MASTG-BEST-0001: Use Secure Random Number Generator APIs

Content in BETA

This content is in beta and still under active development, so it is subject to change at any time (e.g. structure, IDs, content, URLs, etc.).

java.security.SecureRandom uses SHA1PRNG by default to produce non-deterministic results from a seed based on system thread timing obtained from /dev/urandom. This seeding occurs automatically during object construction or acquisition, eliminating the need for explicit seeding of the PRNG.

The default constructor is usually sufficient for generating secure random values. Other constructors are available for advanced use cases, but their improper use could reduce the randomness of the output, so non-default constructors should be used with caution.
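
The following is an added example, not code from the MASTG: it draws a session token and a numeric one-time code from a default-constructed SecureRandom, and keeps a java.util.Random version beside it for contrast. The class and method names are hypothetical, and java.util.Base64 assumes Android API level 26+ or a desktop JVM.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

public class SecureTokenExample {
    // Default constructor: the platform seeds the generator itself.
    // One shared instance is enough; SecureRandom is thread-safe.
    private static final SecureRandom RNG = new SecureRandom();

    /** URL-safe token carrying numBytes of CSPRNG output. */
    static String newToken(int numBytes) {
        if (numBytes < 16) {
            throw new IllegalArgumentException("use at least 128 bits");
        }
        byte[] buf = new byte[numBytes];
        RNG.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    /** Six-digit one-time code; nextInt(bound) avoids modulo bias. */
    static String newOtp() {
        return String.format("%06d", RNG.nextInt(1_000_000));
    }

    /**
     * Anti-pattern, kept only for contrast: java.util.Random is a 48-bit
     * linear congruential generator, so its output is a pure function
     * of the seed and must not be used for secrets.
     */
    static String weakToken(long seed, int numBytes) {
        byte[] buf = new byte[numBytes];
        new Random(seed).nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    public static void main(String[] args) {
        // Constructed seed value: the same seed reproduces the same "token".
        boolean weakRepeats = weakToken(42L, 32).equals(weakToken(42L, 32));
        // Two draws from the self-seeded SecureRandom are compared the same way.
        boolean secureRepeats = newToken(32).equals(newToken(32));
        System.out.println("java.util.Random repeats: " + weakRepeats);
        System.out.println("SecureRandom repeats:     " + secureRepeats);
        System.out.println("token: " + newToken(32) + "  otp: " + newOtp());
    }
}
```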

Tests

MASTG-TEST-0205: Non-random Sources Usage
MASTG-TEST-0204: Insecure Random API Usage