Fw: Update #2: JEP 123: SecureRandom First Draft and Implementation.
Bruce Rich
brich at us.ibm.com
Thu Jan 10 17:48:49 UTC 2013
+1
IBM already has SP800-90a/SHA256/HASH, SP800-90a/SHA384/HASH, and
SP800-90a/SHA512/HASH in our provider, but without standardized names,
they are not very useable for the Java community as a whole.
Bruce A Rich
brich at-sign us dot ibm dot com
----- Forwarded by Bruce Rich/Austin/IBM on 01/10/2013 11:44 AM -----
From: Michael StJohns <mstjohns at comcast.net>
To: Sean Mullan <sean.mullan at oracle.com>, Xuelei Fan
<xuelei.fan at oracle.com>
Cc: OpenJDK Dev list <security-dev at openjdk.java.net>, Brad Wetmore
<bradford.wetmore at oracle.com>
Date: 01/09/2013 09:32 PM
Subject: Re: Update #2: JEP 123: SecureRandom First Draft and
Implementation.
Sent by: security-dev-bounces at openjdk.java.net
At 09:45 AM 1/9/2013, Sean Mullan wrote:
>think it is unlikely that 2 providers would implement the same
SecureRandom algorithm, since the names are not standardized like other
cryptographic algorithms such as SHA-256, RSA, etc.
Can this be fixed? There really should be a flavor for this.
E.g.
SP800-90a/SHA256/HASH
SP800-90A/SHA256/HMAC
SP800-90A/AES/CTR
NRBG/NoisyDiode[/implementation id]
NRBG/RingOscillator[/Implementation id]
There are about 6 classes of NIST "approved" deterministic random number
generators. See
http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexc.pdf.
I wouldn't be surprised to find that multiple providers implement the same
RNGs, but don't have a common name for them. In fact, according to
wikipedia, the underlying function for MSCAPI is the FIPS186-2 appendix
3.1 with SHA1 function.
Mike
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20130110/09009800/attachment.htm>
More information about the security-dev
mailing list