JDK-8051408

JEP 273: DRBG-Based SecureRandom Implementations

    Details

    • Author: Weijun Wang
    • JEP Type: Feature
    • Exposure: Open
    • Subcomponent:
    • Scope: SE
    • Discussion: security dash dev at openjdk dot java dot net
    • Effort: M
    • Duration: M
    • Alert Status: Green
    • JEP Number: 273

      Description

      Summary

      Implement the three Deterministic Random Bit Generator (DRBG) mechanisms described in NIST 800-90Ar1.

      Non-Goals

      Provide API for Source of Entropy Input (SEI), or implement approved SEI on all platforms, where "approved" means approved by NIST or FIPS.

      Motivation

      The JDK has two kinds of SecureRandom implementations. One is platform-dependent and based on native calls or OS devices such as reading /dev/{u}random on Unix, using the CryptoAPI on Windows, and using various preconfigured PKCS11 libraries. The latest releases of Solaris, Linux and Windows already support DRBG, but older releases and embedded systems might not. The other kind is a pure Java implementation that uses an older SHA1-based RNG implementation, which is not as strong as the algorithms used by approved DRBG mechanisms.

      The DRBG mechanisms developed and approved by NIST (as in SP 800-90Ar1) use modern algorithms as strong as SHA-512 and AES-256. Each of these mechanisms can be configured with different security strengths and features to match user requirements. Support for these mechanisms is becoming very important in some environments, especially for the U.S. Government.

      Description

      According to NIST SP 800-90, a random bit generator (RBG, 800-90C) is constructed with a source of entropy input (800-90B and 800-90C) and a DRBG mechanism (800-90Ar1). The source of entropy input provides fresh randomness (entropy) as a seed to the DRBG mechanism, which is then able to continuously generate "random" bit sequences.

      APIs

      • New methods for SecureRandom matching 800-90C, which allow configuring a SecureRandom object and specifying additional input in the course of seeding, reseeding, and random-bit generation.

      • New methods in SecureRandomSpi, to implement the new methods above.

      • A new SecureRandomParameters interface so that additional input can be provided to the new SecureRandom methods.

      These new APIs should be general enough for any SecureRandom flavor (not just DRBG) and can be added to SecureRandom and SecureRandomSpi.

      • A new DrbgParameters class (and its inner classes) implementing SecureRandomParameters to be used by DRBG.
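      The APIs just listed, exercised end to end in an added example that is not code from this JEP or the JDK: it assumes the java.security.DrbgParameters class and the new SecureRandom overloads as they shipped in JDK 9, and the personalization string and additional input are constructed sample values. It also shows the effective-parameter check a deployment would make, and the rejection of a prediction-resistance request on an instance that was not instantiated with that capability.

```java
import java.nio.charset.StandardCharsets;
import java.security.DrbgParameters;
import java.security.DrbgParameters.Capability;
import java.security.DrbgParameters.Instantiation;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.SecureRandomParameters;

public class DrbgDemo {

    /** Instantiate a DRBG at 256-bit strength with prediction resistance and reseeding. */
    static SecureRandom newDrbg(byte[] personalization) throws NoSuchAlgorithmException {
        SecureRandomParameters requested = DrbgParameters.instantiation(
                256, Capability.PR_AND_RESEED, personalization);
        SecureRandom drbg = SecureRandom.getInstance("DRBG", requested);
        // getParameters() reports the effective instantiation; verify it matches what was asked for
        Instantiation effective = (Instantiation) drbg.getParameters();
        if (effective.getStrength() < 256
                || effective.getCapability() != Capability.PR_AND_RESEED) {
            throw new IllegalStateException("DRBG weaker than requested: " + effective);
        }
        return drbg;
    }

    public static void main(String[] args) throws Exception {
        // constructed sample: a personalization string ties the instance to this application
        byte[] pers = "drbg-demo-app".getBytes(StandardCharsets.US_ASCII);
        SecureRandom drbg = newDrbg(pers);
        System.out.println("Effective parameters: " + drbg.getParameters());

        // generate 32 bytes with additional input and prediction resistance
        // (fresh entropy is pulled from the SEI before this output is produced)
        byte[] key = new byte[32];
        byte[] additional = "session-42".getBytes(StandardCharsets.US_ASCII); // constructed sample
        drbg.nextBytes(key, DrbgParameters.nextBytes(256, true, additional));

        // explicit reseed with additional input, then a plain call using the instantiated defaults
        drbg.reseed(DrbgParameters.reseed(false, additional));
        drbg.nextBytes(key);

        // an instance created with Capability.NONE cannot serve a prediction-resistant request
        SecureRandom plain = SecureRandom.getInstance("DRBG",
                DrbgParameters.instantiation(128, Capability.NONE, null));
        try {
            plain.nextBytes(key, DrbgParameters.nextBytes(128, true, null));
        } catch (IllegalArgumentException e) {
            System.out.println("Rejected as expected: " + e.getMessage());
        }
    }
}
```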

      Implementation

      • Implement the three DRBG mechanisms (Hash_DRBG, HMAC_DRBG, CTR_DRBG) in 800-90Ar1 (on all platforms).

      By-products

      Testing

        Issue Links

          Activity

          Weijun Wang added a comment - Changesets pushed:
          http://hg.openjdk.java.net/jdk9/dev/jdk/rev/2d42c4cfd5ac
          http://closedjdk.us.oracle.com/jdk9/dev/jdk/test/closed/rev/5fd82f64510c

            People

            • Assignee: Weijun Wang
            • Reporter: Jeff Dinkins
            • Owner: Weijun Wang
            • Reviewed By: Brian Goetz, Sean Mullan
            • Endorsed By: Brian Goetz
            • Votes: 0
            • Watchers: 9

              Dates

              • Due:
              • Created:
              • Updated:
              • Integration Due: