Difference between revisions of "Random Number Generator"

From Dogtag
Jump to: navigation, search
m
m (PK11SecureRandom)
Line 16: Line 16:
  
 
JSS provides a FIPS 140-2 compliant random number generator called PK11SecureRandom which can also be used via this API.
 
JSS provides a FIPS 140-2 compliant random number generator called PK11SecureRandom which can also be used via this API.
 
= PK11SecureRandom =
 
 
The [https://hg.mozilla.org/projects/jss/file/tip/org/mozilla/jss/pkcs11/PK11SecureRandom.java PK11SecureRandom] can be used as follows:
 
 
<pre>
 
SecureRandom random = SecureRandom.getInstance("pkcs11prng", "Mozilla-JSS");
 
</pre>
 
 
The "Mozilla-JSS" refers to [https://hg.mozilla.org/projects/jss/file/tip/org/mozilla/jss/JSSProvider.java JSSProvider] which maps the "pkcs11prng" to JSSSecureRandomSpi:
 
 
<pre>
 
public final class JSSProvider extends java.security.Provider {
 
 
    public JSSProvider() {
 
        super("Mozilla-JSS", JSS_VERSION,
 
                "Provides Signature, Message Digesting, and RNG");
 
 
        put("SecureRandom.pkcs11prng",
 
            "org.mozilla.jss.provider.java.security.JSSSecureRandomSpi");
 
    }
 
}
 
</pre>
 
 
The [https://hg.mozilla.org/projects/jss/file/tip/org/mozilla/jss/provider/java/security/JSSSecureRandomSpi.java JSSSecureRandomSpi] uses a random number generator provided by the TokenSupplierManager:
 
 
<pre>
 
JSSSecureRandom engine = TokenSupplierManager.getTokenSupplier().getSecureRNG();
 
</pre>
 
 
The TokenSupplierManager uses [https://hg.mozilla.org/projects/jss/file/tip/org/mozilla/jss/CryptoManager.java CryptoManager] which returns the PK11SecureRandom instance:
 
 
<pre>
 
public final class CryptoManager implements TokenSupplier {
 
 
    protected CryptoManager()  {
 
        TokenSupplierManager.setTokenSupplier(this);
 
        reloadModules();
 
    }
 
 
    public JSSSecureRandom getSecureRNG() {
 
        return new PK11SecureRandom();
 
    }
 
}
 
</pre>
 
  
 
= JSS Subsystem =
 
= JSS Subsystem =

Revision as of 16:01, 29 July 2022

Overview

SecureRandom is a generic Java API to access random number generator functionality.

SecureRandom random = new SecureRandom();

By default SecureRandom will use NativePRNG implementation which uses /dev/urandom for nextBytes() and /dev/random to generateSeed().

The API can be used to access other random number generators using the following interface:

SecureRandom random = SecureRandom.getInstance(algorithm, provider);

SHA1PRNG is a pure Java random number generator. It is not as strong as the algorithms used by approved DRBG mechanisms in NIST SP800-90.

There is a new version of SecureRandom coming in Java 9, JEP-273, which adds SHA-512 and AES-256 based off NIST SP800-90.

JSS provides a FIPS 140-2 compliant random number generator called PK11SecureRandom which can also be used via this API.

JSS Subsystem

PKI Server uses a JSS subsystem to initialize JSS environment.

The random number generator configuration is located in CS.cfg:

jss.random.algorithm=pkcs11prng
jss.random.provider=Mozilla-JSS

It will use PK11SecureRandom by default. See also JSS Subsystem.

Session ID Generator

The session ID generator configuration is stored in the web application context files:

<Manager secureRandomProvider="Mozilla-JSS" secureRandomAlgorithm="pkcs11prng"/>

See also Tomcat 8 - The Manager Component.

References