I want to achieve more randomness in my key generation implemented in Java, since the key strength depends on it.
I want to use the java.security.KeyPairGenerator to create private and public keys.
A seed can be defined with the SecureRandom object.
SecureRandom random = new SecureRandom();
byte[] rand = new byte[8]; // or only one byte
Imagine I create the random byte[] as follows:
// new KeyPress registered
long currentTime = System.currentTimeMillis();
long time = currentTime - lastTime;
lastTime = currentTime;
byte b = (byte) (time % Byte.MAX_VALUE); // "byte" is a reserved word, so the variable is named b
// add byte to array or to the SecureRandom object
random.setSeed(b);
The initialize method allows the seed to be added to the generator object. This should increase the randomness of the keys.
// adds the seed to the generator
keyGen.initialize(4096, random);
The question is: shall I set the seed of the key generator after all user inputs or after, for example, 8 bytes? I know that the randomness gained here depends on the precision of the system clock. But I assume that the currentTimeMillis() method is precise.
Do you think this is a solution for more randomness? Or do you think this does not change anything?
EDIT 1 03.12.13 First, thank you for your comments and thoughts! @Quincunx "I would say that SecureRandom is probably random enough." Enough for what? I mean I think it depends on what you need it for. Right? And the question was how can I even increase the randomness?! @IT-Pro yeah, I could use the square of the time, but I think the user input is more random, right? Did you mean by saying after user input to collect an array of bytes and pass it after the user finished all his inputs to the generator?
EDIT 2 03.12.13 @Erickson I think what you are saying is not true! "these system level devices are already gathering entropy from key presses" Can you please share a link to this? You might have some more understanding in this topic than me, but please, if you say something like that I would like to read some more details about it!
This isn't necessary. It won't hurt your security, but it will hurt the readability—and credibility—of your code.
Providers of SecureRandom will seed the generator for you. The SUN provider and other quality providers will use a source of entropy from the underlying system, like /dev/random or /dev/urandom; these system-level devices are already gathering entropy from key presses and other, less predictable sources, or even from truly random physical processes.
So, I would suggest that you not bother. At best, key press timing will only give you a bit or two of entropy per key press, and that's only if the system source hasn't already included that event.
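
Added example, not part of the original answer: it generates the key pair with a provider-seeded SecureRandom, mixes in a timing value only after the generator has seeded itself (setSeed then supplements the existing seed), and shows the case to avoid, a SHA1PRNG instance seeded before its first output, whose bytes then depend only on that seed. The class name, helper name and timing value are constructed for illustration, and it assumes an OpenJDK-style runtime whose SUN provider offers SHA1PRNG.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.util.Arrays;

public class SeedingDemo {
    // Hypothetical helper: draw n bytes from a SHA1PRNG instance whose
    // only seed is the supplied value.
    static byte[] sha1prngSeededOnly(long seed, int n) throws Exception {
        SecureRandom r = SecureRandom.getInstance("SHA1PRNG");
        r.setSeed(seed);              // called before any output: no self-seeding happens
        byte[] out = new byte[n];
        r.nextBytes(out);
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Default construction: the provider seeds the generator from the OS.
        SecureRandom random = new SecureRandom();
        System.out.println("Default algorithm: " + random.getAlgorithm());

        // Force the provider's own seeding first, then mix in extra material.
        // From here on setSeed supplements the existing seed.
        random.nextBytes(new byte[1]);
        long timingSample = 57;       // constructed stand-in for a key-press interval
        random.setSeed(timingSample);

        // Same call as in the question, using the generator seeded above.
        KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
        keyGen.initialize(4096, random);
        KeyPair pair = keyGen.generateKeyPair();
        System.out.println("Generated " + pair.getPublic().getAlgorithm() + " key pair");

        // Case to avoid: two SHA1PRNG instances seeded only with the same
        // low-entropy value produce the same byte stream.
        byte[] a = sha1prngSeededOnly(timingSample, 16);
        byte[] b = sha1prngSeededOnly(timingSample, 16);
        System.out.println("Seed-only SHA1PRNG streams equal: " + Arrays.equals(a, b));
    }
}
```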