What actual algorithm is used by SecureRandom.getInstance(“DRBG”)?

筅森魡賤 提交于 2019-12-23 01:36:17

问题


Java 9 (JSR 379) introduces the NIST DRBG's as specified in JEP 273. However, the NIST document SP 800-90Ar1 (NIST Special Publication 800-90A Revision 1: Recommendation for Random Number Generation Using Deterministic Random Bit Generators) specifies a total of tree mechanisms:

Implement the three DRBG mechanisms (Hash_DRBG, HMAC_DRBG, CTR_DRBG) in 800-90Ar1 (on all platforms).

However, although you might expect that we would now have three methods to create such secure random algorithms:

  1. SecureRandom.getInstance("Hash_DRBG")
  2. SecureRandom.getInstance("HMAC_DRBG")
  3. SecureRandom.getInstance("CTR_DRBG")

possibly with various configuration parameters, we seem to have only one:

  1. SecureRandom.getInstance("DRBG")

So how can the developer configure and detect which one of the algorithms is used?


回答1:


From the JEP

A new SecureRandomParameters interface so that additional input can be provided to the new SecureRandom methods.

From there we get to DrbgParameters which says

Implementation Note:

The following notes apply to the "DRBG" implementation in the SUN provider of the JDK reference implementation. This implementation supports the Hash_DRBG and HMAC_DRBG mechanisms with DRBG algorithm SHA-224, SHA-512/224, SHA-256, SHA-512/256, SHA-384 and SHA-512, and CTR_DRBG (both using derivation function and not using derivation function) with DRBG algorithm AES-128, AES-192 and AES-256.

The mechanism name and DRBG algorithm name are determined by the security property securerandom.drbg.config. The default choice is Hash_DRBG with SHA-256.

So, implementation dependent and with default impl, switchable only with a property.




回答2:


Use Security.SetProperties before calling SecureRandom:

Security.setProperty("securerandom.drbg.config", "Hash_DRBG");

SecureRandom random = SecureRandom.getInstance("DRBG");

For more information this article provides some in-depth info: https://metebalci.com/blog/everything-about-javas-securerandom/



来源:https://stackoverflow.com/questions/58304220/what-actual-algorithm-is-used-by-securerandom-getinstancedrbg

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!