Of course there is the danger that you are expending effort writing something that may be more complex and less secure than existing classes and methods (while I don't have the instructions in front of me, I think there is a warning that points can be deducted if you reinvent the wheel). As an example, have you looked at the SecureRandom class (that has existed since JDK 1.4)?
Just as an aside, I recall a few years back someone claimed that security through cookies was error prone, and therefore they verified ownership using other methods, and always returned 0 as the lock cookie.
I think they passed too (but their code for ownership and documentation on why they did this must have been good).
Regards, Andrew