Setting the default SecureRandom in BC FIPS provider


Bhushan Deo
Had a question about setting the default SecureRandom when using the BCFIPS provider. Read the guides but could not come to a conclusion.

I am adding the Fips Provider in code and specifying a DRBG in the config string as follows when my application is initialized:

Security.insertProviderAt(new BouncyCastleFipsProvider("C:DEFRND[HMACSHA512];ENABLE{ALL};"), 2);

Does this ensure that:
1. Elsewhere in the code, getting a SecureRandom using SecureRandom.getInstance("DEFAULT", "BCFIPS"); will return the Fips approved SecureRandom constructed by the provider when it is created? I intend to use this "DEFAULT" SecureRandom to create IV/nonce using the nextBytes method.

2. In this case, since I am not calling CryptoServicesRegistrar.setSecureRandom(), will the same Fips approved SecureRandom built during creation of the provider be used internally for subsequent JCE operations, for example, using Cipher to AES encrypt?

Sincere thanks for your help.

- Bhushan
Re: Setting the default SecureRandom in BC FIPS provider

David Hook-3

On 1: Yes - DEFAULT will be based on HmacSHA-512.

On 2: Yes, unless another SecureRandom is provided to an init method for
one of the JCA/JCE algorithm classes, the SecureRandom used internally
by the BC FIPS provider will always be the same as that returned by DEFAULT.

Regards,

David

On 08/03/17 12:04, Bhushan Deo wrote:

> Had a question about setting the default SecureRandom when using the
> BCFIPS provider. Read the guides but could not come to a conclusion.
>
> I am adding the Fips Provider in code and specifying a DRBG in the
> config string as follows when my application is initialized:
>
> Security.insertProviderAt(new
> BouncyCastleFipsProvider("C:DEFRND[HMACSHA512];ENABLE{ALL};"), 2);
>
> Does this ensure that:
> 1. Elsewhere in the code, getting a SecureRandom using
> SecureRandom.getInstance("DEFAULT", "BCFIPS"); will return the Fips
> approved SecureRandom constructed by the provider when it is created?
> I intend to use this "DEFAULT" SecureRandom to create IV/nonce using
> the nextBytes method.
>
> 2. In this case, since I am not calling
> CryptoServicesRegistrar.setSecureRandom(), will the same Fips approved
> SecureRandom built during creation of the provider be used internally
> for subsequent JCE operations, for example, using Cipher to AES encrypt.
>
> Sincere thanks for your help.
>
> - Bhushan
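
The setup discussed in this thread, put together as an added example (not code from either poster or from the Bouncy Castle project). The class name, the AES-256-GCM choice, the 12-byte nonce and the sample plaintext are assumptions of the example, and the bc-fips jar is assumed to be on the classpath.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;

// Hypothetical class name; requires the bc-fips jar on the classpath.
public class BcFipsDefaultRandomExample {
    public static void main(String[] args) throws Exception {
        // Provider registration with the config string from the question.
        Security.insertProviderAt(
            new BouncyCastleFipsProvider("C:DEFRND[HMACSHA512];ENABLE{ALL};"), 2);

        // Point 1: request the DEFAULT SecureRandom from BCFIPS by name, and
        // fail closed if some other provider answered the request.
        SecureRandom rng = SecureRandom.getInstance("DEFAULT", "BCFIPS");
        if (!"BCFIPS".equals(rng.getProvider().getName())) {
            throw new IllegalStateException("DEFAULT SecureRandom is not from BCFIPS");
        }

        // Point 2: init() is called without a SecureRandom argument, so key
        // generation draws on the provider's internal SecureRandom.
        KeyGenerator keyGen = KeyGenerator.getInstance("AES", "BCFIPS");
        keyGen.init(256);
        SecretKey key = keyGen.generateKey();

        // Fresh nonce for each encryption under this key, taken from DEFAULT.
        byte[] nonce = new byte[12];
        rng.nextBytes(nonce);

        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding", "BCFIPS");
        gcm.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] plaintext = "constructed sample plaintext".getBytes(StandardCharsets.UTF_8);
        byte[] ciphertext = gcm.doFinal(plaintext);

        System.out.println("SecureRandom: " + rng.getAlgorithm()
            + " from " + rng.getProvider().getName());
        System.out.println("Ciphertext plus tag: " + ciphertext.length + " bytes");
    }
}
```

As the reply notes, an init overload that takes a SecureRandom (for example `keyGen.init(256, otherRandom)`) replaces the provider default for that operation, so a code review for this setup should look for such calls.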


