Where can I get a reliable source of entropy (real randomness byte[])?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP



Where can I get a reliable source of entropy (real randomness byte)?



Currently, I'm looking for a way to increase the quality of randomness in my Android application (a card game). Previously, it was estimated that for my situation (52! permutation) at least 226 bits of entropy (226 random bits) are needed..


Android



I'm planning to use this byte as a seed for SecureRandom:


byte


SecureRandom


SecureRandom random = new SecureRandom();
random.setSeed(/* insert seed here, byte */)



The question is -- Where can I reliably get random bits in this amount (at least 226 bits) on Android, preferably without requiring any permissions and without internet. Also, it should work regardless of device and API level.


Android





Please, don't repeat the android tag in the title.
– Kling Klang
Aug 10 at 13:19





"...preferably without requiring any permissions and without internet..." I very much doubt you can. You'd need permissions to use the mic to pick up ambient noise, for instance, or internet to use random.org or similar...
– T.J. Crowder
Aug 10 at 13:20


random.org





@KlingKlang - But I'm looking for an answer specifically for Android. Is this not correct to state it in the title?
– Serj Ardovic
Aug 10 at 13:20





@KlingKlang - Alright, thank you for your guidance..
– Serj Ardovic
Aug 10 at 13:22





SecureRandom uses /dev/random on Linux and most likely Android.
– Peter Lawrey
Aug 10 at 13:24


SecureRandom


/dev/random




2 Answers
2



On Java 8+ you can use


SecureRandom rand = SecureRandom.getInstanceStrong();



To get the strongest randomness available on your platform. To be explicit you can use


SecureRandom rand = SecureRandom.getInstance("NativePRNGBlocking");



which use the entropy of /dev/random on Linux like systems. However, I expect it will fail if not available.


/dev/random



https://www.synopsys.com/blogs/software-security/proper-use-of-javas-securerandom/



Alternatively



You could create randomness based on the user's input by taking a SHA256 or higher of the System.nanoTime() of previous events.


System.nanoTime()



Without being able to access the mic (which would require permissions) or grab bytes from random.org (which would require internet), the only thing that I can think of is the user him/herself: Present a blank square the user moves their finger across, instructing them to do it as randomly as possible, ideally for several seconds, and use that touch data. (I seem to recall an app I used to use — TrueCrypt? — did this.) You might even throw some pseudo-randomness on top of their human-randomness to try to avoid people gaming the system with extraordinarily precise repeatable movements.


random.org



If you relax your requirements a bit, you can probably get some quite good entropy from the mic (ambient noise) and/or accelerometer. And of course, if you request network access, you can download truly random data from http://random.org.





If they don't care about permissions, getting a byte stream from the mic or ACCELEROMETER data, then adding that to a pseudo random number would seem to work well.
– Josh White
Aug 10 at 13:31





Very nice point, perhaps I could generate random bytes based on the actions in the previous round of the game..
– Serj Ardovic
Aug 10 at 13:34






By clicking "Post Your Answer", you acknowledge that you have read our updated terms of service, privacy policy and cookie policy, and that your continued use of the website is subject to these policies.

-

Popular posts from this blog

Firebase Auth - with Email and Password - Check user already registered

Image
Clash Royale CLAN TAG #URR8PPP Firebase Auth - with Email and Password - Check user already registered I want to check when a user attempts to signup with createUserWithEmailAndPassword() in Firebase user Authentication method, this user is already registered with my app. createUserWithEmailAndPassword() 8 Answers 8 To detect whether a user with that email address already exists, you can detect when the call to createUserWithEmailAndPassword () fails with auth/email-already-in-use . I see that @Srinivasan just posted an answer for this. createUserWithEmailAndPassword () auth/email-already-in-use Alternatively, you can detect that an email address is already used by calling fetchSignInMethodsForEmail() (previous called fetchProvidersForEmail() ). fetchSignInMethodsForEmail() fetchProvidersForEmail() When the user trying to create an user with same email address, the task response will be "Response: The email address is already in use by another account." mFirebas...
Read more

Dynamically update html content plain JS

Image
Clash Royale CLAN TAG #URR8PPP Dynamically update html content plain JS So I have a script bound in my index.html, which literally has to fetch an array of jsons from an api, then dynamically update my page when get response. But as a result I'm getting an as the only update of my page. here is my script fetch(url) .then((resp) => resp.json()) .then((resp) => resp.results.forEach(item => fetch(item.url) .then((response)=> response.json()) .then((response) => pokeArr.push(response)) .catch(console.log) ) ).catch(console.log) const filler = () => if(!pokeArr) return 0 pokeArr.map((i,j)=> return `<tr>$i.name</tr>` ) const pokeindex = () => document.getElementById('a').appendChild(document.createElement(filler())) pokeindex() When I'm consoling it, I can see in the console all the responses I get, so I'm at least doing the fetching part right. What's parberakan ? What's pokeArr ? – T.J. Crowder Aug 8 at 12...
Read more

Creating a leaderboard in HTML/JS

Image
Clash Royale CLAN TAG #URR8PPP Creating a leaderboard in HTML/JS I'm trying to create a top 10 leaderboard, for now, I've only implemented 3 players, but I'm coming across an issue. My script doesn't seem to be outputting anything on webpage. The purpose of the script is to compare 3 arrays, player1,player2,and player3 solely based off of score. Which is the 2nd index of each array. I want the script to list the players in order of highest score. This method doesn't really seem to be efficient, especially when I'll have to add 7 more players. Could someone suggest perhaps an easier approach, as well as show me why my script wont output the info. Here's the JS function leaderboard() { var player1 = name:"Thomas",date:"01/23/18",score:"201"; var player2 = name:"Michael",date:"03/24/17",score:"943"; var player3 = Name:"Lisa",date:"06/04/18",Score:"79"; if(player1[2]...
Read more