is key generation thread-safe?

Lou Wynn

Hi,

I'm using BC in a web project and want to know if the key generation process is thread-safe? For example, for the following code snippet,

1. Security.addProvider(new BouncyCastleProvider());
2. KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA", "BC");
3. keyPairGenerator.initialize(4096);
4. KeyPair keyPair = keyPairGenerator.generateKeyPair();

I'd like to call line 4 for each incoming request and place lines 1-3 in the initialization code. Can anyone help me confirm this? If line 4 is not thread-safe, is it sufficient to place the keyPairGenerator variable in a ThreadLocal class?

Merry Christmas!

-- 
Thanks,
Lou

RE: is key generation thread-safe?

Eckenfels. Bernd
Hello,

The (OpenJDK & BC) implementation is thread safe as long as you do not reinitialize it, but then, why would you even risk it? I haven't found a claim where this is documented/guaranteed.

Just put L2-4 in a per-request method and you are safe. The methods are so heavyweight, you won't notice an additional single object generation. And you are on the safe side, not only because of threading, but also because of possibly different initialisation parameters.

Regards
Bernd
--
http://www.seeburger.com
________________________________________
From: Lou Wynn [[hidden email]]
Sent: Sunday, December 25, 2016 04:47
To: [hidden email]
Subject: [dev-crypto] is key generation thread-safe?

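The per-request pattern suggested in the reply, as an added example that is not code from either poster or from the Bouncy Castle project: line 1 of the snippet runs once at start-up, and lines 2-4 run inside a method so each call gets its own generator. The class name `PerRequestKeyGen`, the method `newRsaKeyPair`, the thread pool standing in for web requests, and the 2048-bit demo size are assumptions; it needs the Bouncy Castle provider jar on the classpath.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.interfaces.RSAPublicKey;
import java.util.*;
import java.util.concurrent.*;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

public class PerRequestKeyGen {          // hypothetical class name
    // Line 1 of the snippet: register the provider once, at application start-up.
    static {
        if (Security.getProvider("BC") == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
    }

    // Lines 2-4 of the snippet, run per request. The generator is a local
    // variable, so no KeyPairGenerator instance is shared between threads and
    // each caller can pass its own key size.
    static KeyPair newRsaKeyPair(int bits) throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "BC");
        kpg.initialize(bits);
        return kpg.generateKeyPair();
    }

    public static void main(String[] args) throws Exception {
        final int requests = 8;   // constructed stand-in for concurrent web requests
        final int bits = 2048;    // demo size to keep the run short; the thread uses 4096
        ExecutorService pool = Executors.newFixedThreadPool(4);
        try {
            List<Future<KeyPair>> pending = new ArrayList<>();
            for (int i = 0; i < requests; i++) {
                pending.add(pool.submit(() -> newRsaKeyPair(bits)));
            }
            // Sanity checks: every key has the requested size and no modulus repeats.
            Set<BigInteger> moduli = new HashSet<>();
            for (Future<KeyPair> f : pending) {
                RSAPublicKey pub = (RSAPublicKey) f.get().getPublic();
                if (pub.getModulus().bitLength() != bits) {
                    throw new IllegalStateException("unexpected key size");
                }
                moduli.add(pub.getModulus());
            }
            if (moduli.size() != requests) {
                throw new IllegalStateException("duplicate modulus");
            }
            System.out.println(requests + " distinct " + bits + "-bit RSA key pairs generated");
        } finally {
            pool.shutdown();
        }
    }
}
```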