This is easily achievable without any external libraries.
1. Cryptographic Pseudo Random Data Generation
First you need a cryptographic PRNG. Java has SecureRandom for that typically uses the best entropy source on the machine (e.g. /dev/random) . Read more here.
SecureRandom rnd = new SecureRandom();
byte[] token = new byte[byteLength];
rnd.nextBytes(token);
Note: SecureRandom is the slowest, but most secure way in Java of generating random bytes. I do however recommend NOT considering performance here since it usually has no real impact on your application unless you have to generate millions of tokens per second.
2. Required Space of Possible Values
Next you have to decide "how unique" your token needs to be. The whole and only point of considering entropy is to make sure that the system can resist brute force attacks: the space of possible values must be so large that any attacker could only try a negligible proportion of the values in non-ludicrous time1. Unique identifiers such as random UUID have 122bit of entropy (ie. 2^122 = 5.3x10^36) - the chance of collision is "*(...) for there to be a one in a billion chance of duplication, 103 trillion version 4 UUIDs must be generated2". We will choose 128 bit since it fits exactly into 16 bytes and is seen as highly sufficient for being unique for basically every, but the most extreme, use cases and you don't have to think about duplicates. Here is a simple comparison table of entropy including simple analysis of the birthday problem.
For simple requirements 8 or 12 byte length might suffice, but with 16 bytes you are on the "safe side".
And that's basically it. Last thing is to think about encoding so it can be represented as a printable text (read, a String).
3. Binary to Text Encoding
Typical encodings include:
Base64every character encodes 6bit creating a 33% overhead. Fortunately there are standard implementations in Java 8+ and Android. With older Java you can use any of the numerous third party libraries. If you want your tokens to be url safe use the url-safe version of RFC4648 (which usually is supported by most implementations). Example encoding 16 bytes with padding:XfJhfv3C0P6ag7y9VQxSbw==Base32every character encodes 5bit creating a 40% overhead. This will useA-Zand2-7making it reasonably space efficient while being case-insensitive alpha-numeric. There is no standard implementation in the JDK. Example encoding 16 bytes without padding:WUPIL5DQTZGMF4D3NX5L7LNFOYBase16(hex) every character encodes 4bit requiring 2 characters per byte (ie. 16 byte create a string of length 32). Therefore hex is less space efficient thanBase32but is safe to use in most cases (url) since it only uses0-9andAtoF. Example encoding 16 bytes:4fa3dd0f57cb3bf331441ed285b27735. See a SO discussion about converting to hex here.
Additional encodings like Base85 and the exotic Base122 exist with better/worse space efficiency. You can create your own encoding (which basically most answers in this thread do) but I would advise against it, if you don't have very specific requirements. See more encoding schemes in the Wikipedia article.
4. Summary and Example
- Use
SecureRandom - Use at least 16 bytes (2^128) of possible values
- Encode according to your requirements (usually
hexorbase32if you need it to be alpha-numeric)
Don't
- ... use your home brew encoding: better maintainable and readable for others if they see what standard encoding you use instead of weird for loops creating chars at a time.
- ... use UUID: it has no guarantees on randomness; you are wasting 6bits of entropy and have verbose string representation
Example: Hex Token Generator
public static String generateRandomHexToken(int byteLength) {
SecureRandom secureRandom = new SecureRandom();
byte[] token = new byte[byteLength];
secureRandom.nextBytes(token);
return new BigInteger(1, token).toString(16); //hex encoding
}
//generateRandomHexToken(16) -> 2189df7475e96aa3982dbeab266497cd
Example: Base64 Token Generator (Url Safe)
public static String generateRandomBase64Token(int byteLength) {
SecureRandom secureRandom = new SecureRandom();
byte[] token = new byte[byteLength];
secureRandom.nextBytes(token);
return Base64.getUrlEncoder().withoutPadding().encodeToString(token); //base64 encoding
}
//generateRandomBase64Token(16) -> EEcCCAYuUcQk7IuzdaPzrg
Example: Java CLI Tool
If you want a ready-to-use cli tool you may use dice: https://github.com/patrickfav/dice