tozny/java-aes-crypto

SecureRandom.getInstance("SHA1PRNG") is deprecated

Zeus64 opened this issue · 2 comments

I don't understand. I see in the code:
SecureRandom.getInstance("SHA1PRNG")

But when I read https://android-developers.googleblog.com/2016/06/security-crypto-provider-deprecated-in.html

They say the SHA1PRNG algorithm is not cryptographically strong and has been deprecated!

SecureRandom.getInstance("SHA1PRNG", "Crypto") is deprecated, and not SecureRandom.getInstance("SHA1PRNG"). So you can still use SecureRandom.getInstance("SHA1PRNG").

Thanks for the feedback. For background, there was an Android entropy bug in ancient history, and Google provides a workaround that's incorporated into our library and is still available for backward compatibility. I believe that the SHA1PRNG code gets called only on old versions of Android.

Longer term, we want to analyze whether any of the backward compatibility code is still necessary, based on whether & how many devices are still using older versions of Android. The AES library would be significantly simpler without that backward compatibility PRNG fix.