java cryptography sha prng

Using SecureRandom with SHA-256


I have been using SecureRandom with a seeded SHA1PRNG algorithm to create shared randomness between two processes. I recently learned that SHA1 is being deprecated according to NIST's standards, so we are making an effort to switch to SHA256. The problem I've discovered is that SecureRandom ONLY supports SHA1PRNG, at least according to Oracle's documentation. I was wondering if there's a way to use SecureRandom with SHA256, or probably better, what is a suitable alternative to using SecureRandom?


Solution

  • David, as I understand, you are referring to this document: http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf

    Maybe I am missing something. However, what it says:

    From January 1, 2011 through December 31, 2013, the use of SHA-1 is deprecated 
    for digital signature generation. The user must accept risk when SHA-1 is used, 
    particularly when approaching the December 31, 2013 upper limit.
    

    However, below it says:

    For all other hash function applications, the use of SHA-1 is acceptable. The 
    other applications include HMAC, Key Derivation Functions (KDFs), Random Number 
    Generation (RNGs and RBGs), and hash-only applications (e.g., hashing passwords 
    and using SHA-1 to compute a checksum, such as the approved integrity technique 
    specified in Section 4.6.1 of [FIPS 140-2]). 
    

    So, as I understand, SHA1 is OK for random number generation.
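
For the "suitable alternative" part of the question, one way to get the same byte stream in two processes from a SHA-256 primitive is HMAC-SHA256 in counter mode. This is an added example, not code from the question or the answer. The class name `SharedStream` is hypothetical, it assumes both processes already hold the same secret seed of at least 32 bytes, and it is a plain counter-mode construction, not a validated SP 800-90A DRBG.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.util.Arrays;

// Hypothetical helper (not a JDK API): block i of the stream is HMAC-SHA256(seed, i).
// Output depends only on the seed and the number of bytes consumed so far,
// so two processes with the same seed stay in step regardless of read sizes.
public final class SharedStream {
    private final Mac mac;
    private long counter = 0;          // index of the next 32-byte block
    private byte[] block = new byte[0];
    private int used = 0;              // bytes of the current block already handed out

    public SharedStream(byte[] sharedSeed) throws GeneralSecurityException {
        if (sharedSeed.length < 32) {
            throw new IllegalArgumentException("seed must be at least 32 bytes");
        }
        mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(sharedSeed, "HmacSHA256"));
    }

    public synchronized void nextBytes(byte[] out) {
        int off = 0;
        while (off < out.length) {
            if (used == block.length) {   // current block exhausted: derive the next one
                byte[] ctr = ByteBuffer.allocate(Long.BYTES).putLong(counter++).array();
                block = mac.doFinal(ctr); // doFinal also resets the Mac for reuse
                used = 0;
            }
            int n = Math.min(out.length - off, block.length - used);
            System.arraycopy(block, used, out, off, n);
            used += n;
            off += n;
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] seed = new byte[32];
        Arrays.fill(seed, (byte) 0x42);   // constructed sample seed, for demonstration only
        SharedStream a = new SharedStream(seed), b = new SharedStream(seed);
        byte[] fromA = new byte[48], b1 = new byte[16], b2 = new byte[32];
        a.nextBytes(fromA);               // process A reads 48 bytes at once
        b.nextBytes(b1);                  // process B reads 16, then 32
        b.nextBytes(b2);
        boolean same = Arrays.equals(Arrays.copyOfRange(fromA, 0, 16), b1)
                && Arrays.equals(Arrays.copyOfRange(fromA, 16, 48), b2);
        System.out.println("streams match: " + same);
    }
}
```

Anyone who learns the seed can reproduce the whole stream, so the seed has to be generated once from an unseeded `SecureRandom` (or a key agreement) and kept secret by both processes.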