need to generate a key pair
-
Initialize a static instance and use it for all key pairs
Which approach is generally better and why?
ADDED: My gut feeling is that the second option is more secure. But my only argument is a theoretical attack based on the assumption that the pseudorandomness is derived from the current timestamp: someone may see the creation time of the key pair, guess timestamps in the surrounding time interval, compute the possible pseudorandom sequences, and obtain the key material.
ADDED: My assumption about determinism based on a timestamp was wrong. That’s the difference between Random and SecureRandom. So, it looks like the answer is: in terms of security it doesn’t really matter.
Unlike the
java.util.Randomclass, thejava.security.SecureRandomclass must produce non-deterministic output on each call.What that means is, in case of
java.util.Random, if you were to recreate an instance with the same seed each time you needed a new random number, you would essentially get the same result every time. However,SecureRandomis guaranteed to NOT do that – so, creating a single instance or creating a new one each time does not affect the randomness of the random bytes it generates.So, from just normal good coding practices view point, why create too many instances when one will do?