JCA FIPS approved mode

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

JCA FIPS approved mode

Spaulding
I'm attempting to create a test program to setup BCFIPS in approved mode
using Java and the JCA\JCE API.  I have a few questions\concerns that I'm
hoping somebody can help with.

I will list the steps and concerns if there are any at that point:
1) in the java code, Security.addProvider(new BouncyCastleFipsProvider()).
Q) I've seen examples calling the default constructor and others calling
with a setting for a DRBG.  Which is actually the correct way?

2) next, I check CryptoServicesRegistrar.isInApprovedOnlyMode(), and it
returns false.
I also check FipsStatus.isReady(), and it returns true.

3) I then set CryptoServicesRegistrar.setApprovedOnlyMode(true).
I check, and it believes we are now in approved only mode.

4) I then get an instance of a KeyGenerator.
KeyGenerator.getInstance("AES", "BCFIPS");

5) Create a SecureRandom instance, and init the keyGenerator instance
keyGenerator.init(256, sr);
This throws a FipsUnapprovedOperationError: Attempt to createkey with
unapproved RNG: AES.

6) I searched around for solutions and stumbled upon one that had me create
an EntropySourceProvider, create a FipsDRBG builder from that, and then
build a FipsSecureRandom from the builder.
EntropySourceProvider eSource = new BasicEntropySourceProvider(new
SecureRandom(), true);
FipsDRBG.Builder dBuilder =
FipsDRBG.SHA512_HMAC.fromEntropySource(eSource).setSecurityStrength(256).setEntropyBitsRequired(256).setPersonalizationString(aByteArray);
FipsSecureRandom fsr = dBuilder.build(anotherByteArray,true);

After that, I performed keyGenerator.init(256, fsr);
This works.


So, my questions are these:
Is there a way to fully utilize BCFIPS in approved mode via the JCA\JCE API
without having to reference any of the BCFIPS specific classes (other than
adding the Provider at the beginning)?

If not, is my solution correct in #6?

Lastly, when utilizing the JCA\JCE API for encryption, decryption, and key
generation, are there recommendations of caching objects such as Cipher (it
appears yes on this one, because as I understand, after a doFinal() is
performed, the Cipher returns back to its state just after initialization -
unless we are using a different key), but what about KeyGenerator or
SecureRandom?



--
Sent from: http://bouncy-castle.1462172.n4.nabble.com/Bouncy-Castle-Dev-f1462173.html

Reply | Threaded
Open this post in threaded view
|

Re: JCA FIPS approved mode

David Hook-3

SecureRandom.getInstance("DEFAULT", "BCFIPS");

will return an appropriate SecureRandom. The DEFAULT secure random is
the one that
is used if you do not pass a SecureRandom to the init() method.

Number 6 is also correct though.

Regards,

David

On 13/04/18 01:10, Spaulding wrote:

> I'm attempting to create a test program to setup BCFIPS in approved mode
> using Java and the JCA\JCE API.  I have a few questions\concerns that I'm
> hoping somebody can help with.
>
> I will list the steps and concerns if there are any at that point:
> 1) in the java code, Security.addProvider(new BouncyCastleFipsProvider()).
> Q) I've seen examples calling the default constructor and others calling
> with a setting for a DRBG.  Which is actually the correct way?
>
> 2) next, I check CryptoServicesRegistrar.isInApprovedOnlyMode(), and it
> returns false.
> I also check FipsStatus.isReady(), and it returns true.
>
> 3) I then set CryptoServicesRegistrar.setApprovedOnlyMode(true).
> I check, and it believes we are now in approved only mode.
>
> 4) I then get an instance of a KeyGenerator.
> KeyGenerator.getInstance("AES", "BCFIPS");
>
> 5) Create a SecureRandom instance, and init the keyGenerator instance
> keyGenerator.init(256, sr);
> This throws a FipsUnapprovedOperationError: Attempt to createkey with
> unapproved RNG: AES.
>
> 6) I searched around for solutions and stumbled upon one that had me create
> an EntropySourceProvider, create a FipsDRBG builder from that, and then
> build a FipsSecureRandom from the builder.
> EntropySourceProvider eSource = new BasicEntropySourceProvider(new
> SecureRandom(), true);
> FipsDRBG.Builder dBuilder =
> FipsDRBG.SHA512_HMAC.fromEntropySource(eSource).setSecurityStrength(256).setEntropyBitsRequired(256).setPersonalizationString(aByteArray);
> FipsSecureRandom fsr = dBuilder.build(anotherByteArray,true);
>
> After that, I performed keyGenerator.init(256, fsr);
> This works.
>
>
> So, my questions are these:
> Is there a way to fully utilize BCFIPS in approved mode via the JCA\JCE API
> without having to reference any of the BCFIPS specific classes (other than
> adding the Provider at the beginning)?
>
> If not, is my solution correct in #6?
>
> Lastly, when utilizing the JCA\JCE API for encryption, decryption, and key
> generation, are there recommendations of caching objects such as Cipher (it
> appears yes on this one, because as I understand, after a doFinal() is
> performed, the Cipher returns back to its state just after initialization -
> unless we are using a different key), but what about KeyGenerator or
> SecureRandom?
>
>
>
> --
> Sent from: http://bouncy-castle.1462172.n4.nabble.com/Bouncy-Castle-Dev-f1462173.html
>
>


Reply | Threaded
Open this post in threaded view
|

Re: JCA FIPS approved mode

Spaulding
Thank you David. SecureRandom.getInstance("DEFAULT", "BCFIPS"); resolved my
need to utilize BC specific classes.  I appreciate the help!



--
Sent from: http://bouncy-castle.1462172.n4.nabble.com/Bouncy-Castle-Dev-f1462173.html