PREDICTABLE RSA KEY GENERATION

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

PREDICTABLE RSA KEY GENERATION

Pasquale Ranalli
I am looking for assistance with generating RSA keys in a predictable fashion via a Java code base.  I have been doing this for years by seeding SecureRandom before calling KeyGenerator.initialize(bits, secureRandom) but it appears that after BC version 1.51 this began causing different results.  In other words, I am unable to generate the same RSA keypair using the same seed between versions 1.51 and anything later. 

The reasoning behind this is the avoidance of storing RSA keys on a file system and dynamically generating them as-needed.  The merits of this may be in question, but I have been tasked with attempting to continue this behavior while upgrading to BC 1.55.  Is there a way for me to get the same results from 1.55 as I do in 1.51?  Or is this just an example of a situation where seeding SecureRandom is not guaranteed?  If the latter, is there a different way of generating a predictable RSA key pair? 

Thanks for your help,
Pasquale



Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

RE: PREDICTABLE RSA KEY GENERATION

Eckenfels. Bernd
Can you show how you request the SecureRandom instance and how you seed it? Most implementations do not replace the seeding but append it. They also have a very small window before they are auto-seeded. For the DRBG you need to als swtich off prediction resistance and re-seeding.

Gruss
Bernd

--
http://www.seeburger.com

From: Pasquale Ranalli [[hidden email]]
Sent: Thursday, March 30, 2017 17:13
To: [hidden email]
Subject: [dev-crypto] PREDICTABLE RSA KEY GENERATION

I am looking for assistance with generating RSA keys in a predictable fashion via a Java code base.  I have been doing this for years by seeding SecureRandom before calling KeyGenerator.initialize(bits, secureRandom) but it appears that after BC version 1.51 this began causing different results.  In other words, I am unable to generate the same RSA keypair using the same seed between versions 1.51 and anything later. 

The reasoning behind this is the avoidance of storing RSA keys on a file system and dynamically generating them as-needed.  The merits of this may be in question, but I have been tasked with attempting to continue this behavior while upgrading to BC 1.55.  Is there a way for me to get the same results from 1.55 as I do in 1.51?  Or is this just an example of a situation where seeding SecureRandom is not guaranteed?  If the latter, is there a different way of generating a predictable RSA key pair? 

Thanks for your help,
Pasquale








     


SEEBURGER AG   Vorstand/SEEBURGER Executive Board:
Sitz der Gesellschaft/Registered Office:   Axel Haas, Michael Kleeberg, Friedemann Heinz, Dr. Martin Kuntz, Matthias Feßenbecker
Edisonstr. 1  
D-75015 Bretten Vorsitzende des Aufsichtsrats/Chairperson of the SEEBURGER Supervisory Board:
Tel.: 07252 / 96 - 0 Prof. Dr. Simone Zeuchner
Fax: 07252 / 96 - 2222
Internet: http://www.seeburger.de Registergericht/Commercial Register:
e-mail: [hidden email] HRB 240708 Mannheim


Dieses E-Mail ist nur für den Empfänger bestimmt, an den es gerichtet ist und kann vertrauliches bzw. unter das Berufsgeheimnis fallendes Material enthalten. Jegliche darin enthaltene Ansicht oder Meinungsäußerung ist die des Autors und stellt nicht notwendigerweise die Ansicht oder Meinung der SEEBURGER AG dar. Sind Sie nicht der Empfänger, so haben Sie diese E-Mail irrtümlich erhalten und jegliche Verwendung, Veröffentlichung, Weiterleitung, Abschrift oder jeglicher Druck dieser E-Mail ist strengstens untersagt. Weder die SEEBURGER AG noch der Absender (Eckenfels. Bernd) übernehmen die Haftung für Viren; es obliegt Ihrer Verantwortung, die E-Mail und deren Anhänge auf Viren zu prüfen.

This email is intended only for the recipient(s) to whom it is addressed. This email may contain confidential material that may be protected by professional secrecy. Any fact or opinion contained, or expression of the material herein, does not necessarily reflect that of SEEBURGER AG. If you are not the addressee or if you have received this email in error, any use, publication or distribution including forwarding, copying or printing is strictly prohibited. Neither SEEBURGER AG, nor the sender (Eckenfels. Bernd) accept liability for viruses; it is your responsibility to check this email and its attachments for viruses.

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: PREDICTABLE RSA KEY GENERATION

Pasquale Ranalli
The code is below, where "PROVIDER" is new BouncyCastleProvider() and is added via static initialization. 

private static KeyPair generateKeyPair(String index) {
try {
int bits = 4096;
byte[] seed = index.getBytes("UTF-8");
KeyPairGenerator keyGen = KeyPairGenerator.getInstance(RSA, PROVIDER);
SecureRandom hash = SecureRandom.getInstance("SHA1PRNG", "SUN");
hash.setSeed(seed);
keyGen.initialize(bits, hash);

return keyGen.genKeyPair();
}

I appreciate your input,

Pasquale Ranalli



From: "Eckenfels. Bernd" <[hidden email]>
To: "Pasquale Ranalli" <[hidden email]>, "dev-crypto" <[hidden email]>
Sent: Thursday, March 30, 2017 3:14:16 PM
Subject: RE: PREDICTABLE RSA KEY GENERATION
Can you show how you request the SecureRandom instance and how you seed it? Most implementations do not replace the seeding but append it. They also have a very small window before they are auto-seeded. For the DRBG you need to als swtich off prediction resistance and re-seeding.

Gruss
Bernd

--
http://www.seeburger.com


Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: PREDICTABLE RSA KEY GENERATION

Michael Rogers
Hi Pasquale,

You could handle this by implementing your own deterministic
SecureRandom, something like the following untested example:

https://gist.github.com/akwizgran/a87a379068f2bbb51e536cb00df96373

Cheers,
Michael

On 30/03/17 21:17, Pasquale Ranalli wrote:

> The code is below, where "PROVIDER" is new BouncyCastleProvider() and is
> added via static initialization.
>
> private static KeyPair generateKeyPair(String index) {
> try {
> int bits = 4096;
> byte[] seed = index.getBytes("UTF-8");
> KeyPairGenerator keyGen = KeyPairGenerator.getInstance(RSA, PROVIDER);
> SecureRandom hash = SecureRandom.getInstance("SHA1PRNG", "SUN");
> hash.setSeed(seed);
> keyGen.initialize(bits, hash);
>
> return keyGen.genKeyPair();
> }
>
> I appreciate your input,
>
> Pasquale Ranalli
>
>
> ------------------------------------------------------------------------
>
>     *From: *"Eckenfels. Bernd" <[hidden email]>
>     *To: *"Pasquale Ranalli" <[hidden email]>, "dev-crypto"
>     <[hidden email]>
>     *Sent: *Thursday, March 30, 2017 3:14:16 PM
>     *Subject: *RE: PREDICTABLE RSA KEY GENERATION
>
>     Can you show how you request the SecureRandom instance and how you
>     seed it? Most implementations do not replace the seeding but append
>     it. They also have a very small window before they are auto-seeded.
>     For the DRBG you need to als swtich off prediction resistance and
>     re-seeding.
>
>     Gruss
>     Bernd
>
>     --
>     http://www.seeburger.com
>
>

0x9FC527CC.asc (4K) Download Attachment
signature.asc (484 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: PREDICTABLE RSA KEY GENERATION

Pasquale Ranalli
Michael,

It looks like that will work for me.  My early testing verifies that I'm able to generate the same keys across versions now.  I'm not able to generate identical keys to what I was previously using, but I can easily re-encrypt my data with the new methodology. 

I really appreciate your help, thank you! 

Pasquale Ranalli
Renaissance Technologies LLC
Non-Research Infrastructure
800 Third Ave., 34th Floor
New York, NY 10022
212.836.2912 || x2912
[hidden email]


From: "Michael Rogers" <[hidden email]>
To: "Pasquale Ranalli" <[hidden email]>, "Bernd" <[hidden email]>
Cc: "dev-crypto" <[hidden email]>
Sent: Friday, March 31, 2017 6:23:43 AM
Subject: Re: [dev-crypto] Re: PREDICTABLE RSA KEY GENERATION
Hi Pasquale,

You could handle this by implementing your own deterministic
SecureRandom, something like the following untested example:

https://gist.github.com/akwizgran/a87a379068f2bbb51e536cb00df96373

Cheers,
Michael

On 30/03/17 21:17, Pasquale Ranalli wrote:

> The code is below, where "PROVIDER" is new BouncyCastleProvider() and is
> added via static initialization.
>
> private static KeyPair generateKeyPair(String index) {
> try {
> int bits = 4096;
> byte[] seed = index.getBytes("UTF-8");
> KeyPairGenerator keyGen = KeyPairGenerator.getInstance(RSA, PROVIDER);
> SecureRandom hash = SecureRandom.getInstance("SHA1PRNG", "SUN");
> hash.setSeed(seed);
> keyGen.initialize(bits, hash);
>
> return keyGen.genKeyPair();
> }
>
> I appreciate your input,
>
> Pasquale Ranalli
>
>
> ------------------------------------------------------------------------
>
>     *From: *"Eckenfels. Bernd" <[hidden email]>
>     *To: *"Pasquale Ranalli" <[hidden email]>, "dev-crypto"
>     <[hidden email]>
>     *Sent: *Thursday, March 30, 2017 3:14:16 PM
>     *Subject: *RE: PREDICTABLE RSA KEY GENERATION
>
>     Can you show how you request the SecureRandom instance and how you
>     seed it? Most implementations do not replace the seeding but append
>     it. They also have a very small window before they are auto-seeded.
>     For the DRBG you need to als swtich off prediction resistance and
>     re-seeding.
>
>     Gruss
>     Bernd
>
>     --
>     http://www.seeburger.com
>
>
Loading...