Issue with Entropy exhaustion in java fips

Issue with Entropy exhaustion in java fips

Jon

Hi all,

I’ve been doing a bunch of performance testing with a code base that I’m attached to and I’ve noticed that, using the BC FIPS security provider, my code exhausts the entropy available on my Intel Haswell Linux machines. This is using the 1.0.2 version of the library.
Ex.
cat /proc/sys/kernel/random/entropy_avail
Shows values under 10 while my code is running.

When I use the system default security provider the available number never drops below 3000. I mention the CPU arch because I’ve also tried this on a Skylake machine and I do not see the entropy exhaustion there, and I believe that’s down to Intel providing hardware random number generation on Broadwell and later.

I’m adding BC as my default provider via
Security.insertProviderAt(new BouncyCastleFipsProvider(), 1);
Pretty much at the entry point to my program. So, my question is: am I simply misconfiguring something here? I saw a bug around this in the release notes here
https://www.bouncycastle.org/fips-java/RELEASE_NOTES.md
Is this a known issue for 1.0.2 as well?
The current known issues list is blank
https://www.bouncycastle.org/fips-java/BC-FJA-KnownIssues-1.0.2.csv

Thanks,
Jon

Re: Issue with Entropy exhaustion in java fips

Lothar Kimmeringer-4
Hi,

On 30.10.2019 at 22:00, Jon Moroney wrote:
> Hi all,
> [same mail as 20 hours before]

in case you haven't received the answers of 24 hours ago via mail, you
can read them at the mail-list-archive of your choice, e.g.
http://bouncy-castle.1462172.n4.nabble.com/ENTROPY-EXHAUSTION-IN-JAVA-FIPS-td4659780.html

For some reason BC's own mail list archive stopped archiving in February last year.


Cheers, Lothar