Design review: JEP 273: DRBG-Based SecureRandom Implementations

Wang Weijun weijun.wang at oracle.com
Sat Nov 21 14:00:50 UTC 2015


> On Nov 21, 2015, at 8:59 AM, Wang Weijun <weijun.wang at oracle.com> wrote:
> 
> That said, I re-read SP 800-90A again and it seems there is a feature I haven't supported yet. The full generate function is
> 
>   Generate_function (state_handle, requested_number_of_bits, requested_security_strength,
>     prediction_resistance_request, additional_input):
> 
> So requested_security_strength and prediction_resistance_request can be specified for each generate call. I think this is useful if people want to use a single SecureRandom object to generate random bits for different purposes. CAVP does not include this case, so I didn't notice this at the beginning.

Read again.

For requested_security_strength, the function only needs to check if it is greater than the strength requested at getInstance() (or configure). If yes, fail with "I cannot do that"; otherwise, the output will not be downgraded to a lower security strength. For prediction_resistance_request, if it's true, the call is equivalent to reseed(additional_input) plus nextBytes(bytes).

Therefore even if a DRBG is created without prediction_resistance, the caller can just call reseed+nextBytes itself. There is no need to add a new nextBytes(bytes,params) method.

Thanks
Max

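As an added illustration, and not code from this thread or from JEP 273 itself, the Java program below shows the two-call emulation Max describes (reseed with additional input, then a plain nextBytes) next to the per-call DrbgParameters.nextBytes request that the API shipped in JDK 9 ended up providing, together with the two refusals a practitioner should expect: a per-call strength above the instantiated strength, and a prediction-resistance request on an instance created without that capability. The instantiated strength, the personalization string and the additional input are the example's own choices, and it assumes a JDK 9 or newer with the SUN provider's "DRBG" algorithm.

```java
import java.nio.charset.StandardCharsets;
import java.security.DrbgParameters;
import java.security.DrbgParameters.Capability;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

public class DrbgPerCallDemo {

    // Example's own choice: instantiate at 128 bits, reseedable but without
    // prediction resistance, so the refusals below can be demonstrated.
    static final int REQUESTED_STRENGTH = 128;

    static SecureRandom newDrbg() throws NoSuchAlgorithmException {
        byte[] personalization = "drbg-per-call-demo".getBytes(StandardCharsets.UTF_8);
        return SecureRandom.getInstance("DRBG",
                DrbgParameters.instantiation(REQUESTED_STRENGTH,
                        Capability.RESEED_ONLY, personalization));
    }

    // The emulation from the thread: a generate call with
    // prediction_resistance_request = true is reseed(additional_input)
    // followed by a plain nextBytes(bytes).
    static byte[] generatePrByReseed(SecureRandom drbg, byte[] additionalInput, int len) {
        drbg.reseed(DrbgParameters.reseed(false, additionalInput));
        byte[] out = new byte[len];
        drbg.nextBytes(out);
        return out;
    }

    // The same request expressed through the per-call parameters of JDK 9+.
    static byte[] generateWithParams(SecureRandom drbg, int strength, boolean pr,
                                     byte[] additionalInput, int len) {
        byte[] out = new byte[len];
        drbg.nextBytes(out, DrbgParameters.nextBytes(strength, pr, additionalInput));
        return out;
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        SecureRandom drbg = newDrbg();
        DrbgParameters.Instantiation inst = (DrbgParameters.Instantiation) drbg.getParameters();
        int effective = inst.getStrength();   // what the provider actually instantiated
        System.out.println("instantiated as: " + inst);

        // Constructed additional input for this demo.
        byte[] ai = "request-42".getBytes(StandardCharsets.UTF_8);

        System.out.println("reseed+nextBytes : " + hex(generatePrByReseed(drbg, ai, 16)));
        System.out.println("nextBytes(params): "
                + hex(generateWithParams(drbg, effective, false, ai, 16)));

        // A per-call strength above the instantiated one is refused rather than
        // silently served at the lower strength.
        try {
            generateWithParams(drbg, effective * 2, false, ai, 16);
            System.out.println("unexpected: over-strength request accepted");
        } catch (IllegalArgumentException e) {
            System.out.println("over-strength request refused: " + e.getMessage());
        }

        // Per-call prediction resistance needs PR_AND_RESEED at instantiation;
        // on this RESEED_ONLY instance the request is refused, which is exactly
        // the case the reseed+nextBytes emulation above covers.
        try {
            generateWithParams(drbg, effective, true, ai, 16);
            System.out.println("unexpected: prediction resistance accepted");
        } catch (IllegalArgumentException e) {
            System.out.println("prediction resistance refused: " + e.getMessage());
        }
    }
}
```

Run it with `java DrbgPerCallDemo.java` on JDK 11 or newer. The reseed-then-generate path and the per-call path produce different output bytes, since each call advances the DRBG state; the point of running both is to see that the emulation is available on any reseedable instance, while the per-call form is bounded by what was asked for at instantiation.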