I am using Java 1.7 and as the code below demonstrates (compiled with Oracle's Java 7 compiler in Ubuntu) seeding java.security.SecureRandom appears to be unnecessary as the code produces two different BigIntegers for the starting value of the two pseudo-random sequences:
    import java.security.SecureRandom;
    import java.math.BigInteger;

    public class SessionIdTest {
        public static void main (String args[]) {
            // The same seed value is passed to both generators below.
            long seed = System.currentTimeMillis();
            {
                // First generator: default constructor, then setSeed.
                SecureRandom random = new SecureRandom();
                random.setSeed(seed);
                BigInteger a = new BigInteger(130, random);
                System.out.println(a);
            }
            {
                // Second generator: constructed and seeded identically.
                SecureRandom random = new SecureRandom();
                random.setSeed(seed);
                BigInteger a = new BigInteger(130, random);
                System.out.println(a);
            }
        }
    }
What's the purpose of setSeed then? Or is SecureRandom also using, in addition to the seed, some other source of randomness?
Solution
The javadoc says:
Many SecureRandom implementations are in the form of a pseudo-random number generator (PRNG), which means they use a deterministic algorithm to produce a pseudo-random sequence from a true random seed. Other implementations may produce true random numbers, and yet others may use a combination of both techniques.
So, counting on a secure random to generate a deterministic sequence of values by seeding it won't necessarily work, as documented.
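To see the provider dependence the answer refers to, the following added example (not part of the original question or answer) repeats the question's experiment for the provider default and for an explicitly requested SHA1PRNG, then generates a session id without calling setSeed at all. The class name, method names and the fixed seed are constructed for illustration, and the availability of "SHA1PRNG" (as in Oracle/OpenJDK's SUN provider) is an assumption.

```java
import java.math.BigInteger;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

public class SeedBehaviourDemo {

    // Creates a fresh generator, calls setSeed(seed) before any output is drawn,
    // and returns the first 130-bit value. algorithm == null selects the
    // provider default, exactly as new SecureRandom() does in the question.
    static BigInteger firstValue(String algorithm, long seed) throws NoSuchAlgorithmException {
        SecureRandom random = (algorithm == null)
                ? new SecureRandom()
                : SecureRandom.getInstance(algorithm);
        random.setSeed(seed);
        return new BigInteger(130, random);
    }

    // True when two identically seeded generators produce the same first value,
    // i.e. when the caller-supplied seed fully determines the output.
    static boolean seedDeterminesOutput(String algorithm, long seed) throws NoSuchAlgorithmException {
        return firstValue(algorithm, seed).equals(firstValue(algorithm, seed));
    }

    // Session id as in the question, but with no setSeed call: the generator
    // seeds itself from the platform entropy source.
    static String newSessionId(SecureRandom random) {
        return new BigInteger(130, random).toString(32);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        long seed = 1400000000000L; // constructed stand-in for System.currentTimeMillis()

        // Which algorithm new SecureRandom() resolves to depends on platform and provider.
        System.out.println("default algorithm       : " + new SecureRandom().getAlgorithm());

        // Where setSeed only supplements an existing self-generated seed, this prints false.
        System.out.println("default  repeats on seed: " + seedDeterminesOutput(null, seed));

        // In the SUN provider, SHA1PRNG seeded before its first output derives its
        // state from that seed alone, so a guessable seed means guessable ids.
        System.out.println("SHA1PRNG repeats on seed: " + seedDeterminesOutput("SHA1PRNG", seed));

        System.out.println("session id (self-seeded): " + newSessionId(new SecureRandom()));
    }
}
```

If either "repeats on seed" line prints true on your platform, a timestamp seed makes every value drawn from that generator reproducible by anyone who can estimate the time, which is why security tokens should come from a SecureRandom that was never given a caller-chosen seed.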