Re: Use of Bouncy Castle DRBG in Apache MINA SSHD

Mon, 14 Dec 2020 05:30:02 -0800 

On a perhaps-related note, I would love to see a way to specify a random 
factory either by setting a Java system property or implementing a method in 
SecurityProviderRegistrar (or both). My organization implemented a 
SecurityProviderRegistrar for Bouncy Castle FIPS, but MINA SSHD is still using 
the JCE SecureRandom, because I can’t find a non-invasive** way to give it a 
FIPSSecureRandom.

What are the thoughts here on my submitting a patch that 1) adds something like 
this to the SecurityProviderRegistrar interface:

default RandomFactory getRandomFactory() {
    return null;
}

And then 2) updates SecurityUtils.getRandomFactory() to check a system property 
org.apache.sshd.security.random_factory first, then check the registrars?

**We aren’t using MINA SSHD directly. We’re using it by way of its inclusion in 
BitBucket Server for SSHD access to repositories. So we can’t control how the 
SSHD code is used in order to e.g. call setRandomFactory. Our only areas of 
control are Java system properties and our 
BouncyCastleFIPSSecurityProviderRegistrar implementation.

Nick

> On Dec 14, 2020, at 7:00 AM, Alejandro Fabio Masino <amas...@atsec.com> wrote:
> 
> Hi,
> 
> I'm reviewing the source code of Apache MINA 2.0.21 and SSHD 2.5.1, in
> order to find out how Apache MINA uses Bouncy Castle for random numbers.
> 
> As far as I could see, Apache MINA SSHD verifies whether the BC provider
> is registered, and if so, it uses the needed crypto algorithms.
> 
> However, I don't see any reference to instantiate the DRBG. Instead,
> Apache Mina seems to initialize the randomFactory by using the
> VMPCRandomGenerator() method implemented in BC, instead of the DRBG
> implementations.
> 
> Is there any way to override this setting from the calling application,
> that is, using one of the SP800-90A DRBG methods implemented in Bouncy
> Castle for SSH key exchange?
> 
> Thanks,
> Alejandro
> 
> -- 
> Alejandro Masino
> atsec information security corporation
> http://www.atsec.com
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@mina.apache.org
> For additional commands, e-mail: users-h...@mina.apache.org
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@mina.apache.org
For additional commands, e-mail: users-h...@mina.apache.org

Reply via email to