Issues with random seeding under FIPS

Issues with random seeding under FIPS

George Stanchev-2
Hello,

We ran into some issues while running embedded JVM in FIPS approved only mode under IIS using BCFIPS. I was hoping someone can help me understand the process of seeding the SecureRandom under FIPS with default configuration (no C: configuration string given to BCPROV). Java is also running with "securerandom.strongAlgorithms=DEFAULT:BCFIPS". Looking at thread dump [1], "main" has something that looks like recursion kicked off by the JceSecurity constructor. It is 34 levels deep. It looks like back and forth between Java's SecureRandom and BC. It looks like "defRandom = CryptoServicesRegistrar.getSecureRandom();" on line 363 of BouncyCastleFipsProvider.java throws IllegalStateException because "CryptoServicesRegistrar.defaultSecureRandom" is not set. This makes it go into "SecureRandom sourceOfEntropy = getDefaultEntropySource();" below which in turn calls "return getCoreSecureRandom();" and SecureRandom.getInstanceStrong() via reflection which kicks off the recursion again. But then after 34 iterations or so, it magically comes out of it and in [2] we see it made it to line 391 where it calls "int securityStrength = ((FipsSecureRandom)defRandom).getSecurityStrength();"

I couldn't find anywhere in the code where CryptoServicesRegistrar.setSecureRandom is called and I cannot find any other way that I see it coming out of that recursive loop...

George

[1]

              ....<30+ identical cycled frames like below>....
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$4.run(BouncyCastleFipsProvider.java:456)
        at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$4.run(BouncyCastleFipsProvider.java:451)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.getCoreSecureRandom(BouncyCastleFipsProvider.java:450)
        at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.access$200(BouncyCastleFipsProvider.java:68)
        at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$2.run(BouncyCastleFipsProvider.java:421)
        at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$2.run(BouncyCastleFipsProvider.java:413)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.getDefaultEntropySource(BouncyCastleFipsProvider.java:412)
        at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.getDefaultSecureRandom(BouncyCastleFipsProvider.java:372)
        - locked <0x00000000f1062548> (a org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider)
        at org.bouncycastle.jcajce.provider.ProvRandom$1.createInstance(ProvRandom.java:22)
        at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$BcService.newInstance(BouncyCastleFipsProvider.java:790)
        at sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
        at sun.security.jca.GetInstance.getInstance(GetInstance.java:206)
        at java.security.SecureRandom.getInstance(SecureRandom.java:339)
        at java.security.SecureRandom.getInstanceStrong(SecureRandom.java:644)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$4.run(BouncyCastleFipsProvider.java:456)
        at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$4.run(BouncyCastleFipsProvider.java:451)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.getCoreSecureRandom(BouncyCastleFipsProvider.java:450)
        at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.access$200(BouncyCastleFipsProvider.java:68)
        at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$2.run(BouncyCastleFipsProvider.java:421)
        at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$2.run(BouncyCastleFipsProvider.java:413)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.getDefaultEntropySource(BouncyCastleFipsProvider.java:412)
        at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.getDefaultSecureRandom(BouncyCastleFipsProvider.java:372)
        - locked <0x00000000f1062548> (a org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider)
        at org.bouncycastle.jcajce.provider.ProvRandom$1.createInstance(ProvRandom.java:22)
        at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$BcService.newInstance(BouncyCastleFipsProvider.java:790)
        at sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
        at sun.security.jca.GetInstance.getInstance(GetInstance.java:164)
        at java.security.SecureRandom.getInstance(SecureRandom.java:288)
        at java.security.SecureRandom.getDefaultPRNG(SecureRandom.java:205)
        at java.security.SecureRandom.<init>(SecureRandom.java:162)
        at javax.crypto.JceSecurity.<clinit>(JceSecurity.java:56)
        at javax.crypto.Cipher.getInstance(Cipher.java:514)
              ....<skipped>....


[2]

        - locked <0x00000000fba65ec0> (a org.bouncycastle.crypto.fips.DRBGPseudoRandom)
        at java.security.SecureRandom.nextBytes(SecureRandom.java:468)
        at org.bouncycastle.jcajce.provider.ProvRandom$1$1.engineNextBytes(ProvRandom.java:35)
        at java.security.SecureRandom.nextBytes(SecureRandom.java:468)
        at org.bouncycastle.crypto.util.BasicEntropySourceProvider$1.getEntropy(BasicEntropySourceProvider.java:56)
        at org.bouncycastle.crypto.fips.ContinuousTestingEntropySource.getEntropy(ContinuousTestingEntropySource.java:36)
        - locked <0x00000000fbba6348> (a org.bouncycastle.crypto.fips.ContinuousTestingEntropySource)
        at org.bouncycastle.crypto.fips.HashSP800DRBG.getEntropy(HashSP800DRBG.java:340)
        at org.bouncycastle.crypto.fips.HashSP800DRBG.init(HashSP800DRBG.java:160)
        at org.bouncycastle.crypto.fips.HashSP800DRBG.<init>(HashSP800DRBG.java:132)
        at org.bouncycastle.crypto.fips.FipsDRBG$HashDRBGProvider.get(FipsDRBG.java:357)
        at org.bouncycastle.crypto.fips.DRBGPseudoRandom.lazyInitDRBG(DRBGPseudoRandom.java:50)
        at org.bouncycastle.crypto.fips.DRBGPseudoRandom.getSecurityStrength(DRBGPseudoRandom.java:40)
        - locked <0x00000000fbba5f78> (a org.bouncycastle.crypto.fips.DRBGPseudoRandom)
        at org.bouncycastle.crypto.fips.FipsSecureRandom.getSecurityStrength(FipsSecureRandom.java:70)
        at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.getDefaultSecureRandom(BouncyCastleFipsProvider.java:391)
        - locked <0x00000000f1062548> (a org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider)
        at org.bouncycastle.jcajce.provider.ProvRandom$1.createInstance(ProvRandom.java:22)
        at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$BcService.newInstance(BouncyCastleFipsProvider.java:790)
        at sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
        at sun.security.jca.GetInstance.getInstance(GetInstance.java:206)
        at java.security.SecureRandom.getInstance(SecureRandom.java:339)
        at java.security.SecureRandom.getInstanceStrong(SecureRandom.java:644)
        at sun.reflect.GeneratedMethodAccessor1.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)


Re: Issues with random seeding under FIPS

David Hook-3

securerandom.strongAlgorithms=DEFAULT:BCFIPS

Should be changed back - pointing to the native PRNG. The default BCFIPS
SecureRandom uses the seed generator that secure random provides for
seeding.

Regards,

David

On 24/1/20 9:19 am, George Stanchev wrote:

> Hello,
>
> We ran into some issues while running embedded JVM in FIPS approved only mode under IIS using BCFIPS. I was hoping someone can help me understand the process of seeding the SecureRandom under FIPS with default configuration (no C: configuration string given to BCPROV). Java is also running with "securerandom.strongAlgorithms=DEFAULT:BCFIPS". Looking at thread dump [1], "main" has something that looks like recursion kicked off by the JceSecurity constructor. It is 34 levels deep. It looks like back and forth between Java's SecureRandom and BC. It looks like "defRandom = CryptoServicesRegistrar.getSecureRandom();" on line 363 of BouncyCastleFipsProvider.java throws IllegalStateException because "CryptoServicesRegistrar.defaultSecureRandom" is not set. This makes it go into "SecureRandom sourceOfEntropy = getDefaultEntropySource();" below which in turn calls "return getCoreSecureRandom();" and SecureRandom.getInstanceStrong() via reflection which kicks off the recursion again. But then after 34 iterations or so, it magically comes out of it and in [2] we see it made it to line 391 where it calls "int securityStrength = ((FipsSecureRandom)defRandom).getSecurityStrength();"
>
> I couldn't find anywhere in the code where CryptoServicesRegistrar.setSecureRandom is called and I cannot find any other way that I see it coming out of that recursive loop...
>
> George
>
> [1]
>
>               ....<30+ identical cycled frames like below>....
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$4.run(BouncyCastleFipsProvider.java:456)
> at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$4.run(BouncyCastleFipsProvider.java:451)
> at java.security.AccessController.doPrivileged(Native Method)
> at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.getCoreSecureRandom(BouncyCastleFipsProvider.java:450)
> at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.access$200(BouncyCastleFipsProvider.java:68)
> at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$2.run(BouncyCastleFipsProvider.java:421)
> at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$2.run(BouncyCastleFipsProvider.java:413)
> at java.security.AccessController.doPrivileged(Native Method)
> at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.getDefaultEntropySource(BouncyCastleFipsProvider.java:412)
> at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.getDefaultSecureRandom(BouncyCastleFipsProvider.java:372)
> - locked <0x00000000f1062548> (a org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider)
> at org.bouncycastle.jcajce.provider.ProvRandom$1.createInstance(ProvRandom.java:22)
> at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$BcService.newInstance(BouncyCastleFipsProvider.java:790)
> at sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
> at sun.security.jca.GetInstance.getInstance(GetInstance.java:206)
> at java.security.SecureRandom.getInstance(SecureRandom.java:339)
> at java.security.SecureRandom.getInstanceStrong(SecureRandom.java:644)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$4.run(BouncyCastleFipsProvider.java:456)
> at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$4.run(BouncyCastleFipsProvider.java:451)
> at java.security.AccessController.doPrivileged(Native Method)
> at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.getCoreSecureRandom(BouncyCastleFipsProvider.java:450)
> at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.access$200(BouncyCastleFipsProvider.java:68)
> at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$2.run(BouncyCastleFipsProvider.java:421)
> at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$2.run(BouncyCastleFipsProvider.java:413)
> at java.security.AccessController.doPrivileged(Native Method)
> at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.getDefaultEntropySource(BouncyCastleFipsProvider.java:412)
> at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.getDefaultSecureRandom(BouncyCastleFipsProvider.java:372)
> - locked <0x00000000f1062548> (a org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider)
> at org.bouncycastle.jcajce.provider.ProvRandom$1.createInstance(ProvRandom.java:22)
> at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$BcService.newInstance(BouncyCastleFipsProvider.java:790)
> at sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
> at sun.security.jca.GetInstance.getInstance(GetInstance.java:164)
> at java.security.SecureRandom.getInstance(SecureRandom.java:288)
> at java.security.SecureRandom.getDefaultPRNG(SecureRandom.java:205)
> at java.security.SecureRandom.<init>(SecureRandom.java:162)
> at javax.crypto.JceSecurity.<clinit>(JceSecurity.java:56)
> at javax.crypto.Cipher.getInstance(Cipher.java:514)
>               ....<skipped>....
>
>
> [2]
>
> - locked <0x00000000fba65ec0> (a org.bouncycastle.crypto.fips.DRBGPseudoRandom)
> at java.security.SecureRandom.nextBytes(SecureRandom.java:468)
> at org.bouncycastle.jcajce.provider.ProvRandom$1$1.engineNextBytes(ProvRandom.java:35)
> at java.security.SecureRandom.nextBytes(SecureRandom.java:468)
> at org.bouncycastle.crypto.util.BasicEntropySourceProvider$1.getEntropy(BasicEntropySourceProvider.java:56)
> at org.bouncycastle.crypto.fips.ContinuousTestingEntropySource.getEntropy(ContinuousTestingEntropySource.java:36)
> - locked <0x00000000fbba6348> (a org.bouncycastle.crypto.fips.ContinuousTestingEntropySource)
> at org.bouncycastle.crypto.fips.HashSP800DRBG.getEntropy(HashSP800DRBG.java:340)
> at org.bouncycastle.crypto.fips.HashSP800DRBG.init(HashSP800DRBG.java:160)
> at org.bouncycastle.crypto.fips.HashSP800DRBG.<init>(HashSP800DRBG.java:132)
> at org.bouncycastle.crypto.fips.FipsDRBG$HashDRBGProvider.get(FipsDRBG.java:357)
> at org.bouncycastle.crypto.fips.DRBGPseudoRandom.lazyInitDRBG(DRBGPseudoRandom.java:50)
> at org.bouncycastle.crypto.fips.DRBGPseudoRandom.getSecurityStrength(DRBGPseudoRandom.java:40)
> - locked <0x00000000fbba5f78> (a org.bouncycastle.crypto.fips.DRBGPseudoRandom)
> at org.bouncycastle.crypto.fips.FipsSecureRandom.getSecurityStrength(FipsSecureRandom.java:70)
> at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.getDefaultSecureRandom(BouncyCastleFipsProvider.java:391)
> - locked <0x00000000f1062548> (a org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider)
> at org.bouncycastle.jcajce.provider.ProvRandom$1.createInstance(ProvRandom.java:22)
> at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$BcService.newInstance(BouncyCastleFipsProvider.java:790)
> at sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
> at sun.security.jca.GetInstance.getInstance(GetInstance.java:206)
> at java.security.SecureRandom.getInstance(SecureRandom.java:339)
> at java.security.SecureRandom.getInstanceStrong(SecureRandom.java:644)
> at sun.reflect.GeneratedMethodAccessor1.invoke(Unknown Source)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
>
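
The setting discussed in this thread can be checked at JVM startup. The following is an added example, not code from either poster or from Bouncy Castle: it parses a securerandom.strongAlgorithms value and reports entries that would route SecureRandom.getInstanceStrong() back to BCFIPS. The class and method names are hypothetical, and every sample value other than "DEFAULT:BCFIPS" is constructed for illustration.

```java
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;

public class StrongAlgorithmsCheck {  // hypothetical helper, not part of BCFIPS
    // Returns the entries of a securerandom.strongAlgorithms value that can
    // resolve to the named provider. Entry format: algorithm[:provider],
    // comma separated.
    static List<String> entriesResolvingTo(String value, String providerName) {
        List<String> hits = new ArrayList<>();
        if (value == null) return hits;
        // null when the provider is not registered in this JVM
        Provider installed = Security.getProvider(providerName);
        for (String raw : value.split(",")) {
            String entry = raw.trim();
            if (entry.isEmpty()) continue;
            int colon = entry.indexOf(':');
            String alg = colon < 0 ? entry : entry.substring(0, colon).trim();
            String prov = colon < 0 ? null : entry.substring(colon + 1).trim();
            if (prov != null) {
                if (prov.equals(providerName)) hits.add(entry);
            } else if (installed != null
                    && installed.getService("SecureRandom", alg) != null) {
                // No provider named: the lookup may still land on providerName.
                hits.add(entry);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        String[] samples = {                       // constructed sample values
            "DEFAULT:BCFIPS",                      // the setting from the thread
            "Windows-PRNG:SunMSCAPI",              // a native PRNG entry
            "NativePRNGBlocking:SUN, DEFAULT:BCFIPS"
        };
        for (String s : samples)
            System.out.println(s + " -> " + entriesResolvingTo(s, "BCFIPS"));

        // Check the value this JVM is actually running with.
        String live = Security.getProperty("securerandom.strongAlgorithms");
        List<String> bad = entriesResolvingTo(live, "BCFIPS");
        System.out.println("live: " + live + " -> " + bad);
        if (!bad.isEmpty()) System.exit(1);  // strong seed source points at BCFIPS
    }
}
```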