LeakWatch

Example: Pseudorandom Number Generators

The Java API contains a class, java.util.Random, for pseudorandomly generating numbers. This class implements a linear congruential generator, which does not provide high-quality randomness; there may therefore be a relationship between consecutive integers generated by this class. The Java API also provides another class, java.security.SecureRandom, which instead generates random numbers in a cryptographically strong way. The situation becomes worse when cryptographically-insecure pseudorandom number generators (PRNGs) are used to seed other cryptographically-insecure PRNGs, as this example demonstrates.

This example consists of two classes. The first class, LowEntropyRandom, uses java.util.Random to generate a random integer between 0 and 199 and uses this integer to seed a second instance of java.util.Random, which in turn is used to generate two random integers between 0 and 9 (r1 and r2). The second class, LowEntropySecureRandom, is the same as the first class, except that it uses java.security.SecureRandom in place of java.util.Random. In both classes, r1 is shown to an adversary and r2 is kept secret — LeakWatch estimates the amount of information the adversary learns about the second randomly-generated integer by observing the first. An information leak here would suggest that the adversary may be able to guess the future output of the PRNG and therefore compromise its randomness.

LeakWatch estimates that there is an information leak of ≈0.5 bits in LowEntropyRandom, and no information leak in LowEntropySecureRandom.
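The following Python model is an added illustration of the measurement described above; it is not LeakWatch's code nor the source of the LowEntropyRandom example. It ports the 48-bit linear congruential generator that java.util.Random documents (seed scrambling, next(bits) and nextInt(bound) with Java's rejection-sampling loop), and assumes that the example calls nextInt(200) on the outer generator and nextInt(10) twice on the inner one. Because the inner seed can only take 200 values, the leak can be computed exactly by enumerating every seed and taking the mutual information between the observed r1 and the secret r2, rather than estimating it from sampled runs as LeakWatch does; the exact figure therefore need not coincide with the ≈0.5 bit estimate, but the contrast with a leak-free baseline (r1 and r2 independent and uniform) is what matters.

```python
import math
from collections import Counter

# Constants of the 48-bit linear congruential generator specified by java.util.Random.
LCG_MULTIPLIER = 0x5DEECE66D
LCG_INCREMENT = 0xB
LCG_MASK = (1 << 48) - 1


class JavaRandom:
    """Minimal port of java.util.Random: setSeed scrambling, next(bits), nextInt(), nextInt(bound)."""

    def __init__(self, seed):
        # setSeed(): scramble the caller's seed with the multiplier and keep 48 bits.
        self.seed = (seed ^ LCG_MULTIPLIER) & LCG_MASK

    def next_bits(self, bits):
        # next(bits): one LCG step, then the top `bits` bits of the 48-bit state.
        self.seed = (self.seed * LCG_MULTIPLIER + LCG_INCREMENT) & LCG_MASK
        return self.seed >> (48 - bits)

    def next_int32(self):
        # nextInt() with no bound: 32 bits reinterpreted as a signed Java int.
        value = self.next_bits(32)
        return value - (1 << 32) if value >= (1 << 31) else value

    def next_int(self, bound):
        # nextInt(bound): power-of-two bounds use the high bits; other bounds use
        # rejection sampling, reproducing Java's signed-overflow test (u - r + m < 0).
        if bound <= 0:
            raise ValueError("bound must be positive")
        r = self.next_bits(31)
        m = bound - 1
        if bound & m == 0:
            return (bound * r) >> 31
        u = r
        r = u % bound
        while u - r + m >= (1 << 31):
            u = self.next_bits(31)
            r = u % bound
        return r


def low_entropy_random(inner_seed):
    """Model of LowEntropyRandom for one value of the inner seed (assumed 0..199):
    r1 is what the adversary observes, r2 is the secret."""
    inner = JavaRandom(inner_seed)
    r1 = inner.next_int(10)
    r2 = inner.next_int(10)
    return r1, r2


def mutual_information_bits(pairs):
    """I(X;Y) in bits for a list of (x, y) samples, from empirical frequencies."""
    n = len(pairs)
    joint = Counter(pairs)
    px = Counter(x for x, _ in pairs)
    py = Counter(y for _, y in pairs)
    return sum(
        (c / n) * math.log2((c / n) / ((px[x] / n) * (py[y] / n)))
        for (x, y), c in joint.items()
    )


def lcg_chain_leakage():
    """Exact leakage about r2 from r1 when the inner seed is uniform on 0..199
    (the outer nextInt(200) is treated as uniform, so each seed is enumerated once)."""
    return mutual_information_bits([low_entropy_random(s) for s in range(200)])


def independent_baseline_leakage():
    """Leak-free reference: r1 and r2 independent and uniform on 0..9 gives I = 0."""
    return mutual_information_bits([(a, b) for a in range(10) for b in range(10)])


if __name__ == "__main__":
    print(f"LowEntropyRandom model: {lcg_chain_leakage():.3f} bits about r2 learned from r1")
    print(f"independent baseline:   {independent_baseline_leakage():.3f} bits")
```

The port can be checked against Java itself: `new Random(0).nextInt()` returns -1155484576, and `JavaRandom(0).next_int32()` reproduces it. The positive mutual information for the chained generators, against zero for the baseline, is the leak the example is about: because the inner generator can only ever be in one of 200 states, seeing r1 narrows down which state it is in, and with it the secret r2.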

This example is also available as a dataset for leakiEst, another of our information leakage analysis tools.