Home / Security / Strong random generation
Security beginner

Strong random generation

Get the platform's strongest SecureRandom implementation.

Code Comparison
✕ Java 8 
// Default algorithm — may not be
// the strongest available
SecureRandom random =
    new SecureRandom();
byte[] bytes = new byte[32];
random.nextBytes(bytes);
✓ Java 9+ 
// Platform's strongest algorithm
SecureRandom random =
    SecureRandom.getInstanceStrong();
byte[] bytes = new byte[32];
random.nextBytes(bytes);
Why the modern way wins
🛡️

Strongest available

Automatically selects the best algorithm for the platform.

📖

Explicit intent

Clearly communicates that strong randomness is required.

🔧

Configurable

Administrators can change the strong algorithm via security properties.

Old Approach
new SecureRandom()
Modern Approach
getInstanceStrong()
Since JDK
9
Difficulty
beginner
JDK Support
Strong random generation
Available

Widely available since JDK 9 (Sept 2017)

How it works

getInstanceStrong() returns the SecureRandom implementation configured as the strongest on the platform. This is controlled by the securerandom.strongAlgorithms security property.

Related patterns

Security advanced

PEM encoding/decoding

Java 8
String pem = "-----BEGIN CERTIFICATE-----\n"
    + Base64.getMimeEncoder()
        .encodeToString(
            cert.getEncoded())
    + "\n-----END CERTIFICATE-----";
Java 25
// Encode to PEM
String pem = PEMEncoder.of()
    .encodeToString(cert);
// Decode from PEM
var cert = PEMDecoder.of()
    .decode(pemString);
Hover to see modern ➜
JDK 25+
Security advanced

Key Derivation Functions

Java 8
SecretKeyFactory factory =
    SecretKeyFactory.getInstance(
        "PBKDF2WithHmacSHA256");
KeySpec spec = new PBEKeySpec(
    password, salt, 10000, 256);
SecretKey key =
    factory.generateSecret(spec);
Java 25
KDF kdf = KDF.getInstance("HKDF-SHA256");
SecretKey key = kdf.deriveKey(
    "AES",
    KDF.HKDFParameterSpec
        .ofExtract()
        .addIKM(inputKey)
        .addSalt(salt)
        .thenExpand(info, 32)
        .build()
);
Hover to see modern ➜
JDK 25+
Security intermediate

TLS 1.3 by default

Java 8
SSLContext ctx =
    SSLContext.getInstance("TLSv1.2");
ctx.init(null, trustManagers, null);
SSLSocketFactory factory =
    ctx.getSocketFactory();
// Must specify protocol version
Java 11+
// TLS 1.3 is the default!
var client = HttpClient.newBuilder()
    .sslContext(SSLContext.getDefault())
    .build();
// Already using TLS 1.3
Hover to see modern ➜
JDK 11+
Share 𝕏 🦋 in