Details
JEP 273 | Feature | Resolution: Delivered | P2 | Weijun Wang
Description
Summary
Implement the three Deterministic Random Bit Generator (DRBG) mechanisms described in NIST 800-90Ar1.
Non-Goals
Provide an API for a Source of Entropy Input (SEI), or implement an approved SEI on all platforms, where "approved" means approved by NIST or FIPS.
Motivation
The JDK has two kinds of SecureRandom implementations. One is platform-dependent and based on native calls or OS devices, such as reading /dev/{u}random on Unix, using the CryptoAPI on Windows, and using various preconfigured PKCS11 libraries. The latest releases of Solaris, Linux and Windows already support DRBG, but older releases and embedded systems might not. The other kind is a pure Java implementation that uses an older SHA1-based RNG implementation, which is not as strong as the algorithms used by approved DRBG mechanisms.
The DRBG mechanisms developed and approved by NIST (as in SP 800-90Ar1) use modern algorithms as strong as SHA-512 and AES-256. Each of these mechanisms can be configured with different security strengths and features to match user requirements. Support for these mechanisms is becoming very important in some environments, especially for the U.S. Government.
Description
According to NIST SP 800-90, a random bit generator (RBG, 800-90C) is constructed with a source of entropy input (800-90B and 800-90C) and a DRBG mechanism (800-90Ar1). The source of entropy input provides fresh randomness (entropy) as a seed to the DRBG mechanism, which is then able to continuously generate "random" bit sequences.
APIs
- New methods for SecureRandom matching 800-90C, which allow configuration of a SecureRandom object and specifying additional input in the course of seeding, reseeding, and random-bit generation.
- New methods in SecureRandomSpi, to implement the new methods above.
- A new SecureRandomParameters interface so that additional input can be provided to the new SecureRandom methods.
These new APIs should be generalized enough for any SecureRandom flavors (not just DRBG) and can be added to SecureRandom and SecureRandomSpi.
- A new DrbgParameters class (and its inner classes) implementing SecureRandomParameters, to be used by DRBG.
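The APIs listed above, as they shipped in JDK 9, used end to end in an added example (this is not code from the JEP or the JDK itself). It assumes the SUN provider's "DRBG" algorithm is available; the personalization string and additional-input values are constructed for illustration, and the check on the effective parameters is the kind a caller should make, since a provider may return a configuration different from the one requested.

```java
import java.nio.charset.StandardCharsets;
import java.security.DrbgParameters;
import java.security.DrbgParameters.Capability;
import java.security.DrbgParameters.Instantiation;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.SecureRandomParameters;

public class DrbgExample {

    // Requested configuration: 256-bit strength, prediction resistance and
    // reseeding supported, plus a personalization string (constructed value).
    static final int REQUESTED_STRENGTH = 256;
    static final byte[] PERSONALIZATION =
            "example-app-instance-1".getBytes(StandardCharsets.UTF_8);

    public static void main(String[] args) throws NoSuchAlgorithmException {
        SecureRandomParameters request = DrbgParameters.instantiation(
                REQUESTED_STRENGTH, Capability.PR_AND_RESEED, PERSONALIZATION);

        // "DRBG" is the algorithm name the SUN provider registers for the
        // 800-90Ar1 mechanisms; the mechanism (Hash_DRBG by default) comes
        // from the securerandom.drbg.config security property.
        SecureRandom drbg = SecureRandom.getInstance("DRBG", request);

        // The effective parameters may differ from the request (for example a
        // higher strength), so verify them instead of assuming the request held.
        SecureRandomParameters actual = drbg.getParameters();
        if (!(actual instanceof Instantiation)) {
            throw new IllegalStateException("Unexpected parameters: " + actual);
        }
        Instantiation effective = (Instantiation) actual;
        if (effective.getStrength() < REQUESTED_STRENGTH
                || !effective.getCapability().supportsPredictionResistance()) {
            throw new IllegalStateException("DRBG weaker than requested: " + effective);
        }

        // Generate with additional input; predictionResistance=true forces a
        // reseed from the entropy source before these bytes are produced.
        byte[] key = new byte[32];
        drbg.nextBytes(key, DrbgParameters.nextBytes(REQUESTED_STRENGTH, true,
                "session-key".getBytes(StandardCharsets.UTF_8)));

        // Explicit reseed with additional input (800-90Ar1 reseed function).
        drbg.reseed(DrbgParameters.reseed(false,
                "periodic-reseed".getBytes(StandardCharsets.UTF_8)));

        System.out.println("Effective parameters: " + effective);
        System.out.println("Generated " + key.length + " bytes");
    }
}
```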
Implementation
- Implement the three DRBG mechanisms (Hash_DRBG, HMAC_DRBG, CTR_DRBG) in 800-90Ar1 (on all platforms).
By-products
SHA-512/224 and SHA-512/256 secure hash algorithms as described in FIPS 180-4.
Testing
- The DRBG implementations must pass the CAVP test vectors.
- SHA-512/224 and SHA-512/256 test vectors.
- An informal test vector for HmacSHA512/224 and HmacSHA512/256.
Issue Links
- duplicates
  - JDK-7169846 Support SHA-512/224 and SHA-512/256 digests in FIPS 180-4 (Closed)
  - JDK-8075455 Consider implementing SP800-90A Random Number Generator (Closed)
  - JDK-8003584 Consider adding a more modern SecureRandom implementation (Resolved)
- relates to
  - JDK-8158534 DrbgParameters strength parameter is underspecified if < -1 (Resolved)
  - JDK-8169312 SecureRandom::getSeed(num) not specified if num is negative (Resolved)
  - JDK-8158442 SecureRandomParameters missing "@since 9" (Closed)
  - JDK-8158589 Possible integer overflow issues for DRBG (Closed)
  - JDK-8003584 Consider adding a more modern SecureRandom implementation (Resolved)
  - JDK-8155696 Implement DRBG health tests (Closed)
  - JDK-7169846 Support SHA-512/224 and SHA-512/256 digests in FIPS 180-4 (Closed)
1. Dev Task: Design | Resolved | Weijun Wang | 2016-01-29
2. Dev Task: Implementation | Resolved | Weijun Wang | 2016-02-05
3. Test Task: Develop new tests for JEP 273: DRBG-Based SecureRandom Implementations | Resolved | Sibabrata Sahoo | 2016-05-20
4. Test Task: Update existing tests for JEP 273: DRBG-Based SecureRandom Implementations | Closed | Sibabrata Sahoo | 2016-04-15