src/java.base/share/conf/security/java.security
rev 13987 : 8051408: NIST SP 800-90A SecureRandom implementations
*** 118,144 ****
#
# Sun Provider SecureRandom seed source.
#
! # Select the primary source of seed data for the "SHA1PRNG" and
# "NativePRNG" SecureRandom implementations in the "Sun" provider.
# (Other SecureRandom implementations might also use this property.)
#
# On Unix-like systems (for example, Solaris/Linux/MacOS), the
! # "NativePRNG" and "SHA1PRNG" implementations obtains seed data from
# special device files such as file:/dev/random.
#
# On Windows systems, specifying the URLs "file:/dev/random" or
# "file:/dev/urandom" will enable the native Microsoft CryptoAPI seeding
! # mechanism for SHA1PRNG.
#
# By default, an attempt is made to use the entropy gathering device
# specified by the "securerandom.source" Security property. If an
# exception occurs while accessing the specified URL:
#
! # SHA1PRNG:
# the traditional system/thread activity algorithm will be used.
#
# NativePRNG:
# a default value of /dev/random will be used. If neither
# are available, the implementation will be disabled.
--- 118,144 ----
#
# Sun Provider SecureRandom seed source.
#
! # Select the primary source of seed data for the "DRBG", "SHA1PRNG" and
# "NativePRNG" SecureRandom implementations in the "Sun" provider.
# (Other SecureRandom implementations might also use this property.)
#
# On Unix-like systems (for example, Solaris/Linux/MacOS), the
! # "NativePRNG", "DRBG", and "SHA1PRNG" implementations obtains seed data from
# special device files such as file:/dev/random.
#
# On Windows systems, specifying the URLs "file:/dev/random" or
# "file:/dev/urandom" will enable the native Microsoft CryptoAPI seeding
! # mechanism for DRBG and SHA1PRNG.
#
# By default, an attempt is made to use the entropy gathering device
# specified by the "securerandom.source" Security property. If an
# exception occurs while accessing the specified URL:
#
! # DRBG and SHA1PRNG:
# the traditional system/thread activity algorithm will be used.
#
# NativePRNG:
# a default value of /dev/random will be used. If neither
# are available, the implementation will be disabled.
*** 152,162 ****
# Specifying this System property will override the
# "securerandom.source" Security property.
#
# In addition, if "file:/dev/random" or "file:/dev/urandom" is
# specified, the "NativePRNG" implementation will be more preferred than
! # SHA1PRNG in the Sun provider.
#
securerandom.source=file:/dev/random
#
# A list of known strong SecureRandom implementations.
--- 152,162 ----
# Specifying this System property will override the
# "securerandom.source" Security property.
#
# In addition, if "file:/dev/random" or "file:/dev/urandom" is
# specified, the "NativePRNG" implementation will be more preferred than
! # DRBG and SHA1PRNG in the Sun provider.
#
securerandom.source=file:/dev/random
#
# A list of known strong SecureRandom implementations.
*** 167,183 ****
#
# This is a comma-separated list of algorithm and/or algorithm:provider
# entries.
#
#ifdef windows
! securerandom.strongAlgorithms=Windows-PRNG:SunMSCAPI,SHA1PRNG:SUN
#endif
#ifndef windows
securerandom.strongAlgorithms=NativePRNGBlocking:SUN
#endif
#
# Class to instantiate as the javax.security.auth.login.Configuration
# provider.
#
login.configuration.provider=sun.security.provider.ConfigFile
--- 167,235 ----
#
# This is a comma-separated list of algorithm and/or algorithm:provider
# entries.
#
#ifdef windows
! securerandom.strongAlgorithms=Windows-PRNG:SunMSCAPI,DRBG:SUN
#endif
#ifndef windows
securerandom.strongAlgorithms=NativePRNGBlocking:SUN
#endif
#
+ # Sun provider DRBG configuration and default instantiation request.
+ #
+ # NIST SP 800-90Ar1 lists several DRBG mechanisms, each can be configured with
+ # a DRBG algorithm name, and can be instantiated with a security strength,
+ # prediction resistance support, etc. This property defines the configuration
+ # and the default instantiation request of "DRBG" SecureRandom implemented in
+ # the SUN provider. Applications can request different instantiation parameters
+ # like security strength/capability/personalization strings using
+ # the getInstance(...,SecureRandomInstantiateParameters,...) APIs, but
+ # other settings such as the mechanism and DRBG algorithm names are not
+ # configurable by any API.
+ #
+ # Please note that the SUN implementation of DRBG always supports reseeding.
+ #
+ # The value of this property is a slash-separated list of all configurable
+ # aspects. The aspects can appear in any order but the same aspect can only
+ # appear at most once. Its BNF-style definition is:
+ #
+ # Value:
+ # aspect { "," aspect }
+ #
+ # aspect:
+ # mech_name | algorithm_name | strength | capability | df
+ #
+ # mech_name: default "Hash_DRBG"
+ # "Hash_DRBG" | "HMAC_DRBG" | "CTR_DRBG"
+ #
+ # algorithm_name: For Hash_DRBG and HMAC_DRBG, default to "SHA-256".
+ # For CTR_DRBG, default to "AES-128" when using the limited
+ # cryptographic policy files, or "AES-256" for unlimited.
+ # Any supported MessageDigest or Cipher algorithm name as described
+ # in Section 10 of SP 800-90Ar1
+ #
+ # strength: default "128", or "112" if mech_name is CTR_DRBG
+ # and algorithm_name is "3 Key TDEA"
+ # "112" | "128" | "192" | "256"
+ #
+ # pr: default "none"
+ # "pr_and_reseed" | "reseed_only" | "none"
+ #
+ # df: default "use_df", only applicable to CTR_DRBG
+ # "use_df" | "no_df"
+ #
+ # Examples,
+ # drbg=Hash_DRBG,SHA-1,112,none
+ # drbg=CTR_DRBG,AES-256,256,pr_and_reseed,use_df
+ #
+ # The default value is an empty string, which is equivalent to
+ # drbg=Hash_DRBG,SHA-256,128,none
+ drbg=
+
+ #
# Class to instantiate as the javax.security.auth.login.Configuration
# provider.
#
login.configuration.provider=sun.security.provider.ConfigFile
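Review bot: The grammar added for the new `drbg` property (third hunk, new lines 167–235) is internally inconsistent: the prose says the value is a "slash-separated list", yet the BNF production `aspect { "," aspect }` and both examples use commas, and the `aspect` production lists `capability` while the corresponding definition below is headed `pr`. Since this text is the only specification an operator has for a security-relevant setting, the two should agree: `# The value of this property is a comma-separated list of all configurable` and either `# capability: default "none"` in place of `# pr: default "none"` or `capability` replaced by `pr` in the `aspect` line. The first hunk (new line 124) also has a subject/verb mismatch, `"NativePRNG", "DRBG", and "SHA1PRNG" implementations obtains` should read `obtain`. It may also be worth stating explicitly next to `drbg=` that the empty default means prediction resistance is off (`none`), since that is the operative consequence of leaving the property unset.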