- java.lang.Object
-
- java.security.DrbgParameters
-
public class DrbgParameters extends Object
This class specifies the parameters used by a DRBG (Deterministic Random Bit Generator).According to NIST Special Publication 800-90A Revision 1, Recommendation for Random Number Generation Using Deterministic Random Bit Generators (800-90Ar1),
A DRBG is based on a DRBG mechanism as specified in this Recommendation and includes a source of randomness. A DRBG mechanism uses an algorithm (i.e., a DRBG algorithm) that produces a sequence of bits from an initial value that is determined by a seed that is determined from the output of the randomness source."
The 800-90Ar1 specification allows for a variety of DRBG implementation choices, such as:
- an entropy source,
- a DRBG mechanism (for example, Hash_DRBG),
- a DRBG algorithm (for example, SHA-256 for Hash_DRBG and AES-256
for CTR_DRBG. Please note that it is not the algorithm used in
SecureRandom.getInstance(java.lang.String), which we will call a SecureRandom algorithm below), - optional features, including prediction resistance and reseeding supports,
- highest security strength.
These choices are set in each implementation and are not directly managed by the
SecureRandomAPI. Check your DRBG provider's documentation to find an appropriate implementation for the situation.On the other hand, the 800-90Ar1 specification does have some configurable options, such as:
- required security strength,
- if prediction resistance is required,
- personalization string and additional input.
A DRBG instance can be instantiated with parameters from an
DrbgParameters.Instantiationobject and other information (for example, the nonce, which is not managed by this API). This maps to theInstantiate_functiondefined in NIST SP 800-90Ar1.A DRBG instance can be reseeded with parameters from a
DrbgParameters.Reseedobject. This maps to theReseed_functiondefined in NIST SP 800-90Ar1. CallingSecureRandom.reseed()is equivalent to callingSecureRandom.reseed(SecureRandomParameters)with the effective instantiated prediction resistance flag (as returned bySecureRandom.getParameters()) with no additional input.A DRBG instance generates data with additional parameters from a
DrbgParameters.NextBytesobject. This maps to theGenerate_functiondefined in NIST SP 800-90Ar1. CallingSecureRandom.nextBytes(byte[])is equivalent to callingSecureRandom.nextBytes(byte[], SecureRandomParameters)with the effective instantiated strength and prediction resistance flag (as returned bySecureRandom.getParameters()) with no additional input.A DRBG should be implemented as a subclass of
SecureRandomSpi. It is recommended that the implementation contain the 1-arg constructor that takes aDrbgParameters.Instantiationargument. If implemented this way, this implementation can be chosen by anySecureRandom.getInstance()method. If it is chosen by aSecureRandom.getInstance()with aSecureRandomParametersparameter, the parameter is passed into this constructor. If it is chosen by aSecureRandom.getInstance()without aSecureRandomParametersparameter, the constructor is called with anullargument and the implementation should choose its own parameters. ItsSecureRandom.getParameters()must always return a non-null effectiveDrbgParameters.Instantiationobject that reflects how the DRBG is actually instantiated. A caller can use this information to determine whether aSecureRandomobject is a DRBG and what features it supports. Please note that the returned value does not necessarily equal to theDrbgParameters.Instantiationobject passed into theSecureRandom.getInstance()call. For example, the requested capability can beDrbgParameters.Capability.NONEbut the effective value can beDrbgParameters.Capability.RESEED_ONLYif the implementation supports reseeding. The implementation must implement theSecureRandomSpi.engineNextBytes(byte[], SecureRandomParameters)method which takes aDrbgParameters.NextBytesparameter. Unless the result ofSecureRandom.getParameters()has its capability beingNONE, it must implementSecureRandomSpi.engineReseed(SecureRandomParameters)which takes aDrbgParameters.Reseedparameter.On the other hand, if a DRBG implementation does not contain a constructor that has an
DrbgParameters.Instantiationargument (not recommended), it can only be chosen by aSecureRandom.getInstance()without aSecureRandomParametersparameter, but will not be chosen if agetInstancemethod with aSecureRandomParametersparameter is called. If implemented this way, itsSecureRandom.getParameters()must returnnull, and it does not need to implement eitherSecureRandomSpi.engineNextBytes(byte[], SecureRandomParameters)orSecureRandomSpi.engineReseed(SecureRandomParameters).A DRBG might reseed itself automatically if the seed period is bigger than the maximum seed life defined by the DRBG mechanism.
A DRBG implementation should support serialization and deserialization by retaining the configuration and effective parameters, but the internal state must not be serialized and the deserialized object must be reinstantiated.
Examples:
SecureRandom drbg; byte[] buffer = new byte[32]; // Any DRBG is OK drbg = SecureRandom.getInstance("DRBG"); drbg.nextBytes(buffer); SecureRandomParameters params = drbg.getParameters(); if (params instanceof DrbgParameters.Instantiation) { DrbgParameters.Instantiation ins = (DrbgParameters.Instantiation) params; if (ins.getCapability().supportsReseeding()) { drbg.reseed(); } } // The following call requests a weak DRBG instance. It is only // guaranteed to support 112 bits of security strength. drbg = SecureRandom.getInstance("DRBG", DrbgParameters.instantiation(112, NONE, null)); // Both the next two calls will likely fail, because drbg could be // instantiated with a smaller strength with no prediction resistance // support. drbg.nextBytes(buffer, DrbgParameters.nextBytes(256, false, "more".getBytes())); drbg.nextBytes(buffer, DrbgParameters.nextBytes(112, true, "more".getBytes())); // The following call requests a strong DRBG instance, with a // personalization string. If it successfully returns an instance, // that instance is guaranteed to support 256 bits of security strength // with prediction resistance available. drbg = SecureRandom.getInstance("DRBG", DrbgParameters.instantiation( 256, PR_AND_RESEED, "hello".getBytes())); // Prediction resistance is not requested in this single call, // but an additional input is used. drbg.nextBytes(buffer, DrbgParameters.nextBytes(-1, false, "more".getBytes())); // Same for this call. drbg.reseed(DrbgParameters.reseed(false, "extra".getBytes()));- Implementation Requirements:
- By convention, a provider should name its primary DRBG implementation
with the
standard
SecureRandomalgorithm name "DRBG". - Implementation Note:
- The following notes apply to the "DRBG" implementation in the SUN provider
of the JDK reference implementation.
This implementation supports the Hash_DRBG and HMAC_DRBG mechanisms with DRBG algorithm SHA-224, SHA-512/224, SHA-256, SHA-512/256, SHA-384 and SHA-512, and CTR_DRBG (both using derivation function and not using derivation function) with DRBG algorithm AES-128, AES-192 and AES-256.
The mechanism name and DRBG algorithm name are determined by the security property
securerandom.drbg.config. The default choice is Hash_DRBG with SHA-256.For each combination, the security strength can be requested from 112 up to the highest strength it supports. Both reseeding and prediction resistance are supported.
Personalization string is supported through the
DrbgParameters.Instantiationclass and additional input is supported through theDrbgParameters.NextBytesandDrbgParameters.Reseedclasses.If a DRBG is not instantiated with a
DrbgParameters.Instantiationobject explicitly, this implementation instantiates it with a default requested strength of 128 bits, no prediction resistance request, and no personalization string. These default instantiation parameters can also be customized with thesecurerandom.drbg.configsecurity property.This implementation reads fresh entropy from the system default entropy source determined by the security property
securerandom.source.Calling
SecureRandom.generateSeed(int)will directly read from this system default entropy source.This implementation has passed all tests included in the 20151104 version of The DRBG Test Vectors.
- Since:
- 9
-
-
Nested Class Summary
Nested Classes Modifier and Type Class Description static classDrbgParameters.CapabilityThe reseedable and prediction resistance capabilities of a DRBG.static classDrbgParameters.InstantiationDRBG parameters for instantiation.static classDrbgParameters.NextBytesDRBG parameters for random bits generation.static classDrbgParameters.ReseedDRBG parameters for reseed.
-
Method Summary
All Methods Static Methods Concrete Methods Modifier and Type Method Description static DrbgParameters.Instantiationinstantiation(int strength, DrbgParameters.Capability capability, byte[] personalizationString)Generates aDrbgParameters.Instantiationobject.static DrbgParameters.NextBytesnextBytes(int strength, boolean predictionResistance, byte[] additionalInput)Generates aDrbgParameters.NextBytesobject.static DrbgParameters.Reseedreseed(boolean predictionResistance, byte[] additionalInput)Generates aDrbgParameters.Reseedobject.
-
-
-
Method Detail
-
instantiation
public static DrbgParameters.Instantiation instantiation(int strength, DrbgParameters.Capability capability, byte[] personalizationString)
Generates aDrbgParameters.Instantiationobject.- Parameters:
strength- security strength in bits, -1 for default strength if used ingetInstance.capability- capabilitypersonalizationString- personalization string as a byte array, can benull. The content of this byte array will be copied.- Returns:
- a new
Instantiationobject - Throws:
NullPointerException- ifcapabilityisnullIllegalArgumentException- ifstrengthis less than -1
-
nextBytes
public static DrbgParameters.NextBytes nextBytes(int strength, boolean predictionResistance, byte[] additionalInput)
Generates aDrbgParameters.NextBytesobject.- Parameters:
strength- requested security strength in bits. If set to -1, the effective strength will be used.predictionResistance- prediction resistance requestedadditionalInput- additional input, can benull. The content of this byte array will be copied.- Returns:
- a new
NextBytesobject - Throws:
IllegalArgumentException- ifstrengthis less than -1
-
reseed
public static DrbgParameters.Reseed reseed(boolean predictionResistance, byte[] additionalInput)
Generates aDrbgParameters.Reseedobject.- Parameters:
predictionResistance- prediction resistance requestedadditionalInput- additional input, can benull. The content of this byte array will be copied.- Returns:
- a new
Reseedobject
-
-