/**
 * Creates an entropy source that delivers {@code bitsRequired} bits of entropy
 * on each call to its {@code getEntropy()} method.
 *
 * @param bitsRequired size (in bits) of the entropy each request must produce.
 * @return an EntropySource whose getEntropy() returns (bitsRequired + 7) / 8 bytes
 *         filled by {@code _sr.nextBytes}.
 */
public EntropySource get(final int bitsRequired)
{
    // Round up so a bit count that is not a multiple of 8 still gets a whole final byte.
    final int byteCount = (bitsRequired + 7) / 8;

    return new EntropySource()
    {
        public int entropySize()
        {
            return bitsRequired;
        }

        public boolean isPredictionResistant()
        {
            // Only reports the provider's flag; the quality of the bytes depends entirely on _sr.
            return _predictionResistant;
        }

        public byte[] getEntropy()
        {
            byte[] fresh = new byte[byteCount];

            _sr.nextBytes(fresh);

            return fresh;
        }
    };
}
/**
 * Construct a SP800-90A CTR DRBG.
 * <p>
 * The entropy source must advertise at least securityStrength bits per request.
 * </p>
 * @param engine underlying block cipher the DRBG is built on.
 * @param keySizeInBits size of the key to use with the block cipher.
 * @param securityStrength security strength required (in bits); values above 256 are rejected.
 * @param entropySource source of entropy to use for seeding/reseeding.
 * @param personalizationString personalization string to distinguish this DRBG (may be null).
 * @param nonce nonce to further distinguish this DRBG (may be null).
 * @throws IllegalArgumentException if the strength exceeds 256 bits, exceeds what the cipher
 *         and key size support, or exceeds the entropy source's advertised size.
 */
public CTRSP800DRBG(BlockCipher engine, int keySizeInBits, int securityStrength, EntropySource entropySource, byte[] personalizationString, byte[] nonce)
{
    this._entropySource = entropySource;
    this._engine = engine;
    this._keySizeInBits = keySizeInBits;

    // Seed length is the key size in bits plus eight times the engine's block size.
    final int blockSizeTimesEight = engine.getBlockSize() * 8;
    this._seedLength = keySizeInBits + blockSizeTimesEight;
    this._isTDEA = isTDEA(engine);

    final boolean beyondDerivationFunction = securityStrength > 256;
    if (beyondDerivationFunction)
    {
        throw new IllegalArgumentException("Requested security strength is not supported by the derivation function");
    }

    if (securityStrength > getMaxSecurityStrength(engine, keySizeInBits))
    {
        throw new IllegalArgumentException("Requested security strength is not supported by block cipher and key size");
    }

    if (securityStrength > entropySource.entropySize())
    {
        throw new IllegalArgumentException("Not enough entropy for security strength required");
    }

    // Get_entropy_input, then hand everything to the instantiate algorithm.
    CTR_DRBG_Instantiate_algorithm(entropySource.getEntropy(), nonce, personalizationString);
}
/**
 * Construct a SP800-90A Hash DRBG.
 * <p>
 * The entropy source must advertise at least securityStrength bits per request.
 * </p>
 * @param digest source digest to use for the DRBG stream.
 * @param securityStrength security strength required (in bits)
 * @param entropySource source of entropy to use for seeding/reseeding.
 * @param personalizationString personalization string to distinguish this DRBG (may be null).
 * @param nonce nonce to further distinguish this DRBG (may be null).
 * @throws IllegalArgumentException if the strength exceeds what the digest supports or what
 *         the entropy source advertises.
 */
public HashSP800DRBG(Digest digest, int securityStrength, EntropySource entropySource, byte[] personalizationString, byte[] nonce)
{
    final int digestLimit = Utils.getMaxSecurityStrength(digest);
    if (digestLimit < securityStrength)
    {
        throw new IllegalArgumentException("Requested security strength is not supported by the derivation function");
    }

    if (securityStrength > entropySource.entropySize())
    {
        throw new IllegalArgumentException("Not enough entropy for security strength required");
    }

    this._digest = digest;
    this._entropySource = entropySource;
    this._securityStrength = securityStrength;

    // seedlen is looked up by the digest's algorithm name.
    Integer seedLengthForDigest = (Integer)seedlens.get(digest.getAlgorithmName());
    this._seedLength = seedLengthForDigest.intValue();

    // 1. seed_material = entropy_input || nonce || personalization_string.
    // 2. seed = Hash_df (seed_material, seedlen).
    // 3. V = seed.
    byte[] seedMaterial = Arrays.concatenate(entropySource.getEntropy(), nonce, personalizationString);
    _V = Utils.hash_df(_digest, seedMaterial, _seedLength);

    // 4. C = Hash_df ((0x00 || V), seedlen). Comment: Precede V with a byte of zeros.
    byte[] zeroPrefixedV = new byte[1 + _V.length];
    System.arraycopy(_V, 0, zeroPrefixedV, 1, _V.length);
    _C = Utils.hash_df(_digest, zeroPrefixedV, _seedLength);

    // 5. reseed_counter = 1.
    // 6. V, C, and reseed_counter now form the initial_working_state.
    _reseedCounter = 1;
}
/**
 * Construct a SP800-90A HMAC DRBG.
 * <p>
 * The entropy source must advertise at least securityStrength bits per request.
 * </p>
 * @param hMac Hash MAC to base the DRBG on.
 * @param securityStrength security strength required (in bits)
 * @param entropySource source of entropy to use for seeding/reseeding.
 * @param personalizationString personalization string to distinguish this DRBG (may be null).
 * @param nonce nonce to further distinguish this DRBG (may be null).
 * @throws IllegalArgumentException if the strength exceeds what the MAC supports or what
 *         the entropy source advertises.
 */
public HMacSP800DRBG(Mac hMac, int securityStrength, EntropySource entropySource, byte[] personalizationString, byte[] nonce)
{
    final int macLimit = Utils.getMaxSecurityStrength(hMac);
    if (macLimit < securityStrength)
    {
        throw new IllegalArgumentException("Requested security strength is not supported by the derivation function");
    }

    if (securityStrength > entropySource.entropySize())
    {
        throw new IllegalArgumentException("Not enough entropy for security strength required");
    }

    this._entropySource = entropySource;
    this._hMac = hMac;

    // seed_material = entropy_input || nonce || personalization_string
    byte[] seedMaterial = Arrays.concatenate(entropySource.getEntropy(), nonce, personalizationString);

    // K starts as all zero bytes and V as all 0x01 bytes, each one MAC output long.
    final int macLength = hMac.getMacSize();
    _K = new byte[macLength];
    _V = new byte[macLength];
    Arrays.fill(_V, (byte)1);

    hmac_DRBG_Update(seedMaterial);

    _reseedCounter = 1;
}
/**
 * Construct a SP800-90A CTR DRBG.
 * <p>
 * The entropy source must advertise at least securityStrength bits per request.
 * </p>
 * @param engine underlying block cipher the DRBG is built on.
 * @param keySizeInBits size of the key to use with the block cipher.
 * @param securityStrength security strength required (in bits); values above 256 are rejected.
 * @param entropySource source of entropy to use for seeding/reseeding.
 * @param personalizationString personalization string to distinguish this DRBG (may be null).
 * @param nonce nonce to further distinguish this DRBG (may be null).
 * @throws IllegalArgumentException if the strength exceeds 256 bits, exceeds what the cipher
 *         and key size support, or exceeds the entropy source's advertised size.
 */
public CTRSP800DRBG(BlockCipher engine, int keySizeInBits, int securityStrength, EntropySource entropySource, byte[] personalizationString, byte[] nonce)
{
    this._entropySource = entropySource;
    this._engine = engine;
    this._keySizeInBits = keySizeInBits;
    this._securityStrength = securityStrength;

    // Seed length is the key size in bits plus eight times the engine's block size.
    final int blockSizeTimesEight = engine.getBlockSize() * 8;
    this._seedLength = keySizeInBits + blockSizeTimesEight;
    this._isTDEA = isTDEA(engine);

    final boolean beyondDerivationFunction = securityStrength > 256;
    if (beyondDerivationFunction)
    {
        throw new IllegalArgumentException("Requested security strength is not supported by the derivation function");
    }

    if (securityStrength > getMaxSecurityStrength(engine, keySizeInBits))
    {
        throw new IllegalArgumentException("Requested security strength is not supported by block cipher and key size");
    }

    if (securityStrength > entropySource.entropySize())
    {
        throw new IllegalArgumentException("Not enough entropy for security strength required");
    }

    // Get_entropy_input goes through this class's getEntropy() helper rather than the source directly.
    CTR_DRBG_Instantiate_algorithm(getEntropy(), nonce, personalizationString);
}
/**
 * Construct a SP800-90A Hash DRBG.
 * <p>
 * The entropy source must advertise at least securityStrength bits per request.
 * </p>
 * @param digest source digest to use for the DRBG stream.
 * @param securityStrength security strength required (in bits)
 * @param entropySource source of entropy to use for seeding/reseeding.
 * @param personalizationString personalization string to distinguish this DRBG (may be null).
 * @param nonce nonce to further distinguish this DRBG (may be null).
 * @throws IllegalArgumentException if the strength exceeds what the digest supports or what
 *         the entropy source advertises.
 */
public HashSP800DRBG(Digest digest, int securityStrength, EntropySource entropySource, byte[] personalizationString, byte[] nonce)
{
    final int digestLimit = Utils.getMaxSecurityStrength(digest);
    if (digestLimit < securityStrength)
    {
        throw new IllegalArgumentException("Requested security strength is not supported by the derivation function");
    }

    if (securityStrength > entropySource.entropySize())
    {
        throw new IllegalArgumentException("Not enough entropy for security strength required");
    }

    this._digest = digest;
    this._entropySource = entropySource;
    this._securityStrength = securityStrength;

    // seedlen is looked up by the digest's algorithm name.
    Integer seedLengthForDigest = (Integer)seedlens.get(digest.getAlgorithmName());
    this._seedLength = seedLengthForDigest.intValue();

    // 1. seed_material = entropy_input || nonce || personalization_string.
    //    The entropy input comes from this class's getEntropy() helper.
    // 2. seed = Hash_df (seed_material, seedlen).
    // 3. V = seed.
    byte[] seedMaterial = Arrays.concatenate(getEntropy(), nonce, personalizationString);
    _V = Utils.hash_df(_digest, seedMaterial, _seedLength);

    // 4. C = Hash_df ((0x00 || V), seedlen). Comment: Precede V with a byte of zeros.
    byte[] zeroPrefixedV = new byte[1 + _V.length];
    System.arraycopy(_V, 0, zeroPrefixedV, 1, _V.length);
    _C = Utils.hash_df(_digest, zeroPrefixedV, _seedLength);

    // 5. reseed_counter = 1.
    // 6. V, C, and reseed_counter now form the initial_working_state.
    _reseedCounter = 1;
}
/**
 * Construct a SP800-90A HMAC DRBG.
 * <p>
 * The entropy source must advertise at least securityStrength bits per request.
 * </p>
 * @param hMac Hash MAC to base the DRBG on.
 * @param securityStrength security strength required (in bits)
 * @param entropySource source of entropy to use for seeding/reseeding.
 * @param personalizationString personalization string to distinguish this DRBG (may be null).
 * @param nonce nonce to further distinguish this DRBG (may be null).
 * @throws IllegalArgumentException if the strength exceeds what the MAC supports or what
 *         the entropy source advertises.
 */
public HMacSP800DRBG(Mac hMac, int securityStrength, EntropySource entropySource, byte[] personalizationString, byte[] nonce)
{
    final int macLimit = Utils.getMaxSecurityStrength(hMac);
    if (macLimit < securityStrength)
    {
        throw new IllegalArgumentException("Requested security strength is not supported by the derivation function");
    }

    if (securityStrength > entropySource.entropySize())
    {
        throw new IllegalArgumentException("Not enough entropy for security strength required");
    }

    this._securityStrength = securityStrength;
    this._entropySource = entropySource;
    this._hMac = hMac;

    // seed_material = entropy_input || nonce || personalization_string, with the
    // entropy input taken through this class's getEntropy() helper.
    byte[] seedMaterial = Arrays.concatenate(getEntropy(), nonce, personalizationString);

    // K starts as all zero bytes and V as all 0x01 bytes, each one MAC output long.
    final int macLength = hMac.getMacSize();
    _K = new byte[macLength];
    _V = new byte[macLength];
    Arrays.fill(_V, (byte)1);

    hmac_DRBG_Update(seedMaterial);

    _reseedCounter = 1;
}
/**
 * Creates an entropy source that replays consecutive slices of the fixed
 * {@code data} array, bitsRequired / 8 bytes per call.
 * <p>
 * The output is fully determined by {@code data}, so this is only suitable for
 * reproducing known vectors. There is no explicit exhaustion check: once the
 * slices run past the end of {@code data}, System.arraycopy throws an
 * IndexOutOfBoundsException.
 * </p>
 * @param bitsRequired number of bits each call to getEntropy() should return.
 * @return an EntropySource backed by {@code data}.
 */
public EntropySource get(final int bitsRequired)
{
    return new EntropySource()
    {
        // Read position in data; advances by one slice per getEntropy() call.
        int offset = 0;

        public int entropySize()
        {
            return bitsRequired;
        }

        public boolean isPredictionResistant()
        {
            return isPredictionResistant;
        }

        public byte[] getEntropy()
        {
            // Integer division: a bit count that is not a multiple of 8 is rounded down.
            final int sliceLength = bitsRequired / 8;
            byte[] slice = new byte[sliceLength];

            System.arraycopy(data, offset, slice, 0, sliceLength);
            offset += sliceLength;

            return slice;
        }
    };
}
/**
 * Creates a test vector that carries a Digest; the personalisation string starts as null.
 *
 * @param digest digest stored for the test.
 * @param eSource entropy source stored for the test.
 * @param predictionResistance prediction-resistance flag stored for the test.
 * @param nonce nonce, kept as the String supplied (encoding not visible here).
 * @param securityStrength security strength stored for the test.
 * @param expected expected values, kept as the Strings supplied.
 */
public DRBGTestVector(Digest digest, EntropySource eSource, boolean predictionResistance, String nonce, int securityStrength, String[] expected)
{
    this._personalisation = null;

    this._digest = digest;
    this._eSource = eSource;
    this._pr = predictionResistance;

    this._nonce = nonce;
    this._ss = securityStrength;
    this._ev = expected;
}
/**
 * Creates a test vector that carries a BlockCipher and key size; the personalisation
 * string starts as null.
 *
 * @param cipher block cipher stored for the test.
 * @param keySizeInBits key size (in bits) stored alongside the cipher.
 * @param eSource entropy source stored for the test.
 * @param predictionResistance prediction-resistance flag stored for the test.
 * @param nonce nonce, kept as the String supplied (encoding not visible here).
 * @param securityStrength security strength stored for the test.
 * @param expected expected values, kept as the Strings supplied.
 */
public DRBGTestVector(BlockCipher cipher, int keySizeInBits, EntropySource eSource, boolean predictionResistance, String nonce, int securityStrength, String[] expected)
{
    this._personalisation = null;

    this._cipher = cipher;
    this._keySizeInBits = keySizeInBits;
    this._eSource = eSource;
    this._pr = predictionResistance;

    this._nonce = nonce;
    this._ss = securityStrength;
    this._ev = expected;
}
/**
 * Creates an entropy source that replays consecutive slices of the fixed
 * {@code data} array, bitsRequired / 8 bytes per call, and fails explicitly
 * once {@code data} cannot supply a full slice.
 * <p>
 * The source always reports itself as prediction resistant even though its
 * output is fully determined by {@code data}.
 * </p>
 * @param bitsRequired number of bits each call to getEntropy() should return.
 * @return an EntropySource backed by {@code data}.
 */
public EntropySource get(final int bitsRequired)
{
    return new EntropySource()
    {
        // Read position in data; advances by one slice per successful getEntropy() call.
        int offset = 0;

        public int entropySize()
        {
            return bitsRequired;
        }

        public boolean isPredictionResistant()
        {
            return true;
        }

        public byte[] getEntropy()
        {
            // Integer division: a bit count that is not a multiple of 8 is rounded down.
            final int sliceLength = bitsRequired / 8;
            byte[] slice = new byte[sliceLength];

            // Refuse to hand back a short or repeated slice when the fixed data is used up.
            final boolean exhausted = (offset + sliceLength) > data.length;
            if (exhausted)
            {
                throw new IllegalStateException("Insufficient entropy - need " + sliceLength + " bytes for challenge seed.");
            }

            System.arraycopy(data, offset, slice, 0, sliceLength);
            offset += sliceLength;

            return slice;
        }
    };
}
/**
 * Construct a SP800-90A Dual EC DRBG using the built-in P-256, P-384 or P-521
 * point pairs, selected by the requested security strength.
 * <p>
 * Minimum entropy requirement is the security strength requested.
 * </p>
 * <p>
 * NOTE(review): Dual_EC_DRBG was withdrawn from SP 800-90A in Revision 1 over
 * concerns about the provenance of its P/Q points; treat this constructor as
 * being for interoperability and known-answer testing, not for new designs.
 * </p>
 * @param digest source digest to use with the DRBG stream.
 * @param securityStrength security strength required (in bits)
 * @param entropySource source of entropy to use for seeding/reseeding.
 * @param personalizationString personalization string to distinguish this DRBG (may be null).
 * @param nonce nonce to further distinguish this DRBG (may be null).
 * @throws IllegalArgumentException if the personalization string is too large, the entropy
 *         source's advertised size is outside [securityStrength, MAX_ENTROPY_LENGTH], the
 *         digest cannot support the selected strength, or securityStrength exceeds 256.
 */
public DualECSP800DRBG(Digest digest, int securityStrength, EntropySource entropySource, byte[] personalizationString, byte[] nonce)
{
    _digest = digest;
    _entropySource = entropySource;
    _securityStrength = securityStrength;

    // MAX_PERSONALIZATION_STRING is divided by 8 before the size comparison.
    if (Utils.isTooLarge(personalizationString, MAX_PERSONALIZATION_STRING / 8))
    {
        throw new IllegalArgumentException("Personalization string too large");
    }

    if (entropySource.entropySize() < securityStrength || entropySource.entropySize() > MAX_ENTROPY_LENGTH)
    {
        throw new IllegalArgumentException("EntropySource must provide between " + securityStrength + " and " + MAX_ENTROPY_LENGTH + " bits");
    }

    // Entropy is drawn here, before the strength-to-curve selection below can still reject the request.
    byte[] entropy = entropySource.getEntropy();
    byte[] seedMaterial = Arrays.concatenate(entropy, nonce, personalizationString);

    // Pick the smallest curve whose strength tier covers the request; each tier fixes
    // seedlen (bits), outlen (bytes) and the P/Q points from the class constants.
    if (securityStrength <= 128)
    {
        if (Utils.getMaxSecurityStrength(digest) < 128)
        {
            throw new IllegalArgumentException("Requested security strength is not supported by digest");
        }
        _seedlen = 256;
        _outlen = 240 / 8;
        _curve = (ECCurve.Fp)NISTNamedCurves.getByName("P-256").getCurve();
        _P = new ECPoint.Fp(_curve, new ECFieldElement.Fp(_curve.getQ(), p256_Px), new ECFieldElement.Fp(_curve.getQ(), p256_Py));
        _Q = new ECPoint.Fp(_curve, new ECFieldElement.Fp(_curve.getQ(), p256_Qx), new ECFieldElement.Fp(_curve.getQ(), p256_Qy));
    }
    else if (securityStrength <= 192)
    {
        if (Utils.getMaxSecurityStrength(digest) < 192)
        {
            throw new IllegalArgumentException("Requested security strength is not supported by digest");
        }
        _seedlen = 384;
        _outlen = 368 / 8;
        _curve = (ECCurve.Fp)NISTNamedCurves.getByName("P-384").getCurve();
        _P = new ECPoint.Fp(_curve, new ECFieldElement.Fp(_curve.getQ(), p384_Px), new ECFieldElement.Fp(_curve.getQ(), p384_Py));
        _Q = new ECPoint.Fp(_curve, new ECFieldElement.Fp(_curve.getQ(), p384_Qx), new ECFieldElement.Fp(_curve.getQ(), p384_Qy));
    }
    else if (securityStrength <= 256)
    {
        if (Utils.getMaxSecurityStrength(digest) < 256)
        {
            throw new IllegalArgumentException("Requested security strength is not supported by digest");
        }
        _seedlen = 521;
        _outlen = 504 / 8;
        _curve = (ECCurve.Fp)NISTNamedCurves.getByName("P-521").getCurve();
        _P = new ECPoint.Fp(_curve, new ECFieldElement.Fp(_curve.getQ(), p521_Px), new ECFieldElement.Fp(_curve.getQ(), p521_Py));
        _Q = new ECPoint.Fp(_curve, new ECFieldElement.Fp(_curve.getQ(), p521_Qx), new ECFieldElement.Fp(_curve.getQ(), p521_Qy));
    }
    else
    {
        throw new IllegalArgumentException("security strength cannot be greater than 256 bits");
    }

    // Initial state s = Hash_df(seed_material, seedlen); the reseed counter starts at 0.
    _s = Utils.hash_df(_digest, seedMaterial, _seedlen);
    _sLength = _s.length;

    _reseedCounter = 0;
}
/**
 * Construct a SP800-90A Dual EC DRBG from a caller-supplied set of point pairs.
 * <p>
 * Minimum entropy requirement is the security strength requested.
 * </p>
 * <p>
 * NOTE(review): the output of a Dual EC DRBG is only trustworthy if the origin of
 * the P/Q points is; callers should know how every entry in pointSet was generated.
 * </p>
 * @param pointSet an array of points to choose from, in order of increasing security strength
 * @param digest source digest to use with the DRBG stream.
 * @param securityStrength security strength required (in bits)
 * @param entropySource source of entropy to use for seeding/reseeding.
 * @param personalizationString personalization string to distinguish this DRBG (may be null).
 * @param nonce nonce to further distinguish this DRBG (may be null).
 * @throws IllegalArgumentException if the personalization string is too large, the entropy
 *         source's advertised size is outside [securityStrength, MAX_ENTROPY_LENGTH], the
 *         digest cannot support the selected entry, or no entry yields a P point.
 */
public DualECSP800DRBG(DualECPoints[] pointSet, Digest digest, int securityStrength, EntropySource entropySource, byte[] personalizationString, byte[] nonce)
{
    this._digest = digest;
    this._entropySource = entropySource;
    this._securityStrength = securityStrength;

    if (Utils.isTooLarge(personalizationString, MAX_PERSONALIZATION_STRING / 8))
    {
        throw new IllegalArgumentException("Personalization string too large");
    }

    if (entropySource.entropySize() < securityStrength || entropySource.entropySize() > MAX_ENTROPY_LENGTH)
    {
        throw new IllegalArgumentException("EntropySource must provide between " + securityStrength + " and " + MAX_ENTROPY_LENGTH + " bits");
    }

    // The entropy input comes from this class's getEntropy() helper.
    byte[] seedMaterial = Arrays.concatenate(getEntropy(), nonce, personalizationString);

    // Take the first entry whose strength covers the request; entries are expected in increasing order.
    for (DualECPoints candidate : pointSet)
    {
        if (candidate.getSecurityStrength() < securityStrength)
        {
            continue;
        }

        if (Utils.getMaxSecurityStrength(digest) < candidate.getSecurityStrength())
        {
            throw new IllegalArgumentException("Requested security strength is not supported by digest");
        }

        _seedlen = candidate.getSeedLen();
        _outlen = candidate.getMaxOutlen() / 8;
        _P = candidate.getP();
        _Q = candidate.getQ();
        break;
    }

    // _P still unset means the loop found no usable entry.
    if (_P == null)
    {
        throw new IllegalArgumentException("security strength cannot be greater than 256 bits");
    }

    // Initial state s = Hash_df(seed_material, seedlen); the reseed counter starts at 0.
    _s = Utils.hash_df(_digest, seedMaterial, _seedlen);
    _sLength = _s.length;

    _reseedCounter = 0;
}
/**
 * Returns the entropy source held in {@code _eSource}.
 *
 * @return the stored EntropySource, exactly as it was stored (no copy is made).
 */
public EntropySource entropySource()
{
    return this._eSource;
}
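/**
 * Builds a SecureRandom that is intended to be reproducible from the userKey and
 * serverKey alone.
 * <p>
 * The two keys are XORed byte by byte (the shorter one repeating) into a seed for a
 * base SecureRandom. That generator then acts as the entropy source of an SP800 hash
 * DRBG (SHA-512) with userKey as personalization string and serverKey as nonce.
 * </p>
 * <p>
 * Security notes: the output is no less predictable than the two keys, so anyone
 * holding both can regenerate the stream. Two identical keys XOR to an all-zero
 * seed. The entropy source reports itself as prediction resistant although it is
 * backed by a seeded generator rather than a live entropy source.
 * </p>
 *
 * @param userKey user part of the key material; also used as personalization string.
 * @param serverKey server part of the key material; also used as nonce.
 * @return the SP800 hash DRBG built from the two keys.
 * @throws IllegalArgumentException if exactly one of the keys is empty.
 */
public static SecureRandom getSecureRandom(byte[] userKey, byte[] serverKey) {
    // One empty key next to a non-empty one would make the modulo below divide by
    // zero; reject it with a clear message. Two empty keys give an empty seed and
    // are still accepted, as before.
    if ((userKey.length == 0) != (serverKey.length == 0)) {
        throw new IllegalArgumentException("userKey and serverKey must either both be empty or both be non-empty");
    }

    SecureRandom baseRandom;
    try {
        baseRandom = SecureRandom.getInstance(RANDOM_NUMBER_ALGORITHM, RANDOM_NUMBER_ALGORITHM_PROVIDER);
    } catch (Exception e) {
        // NOTE(review): SecureRandom.setSeed supplements rather than replaces an
        // existing seed, so the platform default may not give reproducible output.
        // Callers that depend on determinism should treat this fallback as a failure.
        LOGGER.error("Unable to obtain SecureRandom " + RANDOM_NUMBER_ALGORITHM + " from provider "
                + RANDOM_NUMBER_ALGORITHM_PROVIDER + "; falling back to the platform default", e);
        baseRandom = new SecureRandom();
    }

    // XOR the key parts to get the seed, repeating the shorter one if the lengths differ.
    byte[] userSeed = new byte[Math.max(userKey.length, serverKey.length)];
    for (int i = 0; i < userSeed.length; i++) {
        userSeed[i] = (byte) (userKey[i % userKey.length] ^ serverKey[i % serverKey.length]);
    }
    baseRandom.setSeed(userSeed);

    final SecureRandom seededRandom = baseRandom;
    SP800SecureRandomBuilder sp800SecureRandomBuilder = new SP800SecureRandomBuilder(bitsRequired -> new EntropySource() {
        @Override
        public boolean isPredictionResistant() {
            return true;
        }

        @Override
        public byte[] getEntropy() {
            // Round up to whole bytes and draw them from the seeded generator.
            byte[] entropy = new byte[(bitsRequired + 7) / 8];
            seededRandom.nextBytes(entropy);
            return entropy;
        }

        @Override
        public int entropySize() {
            return bitsRequired;
        }
    });
    sp800SecureRandomBuilder.setPersonalizationString(userKey);

    // serverKey is the nonce; the final argument requests a prediction-resistant DRBG.
    return sp800SecureRandomBuilder.buildHash(new SHA512Digest(), serverKey, true);
}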
/**
 * Construct a SP800-90A Dual EC DRBG from a caller-supplied set of point pairs.
 * <p>
 * Minimum entropy requirement is the security strength requested.
 * </p>
 * <p>
 * NOTE(review): the output of a Dual EC DRBG is only trustworthy if the origin of
 * the P/Q points is; callers should know how every entry in pointSet was generated.
 * </p>
 * @param pointSet an array of points to choose from, in order of increasing security strength
 * @param digest source digest to use with the DRBG stream.
 * @param securityStrength security strength required (in bits)
 * @param entropySource source of entropy to use for seeding/reseeding.
 * @param personalizationString personalization string to distinguish this DRBG (may be null).
 * @param nonce nonce to further distinguish this DRBG (may be null).
 * @throws IllegalArgumentException if the personalization string is too large, the entropy
 *         source's advertised size is outside [securityStrength, MAX_ENTROPY_LENGTH], the
 *         digest cannot support the selected entry, or no entry yields a P point.
 */
public DualECSP800DRBG(DualECPoints[] pointSet, Digest digest, int securityStrength, EntropySource entropySource, byte[] personalizationString, byte[] nonce)
{
    this._digest = digest;
    this._entropySource = entropySource;
    this._securityStrength = securityStrength;

    if (Utils.isTooLarge(personalizationString, MAX_PERSONALIZATION_STRING / 8))
    {
        throw new IllegalArgumentException("Personalization string too large");
    }

    if (entropySource.entropySize() < securityStrength || entropySource.entropySize() > MAX_ENTROPY_LENGTH)
    {
        throw new IllegalArgumentException("EntropySource must provide between " + securityStrength + " and " + MAX_ENTROPY_LENGTH + " bits");
    }

    // The entropy input is read straight from the supplied source.
    byte[] seedMaterial = Arrays.concatenate(entropySource.getEntropy(), nonce, personalizationString);

    // Take the first entry whose strength covers the request; entries are expected in increasing order.
    for (DualECPoints candidate : pointSet)
    {
        if (candidate.getSecurityStrength() < securityStrength)
        {
            continue;
        }

        if (Utils.getMaxSecurityStrength(digest) < candidate.getSecurityStrength())
        {
            throw new IllegalArgumentException("Requested security strength is not supported by digest");
        }

        _seedlen = candidate.getSeedLen();
        _outlen = candidate.getMaxOutlen() / 8;
        _P = candidate.getP();
        _Q = candidate.getQ();
        break;
    }

    // _P still unset means the loop found no usable entry.
    if (_P == null)
    {
        throw new IllegalArgumentException("security strength cannot be greater than 256 bits");
    }

    // Initial state s = Hash_df(seed_material, seedlen); the reseed counter starts at 0.
    _s = Utils.hash_df(_digest, seedMaterial, _seedlen);
    _sLength = _s.length;

    _reseedCounter = 0;
}