How good is Java’s UUID.randomUUID?

UUID uses java.security.SecureRandom, which is supposed to be “cryptographically strong”. While the actual implementation is not specified and can vary between JVMs (meaning that any concrete statements made are valid only for one specific JVM), it does mandate that the output must pass a statistical random number generator test.

It’s always possible for an implementation to contain subtle bugs that ruin all this (see OpenSSH key generation bug) but I don’t think there’s any concrete reason to worry about Java UUIDs’ randomness.
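To make the dependence on SecureRandom concrete, the following added example (not part of the original answer, and not the code of any particular JVM) builds a version-4 UUID by hand from SecureRandom bytes and estimates collision odds for the 122 bits that remain random. The class name, `randomV4` and `collisionProbability` are hypothetical helpers, and the estimate assumes the generator's output is uniform.

```java
import java.nio.ByteBuffer;
import java.security.SecureRandom;
import java.util.UUID;

public class UuidRandomnessDemo {
    private static final SecureRandom RNG = new SecureRandom();

    // Build a version-4 UUID from 16 SecureRandom bytes, fixing the
    // 4 version bits and 2 variant bits as RFC 4122 requires.
    static UUID randomV4() {
        byte[] b = new byte[16];
        RNG.nextBytes(b);
        b[6] = (byte) ((b[6] & 0x0f) | 0x40); // version nibble = 4
        b[8] = (byte) ((b[8] & 0x3f) | 0x80); // IETF variant (binary 10)
        ByteBuffer buf = ByteBuffer.wrap(b);
        return new UUID(buf.getLong(), buf.getLong());
    }

    // Birthday-bound approximation of the chance of at least one collision
    // among n values drawn uniformly from 2^bits possibilities.
    // Assumption: the underlying generator really is uniform.
    static double collisionProbability(double n, int bits) {
        double space = Math.pow(2, bits);
        return -Math.expm1(-(n * (n - 1)) / (2 * space));
    }

    public static void main(String[] args) {
        UUID jdk = UUID.randomUUID();
        UUID manual = randomV4();
        System.out.println(jdk + " version=" + jdk.version() + " variant=" + jdk.variant());
        System.out.println(manual + " version=" + manual.version() + " variant=" + manual.variant());

        // 128 bits minus 6 fixed bits leaves 122 bits supplied by the generator.
        for (double n : new double[] {1e9, 1e12, 1e15}) {
            System.out.printf("n=%.0e  P(collision) ~ %.3e%n", n, collisionProbability(n, 122));
        }
    }
}
```

The collision figures hold only as long as the SecureRandom implementation behind the JVM is sound; a seeding bug of the kind mentioned above would shrink the effective space far below 122 bits.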
