Thanks Bruce/Michael,
FYI, I've created:
8006041: Create SecureRandom standard algorithm names.
against JDK 8 to track this issue, and I had previously filed:
8003584: Consider adding a more modern SecureRandom implementation
to add the SP800-90a algorithms in JDK.
Brad
On 1/10/2013 9:48 AM, Bruce Rich wrote:
+1
IBM already has SP800-90a/SHA256/HASH, SP800-90a/SHA384/HASH, and
SP800-90a/SHA512/HASH in our provider, but without standardized names,
they are not very useable for the Java community as a whole.
Bruce A Rich
brich at-sign us dot ibm dot com
- Forwarded by Bruce Rich/Austin/IBM on 01/10/2013 11:44 AM -
From: Michael StJohns mstjo...@comcast.net
To: Sean Mullan sean.mul...@oracle.com, Xuelei Fan
xuelei@oracle.com
Cc: OpenJDK Dev list security-dev@openjdk.java.net, Brad Wetmore
bradford.wetm...@oracle.com
Date: 01/09/2013 09:32 PM
Subject: Re: Update #2: JEP 123: SecureRandom First Draft and
Implementation.
Sent by: security-dev-boun...@openjdk.java.net
At 09:45 AM 1/9/2013, Sean Mullan wrote:
think it is unlikely that 2 providers would implement the same
SecureRandom algorithm, since the names are not standardized like other
cryptographic algorithms such as SHA-256, RSA, etc.
Can this be fixed? There really should be a flavor for this.
E.g.
SP800-90a/SHA256/HASH
SP800-90A/SHA256/HMAC
SP800-90A/AES/CTR
NRBG/NoisyDiode[/implementation id]
NRBG/RingOscillator[/Implementation id]
There are about 6 classes of NIST approved deterministic random number
generators. See
http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexc.pdf.
I wouldn't be surprised to find that multiple providers implement the
same RNGs, but don't have a common name for them. In fact, according to
wikipedia, the underlying function for MSCAPI is the FIPS186-2 appendix
3.1 with SHA1 function.
Mike