And just a followup: it is interesting to note, that this Utility is still used as default random source for Key Generators and DSA Signatures. I would expect those need to refer to SecureRandom.getInstanceStrong() instead? (the string instance getter is nowhere used?) Bernd