Daniel Griffin - 3 months ago 10
Java Question

Seeding SecureRandom from user touch events in Android

I'm creating an Android app that will generate securely random 256-bit keys. I would also like the user to have the option of generating random bytes from tapping / dragging on the screen that will seed the random number generator (kind of like how TrueCrypt generates its keys). It looks like SecureRandom is my best bet, but I'm having trouble understanding the setSeed(byte[]) method.

Here is the documentation:


Reseeds this random object. The given seed supplements, rather than replaces, the existing seed. Thus, repeated calls are guaranteed never to reduce randomness.


I'm planning on taking the X and Y coordinates of the user's touch events and hashing them, then feeding the bytes from the hash repeatedly into setSeed.

My question is, will subsequent calls to setSeed strengthen the existing "randomness" or will it be more or less useless? Or is there a better way to achieve this that I'm completely missing?

Answer

Yes, "more or less useless".

From the docs:

"any seed material passed to a SecureRandom object must be unpredictable". Mouse movement probably does not meet that standard.

Generally, CPRNGs continually add seeding from events on the device; you will not do better.

Also from the docs:

void setSeed (long seed)
Reseeds this random object, using the eight bytes contained in the given long seed. The given seed supplements, rather than replaces, the existing seed. Thus, repeated calls are guaranteed never to reduce randomness.

So go ahead, you will do no harm but it is doubtful if you will improve anything.
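As an added example (not code from the question or the answer), here is one way to mix touch samples into a SecureRandom as a supplement, so that the key never depends on the touch data alone. The class and method names (TouchSeededKey, addTouchSample, generateKey) are hypothetical, the coordinates are constructed sample values, and the comment about SHA1PRNG describes the OpenJDK provider.

```java
import java.nio.ByteBuffer;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;

public class TouchSeededKey {
    private final SecureRandom rng = new SecureRandom();
    private final MessageDigest pool;

    public TouchSeededKey() throws NoSuchAlgorithmException {
        pool = MessageDigest.getInstance("SHA-256");
        // Draw once so the provider seeds itself from the OS first. With some
        // providers (e.g. OpenJDK's SHA1PRNG) a setSeed() call made before the
        // first output becomes the only seed instead of a supplement.
        rng.nextBytes(new byte[1]);
    }

    // Call from the touch handler with the event's coordinates and timestamp.
    public void addTouchSample(float x, float y, long eventTimeNanos) {
        ByteBuffer buf = ByteBuffer.allocate(16);
        buf.putFloat(x).putFloat(y).putLong(eventTimeNanos);
        pool.update(buf.array());
    }

    // Hash everything collected so far, mix it in, then draw a 256-bit key.
    public byte[] generateKey() {
        rng.setSeed(pool.digest()); // digest() also resets the pool
        byte[] key = new byte[32];
        rng.nextBytes(key);
        return key;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: the same three touch points for both generators.
        float[][] samples = {{120.5f, 640.0f}, {121.0f, 655.5f}, {300.25f, 80.0f}};
        TouchSeededKey a = new TouchSeededKey();
        TouchSeededKey b = new TouchSeededKey();
        for (int i = 0; i < samples.length; i++) {
            a.addTouchSample(samples[i][0], samples[i][1], 1_000L * i);
            b.addTouchSample(samples[i][0], samples[i][1], 1_000L * i);
        }
        // Identical touch data, different keys: the OS seed still decides the
        // output, which is what "supplements, rather than replaces" means.
        System.out.println("keys equal: " + Arrays.equals(a.generateKey(), b.generateKey()));
    }
}
```

If the two keys ever came out equal for identical touch input, the touch data would have replaced the system seed and the key would be only as unpredictable as the user's taps.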
