BC-FIPS version, SecureRandom's algorithm

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

BC-FIPS version, SecureRandom's algorithm

Phil Edwards
Two questions regarding the use of bc-fips[-debug]-1.0.0.jar in
standard edition Java:

1)  After the Provider instance is created, its getVersion()/getInfo()
return values report a version of 0.90 even though the file and all
the documentation indicate v1.0.0.  Is this a known oddity or am I
doing something weirdly wrong?

2)  Using a configuration string at provider construction, I can later
pass "DEFAULT" plus the instance of the BC provider to
SecureRandom.getInstance(), no problems.  The only hitch is that
querying the SecureRandom instance's getAlgorithm() returns "DEFAULT".
Well, okay, fair enough, that's what I passed and that's how the
Provider framework does its thing.  But I was hoping that using a
configuration string of (for example)

    C:DEFRND[HMACSHA512];ENABLE{ALL};

would yield a SecRand instance whose getAlgorithm() reflected the
HMACSHA512 in some way.  Is there an API to discover or otherwise
reach back and get stuff from the initial configuration string?  Or
some other way of programmatically finding the algorithm?

(The user guide recommends that SecRand instances be created via
approaches like FipsDRBG.whatever.fromEntropySource.... but in our
particular case that would be possible, strictly speaking, but really
difficult.  The limitation is on our end, not yours.)


Many thanks for all your efforts.
Phil

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: BC-FIPS version, SecureRandom's algorithm

David Hook

On 1) It's a known oddity - we realized we hadn't moved it the day
following submission. In a situation like FIPS far too late. Even a
simple change requires a letter from the lab, a minimum 2 week turn
around with NIST and additional fees...

On 2) unfortunately this information is hidden inside the SPI layer in
the provider. There's no way of getting access to it.

On the thanks, you are welcome, but do not forget all the work on this
effort is also funded using support contracts and if we cannot get this
to pay for itself it is unlikely we will be able to keep it going.

Regards,

David

On 30/12/16 10:00, Phil Edwards wrote:

> Two questions regarding the use of bc-fips[-debug]-1.0.0.jar in
> standard edition Java:
>
> 1)  After the Provider instance is created, its getVersion()/getInfo()
> return values report a version of 0.90 even though the file and all
> the documentation indicate v1.0.0.  Is this a known oddity or am I
> doing something weirdly wrong?
>
> 2)  Using a configuration string at provider construction, I can later
> pass "DEFAULT" plus the instance of the BC provider to
> SecureRandom.getInstance(), no problems.  The only hitch is that
> querying the SecureRandom instance's getAlgorithm() returns "DEFAULT".
> Well, okay, fair enough, that's what I passed and that's how the
> Provider framework does its thing.  But I was hoping that using a
> configuration string of (for example)
>
>     C:DEFRND[HMACSHA512];ENABLE{ALL};
>
> would yield a SecRand instance whose getAlgorithm() reflected the
> HMACSHA512 in some way.  Is there an API to discover or otherwise
> reach back and get stuff from the initial configuration string?  Or
> some other way of programmatically finding the algorithm?
>
> (The user guide recommends that SecRand instances be created via
> approaches like FipsDRBG.whatever.fromEntropySource.... but in our
> particular case that would be possible, strictly speaking, but really
> difficult.  The limitation is on our end, not yours.)
>
>
> Many thanks for all your efforts.
> Phil
>
>


Loading...