new SecureRandom() should not return SHA1PRNG on JDK 9. If NativePRNG is
the preferred provider, it will be returned. Otherwise, DRBG will be
used. DRBG is preferred to SHA1PRNG on every platform.
Thanks
Max
On 03/17/2017 07:36 AM, Bernd wrote:
Hello,
as a general precaution I wanted to document key generation best
practice. The SHA1PRNG with its small state and single 20 byte seed
always is a bit questionable for generating long term keys. 160 bit
entropy (as long as the SecureRandom instance is used only once) is not
enough for larger RSA Keys or AES192 and 256.
So I was looking for a solution which works on 8 and 9 and involves more
seed/state than the SHA1PRNG. On Windows the Windows-PRNG and on Linux
the NativePRNGs both look better in this regard. The
SecureRandom.getInstanceStrong() automatially uses them.
So while I think in the long run it might be better to wrap those
generators with DRBG some more I think a minimum is to use the strong
variant for key generation. I peeked into keytool to see whats best
practice and I noticed it does unfortunately NOT use the strong variant
or a DRBG configuration:
http://hg.openjdk.java.net/jdk9/jdk9/jdk/file/c95ebfceb394/src/java.base/share/classes/sun/security/tools/keytool/CertAndKeyGen.java#l150
Is it really acceptable for long term keys this way? (I guess no answer
means no :)
Would it be possible to bump the security level for keytool in 9?
Gruss
Bernd
