Currently `Util.java` uses the SHA1PRNG algorithm by Sun/Oracle
to get randomness for `nextBytes` etc. - from the documentation"
```
** On Solaris, Linux, and OS X, if the entropy gathering device in
java.security is set to file:/dev/urandom or file:/dev/random, then
NativePRNG is preferred to SHA1PRNG. Otherwise, SHA1PRNG is preferred.
```
and:
```
The following algorithms are available in the SUN provider:
[...]
SecureRandom
{
SHA1PRNG (Initial seeding is currently done via a combination of system attributes and the java.security entropy gathering device)
NativePRNG (nextBytes() uses /dev/urandom, generateSeed() uses /dev/random)
NativePRNGBlocking (nextBytes() and generateSeed() use /dev/random)
NativePRNGNonBlocking (nextBytes() and generateSeed() use /dev/urandom)
}
```
via: https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SecureRandomImp
Using `/dev/urandom` (non-blocking, reworked in new linux kernel
releases) also reflects the opinion of many leading cryptographers over
any other solution of PRNGs out there, here's two blog posts to
underline this/my statement:
- https://sockpuppet.org/blog/2014/02/25/safely-generate-random-numbers/
- https://tersesystems.com/blog/2015/12/17/the-right-way-to-use-securerandom/
- https://www.2uo.de/myths-about-urandom
Since we're not re-seeding a lot we're good using a blocking /dev/random
for seed generation (which is thus also more secure) and a faster, newly
re-written implementation of /dev/urandom for random bytes. I think this
is the best choice we have available here.
I did also give a talk on the subject matter, in case you're interested
a year ago: https://www.youtube.com/watch?v=Yx4RroggBzI (including
mentioned changes to Linux's CSPRNG design).
