com.entrust.toolkit.security.crypto.random

Class FIPS140_2Compliant

java.lang.Object

java.security.SecureRandomSpi

com.entrust.toolkit.security.crypto.random.FIPS140_2Compliant

All Implemented Interfaces:

java.io.Serializable

Direct Known Subclasses:

DRBGusingSHA512, FIPS186_2usingSHA1, X9_31

public abstract class FIPS140_2Compliant
extends java.security.SecureRandomSpi

Defines Entrust's FIPS 140-2 compliant pseudo-random number generator (PRNG) architecture; it contains all the common functionality used by Entrust's FIPS 140-2 compliant PRNG algorithms.

FIPS 140-2 requires that a continuous random number generator test. If a cryptographic module employs Approved or non-Approved RNGs in an Approved mode of operation, the module shall perform the following continuous random number generator test on each RNG that tests for failure to a constant value.

1. If each call to a RNG produces blocks of n bits (where n > 15), the first n-bit block generated after power-up, initialization, or reset shall not be used, but shall be saved for comparison with the next n-bit block to be generated. Each subsequent generation of an n-bit block shall be compared with the previously generated block. The test shall fail if any two compared n-bit blocks are equal.
2. If each call to a RNG produces fewer than 16 bits, the first n bits generated after power-up, initialization, or reset (for some n > 15) shall not be used, but shall be saved for comparison with the next n generated bits. Each subsequent generation of n bits shall be compared with the previously generated n bits. The test fails if any two compared n-bit sequences are equal.

This class only can only be used with RSGs that produce blocks of n bits where n must be greater than 15.

An FIPS 140-2 compliant PRNG algorithm instance of a algorithm can be obtained using the Java Cryptography Architecture (JCA), by requesting the '<algorithm>' PRNG from the Entrust cryptographic service provider. This can be done using the following call:

SecureRandom.getInstance("<algorithm>", "Entrust");

FIPS 140-2:

This class is part of the Toolkit's FIPS 140-2 cryptographic module and contains APIs that are considered part of the logical interface to the Toolkit's FIPS 140-2 cryptographic module; refer to the API documentation for further details

Since:

7.0

See Also:

FIPS 140-2, Serialized Form

Method Summary

Methods

Modifier and Type	Method and Description
protected byte[]	engineGenerateSeed(int numBytes) Returns the given number of seed bytes.
protected void	engineNextBytes(byte[] bytes) Generates a user-specified number of random bytes.
protected abstract void	engineSetSeed(byte[] seed) Reseeds this random object.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Detail

engineNextBytes

protected final void engineNextBytes(byte[] bytes)
                              throws java.lang.SecurityException

Generates a user-specified number of random bytes.

For every block of data that is generated, the FIPS 140-2 Continuous random number generator test is run.

FIPS 140-2:

FIPS Service: Random Number Generation

This API is part of the logical interface to the Toolkit's FIPS 140-2 cryptographic module; use of this API causes the caller to assume the FIPS 140-2 user role and accesses the following FIPS 140-2 logical interfaces:

• control input interface (API call)
• data output interface (parameters)
• status output interface (exceptions)

Specified by:

engineNextBytes in class java.security.SecureRandomSpi

Parameters:

bytes - [FIPS 140-2 data output] the array to be filled in with random bytes

Throws:

Fips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not allowed to perform cryptographic operations

java.lang.SecurityException

engineGenerateSeed

protected final byte[] engineGenerateSeed(int numBytes)

Returns the given number of seed bytes.

Generates a cryptographically strong seed of the specified length.This call may be used to seed other random number generators.

FIPS 140-2:

FIPS Service: Random Number Generation

This API is part of the logical interface to the Toolkit's FIPS 140-2 cryptographic module; use of this API causes the caller to assume the FIPS 140-2 user role and accesses the following FIPS 140-2 logical interfaces:

• control input interface (API call)
• data input interface (parameters)
• data output interface (return value)
• status output interface (exceptions)

Specified by:

engineGenerateSeed in class java.security.SecureRandomSpi

Parameters:

numBytes - [FIPS 140-2 data input] the number of seed bytes to generate

Returns:

[FIPS 140-2 data output] [FIPS 140-2 CSP] the seed bytes

Throws:

Fips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not allowed to perform cryptographic operations

engineSetSeed

protected abstract void engineSetSeed(byte[] seed)

Reseeds this random object.

The given seed supplements, rather than replaces, the existing seed. Thus, repeated calls are guaranteed never to reduce randomness.

This implementation DOES NOT allow the caller to set the initial seed, even when the caller follows the call to SecureRandom.getInstance() method with a call to the setSeed() method. This ensures that it is impossible to have an initial seed that is not cryptographically strong.

The seed that is passed in is not used directly; instead the seed is hashed before prior to use. The hashing is done because the entropy of the provided seed may not be spread evenly through all of the seed bits (no way to guarantee a cryptographically strong seed will be passed in the API). By passing the seed through a hash (message digest) algorithm, the entropy is spread (more or less) evenly through all of the bits.

Once the provided seed has been hashed, the result is used to supplement (not replace) the existing internal seed data. Following this call, the seed passed is NOT automatically wiped from memory; this SHOULD be done manually. All internal temporary data used is in this call is also automatically wiped following usage.

FIPS 140-2:

FIPS Service: Modify Object

This API is part of the logical interface to the Toolkit's FIPS 140-2 cryptographic module; use of this API causes the caller to assume the FIPS 140-2 user role and accesses the following FIPS 140-2 logical interfaces:

• control input interface (API call)
• data input interface (parameters)
• status output interface (exceptions)

Specified by:

engineSetSeed in class java.security.SecureRandomSpi

Parameters:

seed - [FIPS 140-2 data input] [FIPS 140-2 CSP] the seed.

Throws:

Fips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not allowed to perform cryptographic operations