Fw: Update #2: JEP 123: SecureRandom First Draft and Implementation.

Bruce Rich brich at us.ibm.com
Thu Jan 10 17:48:49 UTC 2013


+1

IBM already has SP800-90a/SHA256/HASH, SP800-90a/SHA384/HASH, and 
SP800-90a/SHA512/HASH in our provider, but without standardized names, 
they are not very useable for the Java community as a whole.

Bruce A Rich
brich at-sign us dot ibm dot com

----- Forwarded by Bruce Rich/Austin/IBM on 01/10/2013 11:44 AM -----

From:   Michael StJohns <mstjohns at comcast.net>
To:     Sean Mullan <sean.mullan at oracle.com>, Xuelei Fan 
<xuelei.fan at oracle.com>
Cc:     OpenJDK Dev list <security-dev at openjdk.java.net>, Brad Wetmore 
<bradford.wetmore at oracle.com>
Date:   01/09/2013 09:32 PM
Subject:        Re: Update #2: JEP 123: SecureRandom First Draft and 
Implementation.
Sent by:        security-dev-bounces at openjdk.java.net



At 09:45 AM 1/9/2013, Sean Mullan wrote:
>think it is unlikely that 2 providers would implement the same 
SecureRandom algorithm, since the names are not standardized like other 
cryptographic algorithms such as SHA-256, RSA, etc.

Can this be fixed?  There really should be a flavor for this.


E.g. 

SP800-90a/SHA256/HASH
SP800-90A/SHA256/HMAC
SP800-90A/AES/CTR
NRBG/NoisyDiode[/implementation id]
NRBG/RingOscillator[/Implementation id]

There are about 6 classes of NIST "approved" deterministic random number 
generators.  See 
http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexc.pdf.



I wouldn't be surprised to find that multiple providers implement the same 
RNGs, but don't have a common name for them.  In fact, according to 
wikipedia, the underlying function for MSCAPI is the FIPS186-2 appendix 
3.1 with SHA1 function. 

Mike



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20130110/09009800/attachment.htm>


More information about the security-dev mailing list