Update #2: JEP 123: SecureRandom First Draft and Implementation.

Weijun Wang weijun.wang at oracle.com
Thu Jan 10 00:56:39 UTC 2013


It seems to me that setting a security property that always point to the 
strongest algorithm is like creating an alias for it. How about we 
generalize this idea?

In java.security,

    alg.alias.securerandom.strongest = SUN:sha1prng

Every other provider-based security class can use it.

Thanks
Max


On 01/09/2013 10:51 PM, Sean Mullan wrote:
> On 01/09/2013 08:37 AM, Xuelei Fan wrote:
>> Form the implementation of SecureRandom.getStrongAlgorithm(), it is
>> possible that returned value are not "strong" (if the related property
>> is not defined).  It's really confusing to the application when it
>> requires a real strong one (for example, for certificate generation),
>> but only get a normal one and the behaviors (blocking or not, strong or
>> weak) of the normal one is unknown.  The horrible thing may be that the
>> caller never know that it is not a "strong" one, as the method name,
>> getStrongAlgorithm, implies that the returned value is "strong" but not
>> weak.
>
> There's an assumption that the securerandom.strongAlgorithm has been
> configured appropriately. For the OpenJDK we will set this property to
> what we think is the strongest algorithm on each platform. Yes, someone
> can later change or unset the property, but this assumes they can modify
> the security properties file, so worse things can happen in that case.
>
> --Sean
>
>>
>> That's another reason that I don't like this new method
>> (SecureRandom.getStrongAlgorithm()). We don't have such problems if we
>> only define the new security property without this new method.
>>
>> Xuelei
>>
>> On 1/9/2013 7:41 PM, Xuelei Fan wrote:
>>> I like this new proposal.  Some minor comments here.
>>>
>>> 1. The name of SecureRandom.getStrongAlgorithm()
>>>
>>>     In the specification of the method and java.security, the word
>>> "strongest" is used to describe the algorithm. While the name use the
>>> word "strong".  I think the method name and specification should use the
>>> same word, "strong" or "strongest". Using both may cause some
>>> miss-understanding.
>>>
>>>     My very first feeling of the "strongest" is that it may depends on
>>> both providers and algorithms. If two providers support the same
>>> "strongest" algorithms, which one is the strongest?  It's a little bit
>>> confusing to me to set security property. I would prefer to use
>>> "strong".
>>>
>>> 2. Do we really need the SecureRandom.getStrongAlgorithm()?
>>>
>>> As the strong algorithm is specified by security property.  I think it
>>> should be enough to use Java.Security.getProperty().  We properly don't
>>> need a new method here.  We properly need to add some additional
>>> description about the default value of strong algorithm that is
>>> recommended to use when the security property is not set.
>>>
>>> Look at the examples,
>>>
>>>    With this method, the application call looks like (1):
>>>      String strongAlg = SecureRandom.getStrongAlgorithm();
>>>      SecureRandom sr = SecureRandom.getInstance(strongAlg);
>>>
>>>    While using security property, the application call (2):
>>>      String strongAlg =
>>>          Security.getProperty("securerandom.strongAlgorithm");
>>>      SecureRandom sr = SecureRandom.getInstance(strongAlg);
>>>      if (strongAlg == null) {
>>>          strongAlg = new SecureRandom().
>>>      } else {
>>>          sr = SecureRandom.getInstance(strongAlg);
>>>      }
>>>
>>> As we have defined security property, the (2) code style is always
>>> useable.  Looks like that the (1) style is not really necessary, because
>>> (2) does the same thing.
>>>
>>> What I want to express here is that we properly don't need to add a new
>>> method to get security property in SecureRandom class.  Adding a new
>>> security property should be enough.
>>>
>>> Please consider it.
>>>
>>> Thanks,
>>> Xuelei
>>>
>>> On 1/9/2013 4:44 PM, Brad Wetmore wrote:
>>>>
>>>> Greetings,
>>>>
>>>> Thanks so much for all of the constructive feedback.  I wasn't terribly
>>>> happy with the previous API proposal, and the comments reflected that.
>>>> Sean Mullan came up with a nice API idea which greatly simplifies the
>>>> goal of helping applications/deployers select a "strong" SecureRandom
>>>> implementation.
>>>>
>>>> I agree with the comments from Xuelei and Micheal StJohns (and others).
>>>>   As Xuelei mentioned, the original scoping a year ago included some of
>>>> those larger configuration ideas, and Michael gave some great
>>>> additional
>>>> food for thought.  With the JDK 8 M6 deadline quickly drawing near, we
>>>> unfortunately don't have time to explore this further, but what I'm
>>>> proposing should complement and not preclude such future work.
>>>>
>>>> As additional goals for this JEP, I wanted to address three problems in
>>>> the current implementation:
>>>>
>>>> 1.  Many customer escalations/complaints of "slow SecureRandom
>>>> performance" because of the limited entropy collection problem on Linux
>>>> boxes, and there's much confusion about how to workaround this problem.
>>>>   (e.g. "file:/dev/./urandom")
>>>>
>>>> 2.  The documentation/configuration in the java.security file does not
>>>> match the implementations, and is very confusing when trying to figure
>>>> out #1 above.
>>>>
>>>> 3.  It's not clear what the four different Oracle JDK SecureRandom
>>>> implementations do. (Solution:  update the Oracle Security Providers
>>>> page.)
>>>>
>>>> I think the current proposal addresses these issues.
>>>>
>>>> The highlights:
>>>>
>>>> A Security property called "securerandom.strongAlgorithm".  There are
>>>> defaults for each supported platform, and deployers can change this
>>>> value if they have access to better ones.
>>>>
>>>> static String SecureRandom.getStrongAlgorithm() which obtains the
>>>> property.  The expected usage:
>>>>
>>>>        *     SecureRandom sr = SecureRandom.getInstance(
>>>>        *         SecureRandom.getStrongAlgorithm());
>>>>        *     ...deleted...
>>>>        *     keyPairGenerator.initialize(2048, sr);
>>>>
>>>> Cleaned out the incorrect information in the java.security files.
>>>>
>>>> The default securerandom.source Security property is set to
>>>> "file:/dev/random" to properly reflect the implementation.  (Ideally,
>>>> I'd like to push this back to earlier JDK's.)
>>>>
>>>> If the java.security.egd/securerandom.source properties are set to
>>>> either "file:/dev/random" or "file:/dev/urandom", NativePRNG will be
>>>> preferred to SHA1PRNG.
>>>>
>>>> NativePRNG now respects the java.security.egd/securerandom.source
>>>> properties.
>>>>
>>>> NativePRNG reads seeds from /dev/random and nextBytes from
>>>> /dev/urandom.
>>>>   I added two new NativePRNG implementations which are completely
>>>> blocking or nonblocking.  The "securerandom.strongAlgorithm" property
>>>> points to the blocking variant.
>>>>
>>>> I still have some cleanup work to do on the NativePRNG.java file, but
>>>> the rest (minus test cases) is ready in the webrev.02 directory.
>>>>
>>>>      http://cr.openjdk.java.net/~wetmore/6425477/
>>>>
>>>> Thanks,
>>>>
>>>> Brad
>>>
>>
>



More information about the security-dev mailing list