We are currently using SecureRandom from the java.security package to generate a random number to be used as the encryption key for users logging into the application. The application is in J2EE, with the app server running on WebLogic and Linux. We are using the generateSeed method for every user login to get a 16-byte key. The performance of generateSeed is very non-deterministic and varies a lot.
I was thinking of an alternate implementation along the following lines:
1. Call generateSeed once during the application startup.
2. Set the secure random object with the seed generated in step 1.
3. For each user login, call the nextBytes method on the secure random object to retrieve the next 16 bytes of random number. Make the call to the method synchronized.
Does the call to the nextBytes method return the next random number, based on the seed that has been generated in step 1? Is my understanding correct?
Is there any foreseeable security issue with this approach? Please give me a reference to any relevant documentation, as I could not find anything that clearly explains the SecureRandom class in Java.
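
The approach described in the post, as an added example that is not part of the original post: one SecureRandom instance seeded once at startup and reused for every login. The class and method names (LoginKeyGenerator, reseed, newLoginKey) are assumptions made for illustration.

```java
import java.security.SecureRandom;
import java.util.Arrays;

// Hypothetical class and method names; a sketch of the steps in the post.
public final class LoginKeyGenerator {
    private static final int KEY_BYTES = 16;

    // One shared instance for the whole application, created at startup.
    private final SecureRandom rng = new SecureRandom();

    public LoginKeyGenerator() {
        // Force the instance to self-seed first, so that the setSeed call
        // in reseed() supplements that seed instead of being the only seed.
        rng.nextBytes(new byte[1]);
        reseed(); // steps 1 and 2: a single generateSeed call, made at startup
    }

    // generateSeed may block while the seed source gathers entropy, so call
    // this at startup or from a background timer, not on the login path.
    public void reseed() {
        byte[] seed = rng.generateSeed(KEY_BYTES);
        // Per the SecureRandom Javadoc, the given seed supplements, rather
        // than replaces, the existing seed.
        rng.setSeed(seed);
        Arrays.fill(seed, (byte) 0); // do not keep the seed material around
    }

    // Step 3: each login key is the next 16 bytes of the generator's output.
    // SecureRandom is safe for use by concurrent threads, so no extra lock
    // is taken here.
    public byte[] newLoginKey() {
        byte[] key = new byte[KEY_BYTES];
        rng.nextBytes(key);
        return key;
    }

    public static void main(String[] args) {
        LoginKeyGenerator gen = new LoginKeyGenerator();
        byte[] a = gen.newLoginKey();
        byte[] b = gen.newLoginKey();
        // Sanity check: correct length and two successive keys differ.
        if (a.length != KEY_BYTES || Arrays.equals(a, b)) {
            throw new IllegalStateException("unexpected generator output");
        }
        System.out.println("two distinct 16-byte keys generated");
    }
}
```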