I wonder if you realize that sr.setSeed(seed) does *NOT*, repeat *NOT* set a SecureRandom to produce a predictable series of values?
Not only would that no longer be secure, it's not what setSeed() does for a SecureRandom. Instead, it supplements the existing seed (which is beyond your control when created as below). You'd have to supply the seed in the constructor.

And if you are expecting SecureRandom to produce the same series of values (as seen by KeyGenerator), or KeyGenerator to produce the same key, between two versions of the OS, you're relying on something which is not documented. Reproducibility is just not part of their job.

I strongly suspect (and fear) that you're screwed, and your users are likely screwed as well. Sorry to deliver bad news. If you like, post more about what you're doing and maybe we can help you figure out the way forward.

On Dec 10, 11:30 am, Steve Hugg <hun...@fasterlight.com> wrote:
> More debugging on this issue...
>
> I am using this method to generate keys from a passphrase:
>
>     KeyGenerator kgen = KeyGenerator.getInstance("AES", "BC");
>     SecureRandom sr = SecureRandom.getInstance("SHA1PRNG", "Crypto");
>     sr.setSeed(seed);
>     kgen.init(128, sr);
>     SecretKey skey = kgen.generateKey();
>     byte[] raw = skey.getEncoded();
>
> This results in a different key for a given passphrase on 2.3 than it
> does on 1.5-2.2.
>
> Froyo returns this information for KeyGenerator and SecureRandom
> objects:
>
> AES BC version 1.34
> SHA1PRNG Crypto version 1.0
>
> Gingerbread returns:
>
> AES BC version 1.45
> SHA1PRNG Crypto version 1.0
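
A password-based key derivation function is the documented way to get the same AES key from the same passphrase on every platform version, which is what the quoted code is trying to do with a seeded SecureRandom. The following is an added example, not code from either poster; the choice of PBKDF2WithHmacSHA1, the iteration count, the salt size and the class and method names are assumptions made for illustration.

```java
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;

public class PassphraseKey {
    // Assumed parameters, not taken from the thread.
    static final int ITERATIONS = 100_000;
    static final int KEY_BITS = 128;   // same key size as kgen.init(128, sr) in the quoted code
    static final int SALT_BYTES = 16;

    /** Random salt, generated once and stored in the clear next to the ciphertext. */
    static byte[] newSalt() {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);  // SecureRandom is used only as a source of randomness
        return salt;
    }

    /** Deterministic: the same passphrase, salt and iteration count always give the same key. */
    static SecretKeySpec deriveKey(char[] passphrase, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(passphrase, salt, ITERATIONS, KEY_BITS);
        try {
            SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
            return new SecretKeySpec(factory.generateSecret(spec).getEncoded(), "AES");
        } finally {
            spec.clearPassword();  // wipe the spec's internal copy of the passphrase
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        char[] passphrase = "correct horse battery staple".toCharArray();  // constructed sample
        byte[] salt = newSalt();
        byte[] k1 = deriveKey(passphrase, salt).getEncoded();
        byte[] k2 = deriveKey(passphrase, salt).getEncoded();
        byte[] k3 = deriveKey(passphrase, newSalt()).getEncoded();
        System.out.println("same passphrase, same salt -> equal keys: " + Arrays.equals(k1, k2));
        System.out.println("same passphrase, new salt  -> equal keys: " + Arrays.equals(k1, k3));
    }
}
```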