High-quality random numbers are essential for cryptography, secure key generation, and other security-sensitive applications. Standard pseudo-random number generators (PRNGs) produce predictable sequences based on a seed, making systems vulnerable. Java’s SecureRandom class, in contrast, generates cryptographically secure random numbers by using entropy from external sources.
On Linux, the behaviour of SecureRandom depends on the underlying entropy source, which can be blocking or non-blocking. Understanding this difference is crucial for both security and performance.
1. Understanding SecureRandom
SecureRandom in Java is designed to generate cryptographically secure random numbers. Unlike basic PRNGs, which produce deterministic outputs based on a seed, SecureRandom can incorporate entropy from external sources, such as user input, hardware events, or system-provided randomness. This entropy forms what is called the entropy pool, which helps ensure that the generated numbers are unpredictable.
However, the behaviour of SecureRandom on Linux can vary depending on the underlying system’s entropy sources and whether they are blocking or non-blocking.
2. Entropy Sources on Linux
Linux provides two primary sources of random numbers:
/dev/random(blocking): Pulls from the kernel’s entropy pool and blocks when insufficient entropy is available. This ensures very high-quality randomness but may cause delays in applications requiring large amounts of data./dev/urandom(non-blocking): Also uses the kernel’s entropy pool but does not block when depleted. It reuses existing entropy, providing high-performance random numbers suitable for most cryptographic use cases.
3. SecureRandom Algorithms
Java allows choosing between different SecureRandom algorithms, some of which are blocking, others non-blocking. Examples include:
NativePRNG: May block depending on system entropy availability.NativePRNGNonBlocking: A non-blocking implementation using/dev/urandom.SHA1PRNG: A deterministic, purely algorithmic PRNG that is fast but does not rely on OS entropy.
We can explicitly select the algorithm using:
SecureRandom secureRandom = SecureRandom.getInstance("NativePRNGBlocking"); // may block
SecureRandom secureRandom = SecureRandom.getInstance("NativePRNGNonBlocking"); // does not block
Listing All Available SecureRandom Algorithms
We can programmatically check all available SecureRandom algorithms on our system using the following Java code:
public class ListSecureRandomAlgorithms {
public static void main(String[] args) {
Set<String> algorithms = new TreeSet<>();
Provider[] providers = Security.getProviders();
for (Provider provider : providers) {
for (Provider.Service service : provider.getServices()) {
if (service.getType().equals("SecureRandom")) {
algorithms.add(service.getAlgorithm());
}
}
}
System.out.println("Available SecureRandom algorithms on this system:");
for (String algorithm : algorithms) {
System.out.println("- " + algorithm);
}
// Generate 16 random bytes using a non-blocking algorithm
try {
SecureRandom secureRandom = SecureRandom.getInstance("NativePRNGNonBlocking");
byte[] randomBytes = new byte[16];
secureRandom.nextBytes(randomBytes);
System.out.println("\nGenerated 16 random bytes:");
for (byte b : randomBytes) {
System.out.printf("%02x ", b);
}
} catch (Exception e) {
e.printStackTrace();
}
}
}
This program queries the Java Security API to discover which SecureRandom implementations are available at runtime. It iterates through all installed security providers and filters services of type SecureRandom, collecting their algorithm names into a sorted set for readability.
After listing the available algorithms, the example explicitly selects NativePRNGNonBlocking, which is backed by Linux’s /dev/urandom. It then generates 16 cryptographically secure random bytes and prints them in hexadecimal format.
A typical output on a Linux system may look like this:
Available SecureRandom algorithms on this system: - DRBG - NativePRNG - NativePRNGBlocking - NativePRNGNonBlocking - SHA1PRNG Generated 16 random bytes: fd 9b d2 f5 f1 b5 2e 39 88 e7 39 1e f7 82 a5 04
The algorithm list shows the different SecureRandom implementations available on the system. NativePRNGBlocking uses a blocking entropy source, usually /dev/random, and may pause when entropy is low. NativePRNGNonBlocking relies on /dev/urandom, allowing continuous random generation without blocking, while NativePRNG may block depending on current entropy availability.
Other algorithms are independent of Linux entropy devices. SHA1PRNG is a fast, deterministic, software-based generator, whereas DRBG is a standards-based deterministic random bit generator introduced in newer Java versions with strong cryptographic properties.
The generated hexadecimal values represent 16 random bytes produced by NativePRNGNonBlocking. The output changes on every run, confirming the non-deterministic nature of cryptographically secure randomness.
This method allows us to verify which SecureRandom implementations are available on our Linux systems and choose the most appropriate algorithm based on security and performance requirements.
4. Conclusion
On Linux, SecureRandom can behave differently depending on the chosen algorithm and underlying entropy source. By understanding blocking vs non-blocking behaviour, we can make informed decisions to balance security and performance. Using the included code, you can inspect all available algorithms on your system and experiment with generating secure random numbers safely and efficiently.
5. Download the Source Code
This article explored the performance of Java SecureRandom on Linux.
You can download the full source code of this example here: java securerandom performance linux
