Skip to content

Commit c2b5d2b

Browse files
committed
Use "strong" SecureRandom for all long-lived generated keys
1 parent 30d5b45 commit c2b5d2b

14 files changed

Lines changed: 96 additions & 65 deletions

File tree

kse/src/main/java/org/kse/crypto/encryption/AES.java

Lines changed: 6 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -22,6 +22,7 @@
2222
import java.security.InvalidAlgorithmParameterException;
2323
import java.security.InvalidKeyException;
2424
import java.security.NoSuchAlgorithmException;
25+
import java.security.SecureRandom;
2526

2627
import javax.crypto.BadPaddingException;
2728
import javax.crypto.Cipher;
@@ -38,10 +39,13 @@
3839
/**
3940
* Simplify AES encryption and decryption by wrapping the JCE calls
4041
*/
41-
public class AES {
42+
public final class AES {
4243

4344
public static final int GCM_TAG_LEN = 128;
4445

46+
private AES() {
47+
}
48+
4549
/**
4650
* Encrypt with AES in CBC mode
4751
*
@@ -129,7 +133,7 @@ public static byte[] decryptAesGcm(byte[] encrData, byte[] iv, SecretKey aesKey)
129133
public static SecretKey generateKey(int keyLength) {
130134
try {
131135
KeyGenerator keyGen = KeyGenerator.getInstance("AES");
132-
keyGen.init(keyLength);
136+
keyGen.init(keyLength, SecureRandom.getInstanceStrong());
133137
return keyGen.generateKey();
134138
} catch (NoSuchAlgorithmException e) {
135139
throw new EncryptionException("AES algorithm not available", e);

kse/src/main/java/org/kse/crypto/keypair/KeyPairUtil.java

Lines changed: 8 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -55,6 +55,7 @@
5555
import java.security.spec.ECGenParameterSpec;
5656
import java.security.spec.ECParameterSpec;
5757
import java.security.spec.InvalidKeySpecException;
58+
import java.security.spec.NamedParameterSpec;
5859
import java.security.spec.RSAPrivateKeySpec;
5960
import java.security.spec.RSAPublicKeySpec;
6061
import java.security.spec.X509EncodedKeySpec;
@@ -74,6 +75,7 @@
7475
import org.kse.crypto.ecc.CurveSet;
7576
import org.kse.crypto.ecc.EccUtil;
7677
import org.kse.crypto.ecc.EdDSACurves;
78+
import org.kse.utilities.rng.StrongRNG;
7779

7880
/**
7981
* Provides utility methods relating to asymmetric key pairs.
@@ -111,11 +113,8 @@ public static KeyPair generateKeyPair(KeyPairType keyPairType, int keySize, Prov
111113
}
112114
}
113115

114-
// Create a SecureRandom
115-
SecureRandom rand = SecureRandom.getInstance("SHA1PRNG");
116-
117116
// Initialise key pair generator with key strength and randomness
118-
keyPairGen.initialize(keySize, rand);
117+
keyPairGen.initialize(keySize, StrongRNG.newInstance());
119118

120119
// Generate and return the key pair
121120
return keyPairGen.generateKeyPair();
@@ -140,16 +139,17 @@ public static KeyPair generateECKeyPair(String curveName, Provider provider) thr
140139

141140
if (EdDSACurves.ED25519.jce().equals(curveName) || EdDSACurves.ED448.jce().equals(curveName)) {
142141
keyPairGen = KeyPairGenerator.getInstance(curveName, KSE.BC);
142+
keyPairGen.initialize(new ECGenParameterSpec(curveName), StrongRNG.newInstance());
143143
} else if (CurveSet.ECGOST.getAllCurveNames().contains(curveName)) {
144144
KeyPairType keyPairType = KeyPairType.getGostTypeFromCurve(curveName);
145145
keyPairGen = KeyPairGenerator.getInstance(keyPairType.jce(), KSE.BC);
146-
keyPairGen.initialize(new ECGenParameterSpec(curveName), SecureRandom.getInstance("SHA1PRNG"));
146+
keyPairGen.initialize(new ECGenParameterSpec(curveName), StrongRNG.newInstance());
147147
} else if (provider != null) {
148148
keyPairGen = KeyPairGenerator.getInstance(KeyPairType.EC.jce(), provider);
149-
keyPairGen.initialize(new ECGenParameterSpec(curveName), SecureRandom.getInstance("SHA1PRNG"));
149+
keyPairGen.initialize(new ECGenParameterSpec(curveName), StrongRNG.newInstance());
150150
} else {
151151
keyPairGen = KeyPairGenerator.getInstance(KeyPairType.EC.jce(), KSE.BC);
152-
keyPairGen.initialize(new ECGenParameterSpec(curveName), SecureRandom.getInstance("SHA1PRNG"));
152+
keyPairGen.initialize(new ECGenParameterSpec(curveName), StrongRNG.newInstance());
153153
}
154154

155155
// Generate and return the key pair
@@ -179,6 +179,7 @@ public static KeyPair generateKeyPair(KeyPairType keyPairType, Provider provider
179179
} else {
180180
keyPairGen = KeyPairGenerator.getInstance(keyPairType.jce(), KSE.BC);
181181
}
182+
keyPairGen.initialize(new NamedParameterSpec(keyPairType.jce()), SecureRandom.getInstanceStrong());
182183

183184
return keyPairGen.generateKeyPair();
184185
} catch (GeneralSecurityException ex) {

kse/src/main/java/org/kse/crypto/privatekey/MsPvkUtil.java

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -46,8 +46,8 @@
4646
import org.kse.crypto.keypair.KeyPairType;
4747
import org.kse.crypto.keypair.KeyPairUtil;
4848
import org.kse.gui.passwordmanager.Password;
49-
import org.kse.utilities.PRNG;
5049
import org.kse.utilities.io.UnsignedUtil;
50+
import org.kse.utilities.rng.StrongRNG;
5151

5252
// @formatter:off
5353
/**
@@ -913,7 +913,7 @@ private static byte[] encryptPrivateKeyBlob(byte[] privateKeyBlob, byte[] rc4Key
913913
}
914914

915915
private static byte[] generate16ByteSalt() {
916-
return PRNG.generate(ENCRYPTED_SALT_LENGTH);
916+
return StrongRNG.generate(ENCRYPTED_SALT_LENGTH);
917917
}
918918

919919
private static byte[] getBufferBytes(ByteBuffer bb) {

kse/src/main/java/org/kse/crypto/privatekey/OpenSslPvkUtil.java

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -64,11 +64,11 @@
6464
import org.kse.crypto.keypair.KeyPairType;
6565
import org.kse.crypto.keypair.KeyPairUtil;
6666
import org.kse.gui.passwordmanager.Password;
67-
import org.kse.utilities.PRNG;
6867
import org.kse.utilities.pem.PemAttribute;
6968
import org.kse.utilities.pem.PemAttributes;
7069
import org.kse.utilities.pem.PemInfo;
7170
import org.kse.utilities.pem.PemUtil;
71+
import org.kse.utilities.rng.StrongRNG;
7272

7373
/**
7474
* Provides utility methods relating to OpenSSL (= PKCS#1 for RSA) encoded private keys.
@@ -537,7 +537,7 @@ handle EC structure first (RFC 5915)
537537
}
538538

539539
private static byte[] generateSalt(int size) {
540-
return PRNG.generate(size);
540+
return StrongRNG.generate(size);
541541
}
542542

543543
private static byte[] deriveKeyFromPassword(Password password, byte[] salt, int keySize) throws CryptoException {

kse/src/main/java/org/kse/crypto/secretkey/SecretKeyUtil.java

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -23,7 +23,6 @@
2323
import static org.kse.crypto.KeyType.SYMMETRIC;
2424

2525
import java.security.GeneralSecurityException;
26-
import java.security.SecureRandom;
2726
import java.text.MessageFormat;
2827
import java.util.ResourceBundle;
2928

@@ -33,8 +32,9 @@
3332
import org.kse.KSE;
3433
import org.kse.crypto.CryptoException;
3534
import org.kse.crypto.KeyInfo;
35+
import org.kse.utilities.rng.StrongRNG;
3636

37-
public class SecretKeyUtil {
37+
public final class SecretKeyUtil {
3838
private static ResourceBundle res = ResourceBundle.getBundle("org/kse/crypto/secretkey/resources");
3939

4040
private SecretKeyUtil() {
@@ -51,7 +51,7 @@ private SecretKeyUtil() {
5151
public static SecretKey generateSecretKey(SecretKeyType secretKeyType, int keySize) throws CryptoException {
5252
try {
5353
KeyGenerator keyGenerator = KeyGenerator.getInstance(secretKeyType.jce(), KSE.BC);
54-
keyGenerator.init(keySize, SecureRandom.getInstance("SHA1PRNG"));
54+
keyGenerator.init(keySize, StrongRNG.newInstance());
5555

5656
return keyGenerator.generateKey();
5757
} catch (GeneralSecurityException ex) {

kse/src/main/java/org/kse/crypto/signing/JarSigner.java

Lines changed: 2 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -28,7 +28,6 @@
2828
import java.nio.file.StandardCopyOption;
2929
import java.security.PrivateKey;
3030
import java.security.Provider;
31-
import java.security.SecureRandom;
3231
import java.security.cert.X509Certificate;
3332
import java.text.MessageFormat;
3433
import java.util.ArrayList;
@@ -74,6 +73,7 @@
7473
import org.kse.crypto.CryptoException;
7574
import org.kse.crypto.digest.DigestType;
7675
import org.kse.crypto.digest.DigestUtil;
76+
import org.kse.utilities.rng.StrongRNG;
7777

7878
/**
7979
* Class provides functionality to sign JAR files.
@@ -685,8 +685,7 @@ private static byte[] createSignatureBlock(byte[] toSign, PrivateKey privateKey,
685685
Collections.addAll(certList, certificateChain);
686686

687687
DigestCalculatorProvider digCalcProv = new JcaDigestCalculatorProviderBuilder().setProvider(KSE.BC).build();
688-
JcaContentSignerBuilder csb = new JcaContentSignerBuilder(signatureType.jce()).setSecureRandom(
689-
SecureRandom.getInstance("SHA1PRNG"));
688+
JcaContentSignerBuilder csb = new JcaContentSignerBuilder(signatureType.jce()).setSecureRandom(StrongRNG.newInstance());
690689
if (provider != null) {
691690
csb.setProvider(provider);
692691
}

kse/src/main/java/org/kse/gui/dialogs/DGeneratingDHParameters.java

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -29,7 +29,6 @@
2929
import java.math.BigInteger;
3030
import java.security.AlgorithmParameterGenerator;
3131
import java.security.AlgorithmParameters;
32-
import java.security.SecureRandom;
3332
import java.util.ResourceBundle;
3433

3534
import javax.crypto.spec.DHParameterSpec;
@@ -53,6 +52,7 @@
5352
import org.kse.gui.error.DError;
5453

5554
import net.miginfocom.swing.MigLayout;
55+
import org.kse.utilities.rng.StrongRNG;
5656

5757
/**
5858
* <h1>DH Parameters generation</h1> The class DGeneratingDHParameters initiates
@@ -192,7 +192,7 @@ private class GenerateDHParameters implements Runnable {
192192
public void run() {
193193
try {
194194
AlgorithmParameterGenerator algGen = AlgorithmParameterGenerator.getInstance("DH", KSE.BC);
195-
algGen.init(keySize, new SecureRandom());
195+
algGen.init(keySize, StrongRNG.newInstance());
196196
AlgorithmParameters dhParams = algGen.generateParameters();
197197
DHParameterSpec dhSpec = dhParams.getParameterSpec(DHParameterSpec.class);
198198

kse/src/main/java/org/kse/gui/password/PasswordDialogHelper.java

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -23,7 +23,7 @@
2323
import javax.swing.JPasswordField;
2424

2525
import org.kse.gui.preferences.PreferencesManager;
26-
import org.kse.utilities.PRNG;
26+
import org.kse.utilities.rng.PasswordGenerator;
2727

2828
public class PasswordDialogHelper {
2929
private PasswordDialogHelper() {
@@ -40,7 +40,7 @@ private PasswordDialogHelper() {
4040
*/
4141
public static void preFillPasswordFields(JComponent jpfFirst, JPasswordField jpfConfirm) {
4242
var generatorSettings = PreferencesManager.getPreferences().getPasswordGeneratorSettings();
43-
char[] generatedPassword = PRNG.generatePassword(generatorSettings);
43+
char[] generatedPassword = PasswordGenerator.generatePassword(generatorSettings);
4444
if (jpfFirst instanceof JPasswordQualityField) {
4545
((JPasswordQualityField) jpfFirst).setPassword(generatedPassword);
4646
} else {

kse/src/main/java/org/kse/gui/passwordmanager/PasswordManager.java

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -43,7 +43,7 @@
4343
import org.kse.gui.preferences.passwordmanager.EncryptedKeyStorePasswords;
4444
import org.kse.gui.preferences.passwordmanager.KeyDerivationSettings;
4545
import org.kse.gui.preferences.passwordmanager.KeyStoreEntryPassword;
46-
import org.kse.utilities.PRNG;
46+
import org.kse.utilities.rng.StrongRNG;
4747

4848
/**
4949
* This class is responsible for encrypting and decrypting keystore and keystore entry passwords, storing them and
@@ -292,14 +292,14 @@ public void save() {
292292
PasswordManagerSettings passwordManagerSettings = preferences.getPasswordManagerSettings();
293293
int parallelism = Runtime.getRuntime().availableProcessors() * 2; // Argon2 recommendation
294294
int keyLengthInBits = KEY_LENGTH_BITS;
295-
byte[] salt = PRNG.generate(SALT_LENGTH_BYTES);
295+
byte[] salt = StrongRNG.generate(SALT_LENGTH_BYTES);
296296
EncryptionAlgorithm encrAlgorithm = AES_GCM;
297297

298298
SecretKey kek = deriveKey(mainPassword, salt, parallelism, passwordManagerSettings, keyLengthInBits);
299299

300300
// generate new AES key for encryption of passwords
301301
SecretKey key = AES.generateKey(KEY_LENGTH_BITS);
302-
byte[] iv = PRNG.generate(encrAlgorithm == AES_GCM ? IV_LENGTH_GCM_BYTES : IV_LENGTH_CBC_BYTES);
302+
byte[] iv = StrongRNG.generate(encrAlgorithm == AES_GCM ? IV_LENGTH_GCM_BYTES : IV_LENGTH_CBC_BYTES);
303303
byte[] encryptedEncryptionKey = encryptKey(key, iv, kek, encrAlgorithm);
304304

305305
var keyDerivationSettings = new KeyDerivationSettings();
@@ -424,7 +424,7 @@ private EncryptedKeyStorePasswordData createEncryptedKeyStorePasswordData(KeySto
424424
SecretKey key,
425425
EncryptionAlgorithm encrAlgorithm) {
426426

427-
byte[] iv = PRNG.generate(encrAlgorithm == AES_GCM ? IV_LENGTH_GCM_BYTES : IV_LENGTH_CBC_BYTES);
427+
byte[] iv = StrongRNG.generate(encrAlgorithm == AES_GCM ? IV_LENGTH_GCM_BYTES : IV_LENGTH_CBC_BYTES);
428428
byte[] encryptedKeyStorePwd = encrAlgorithm == AES_GCM ?
429429
AES.encryptAesGcm(new String(pwdData.getKeyStorePassword()).getBytes(), iv, key) :
430430
AES.encryptAesCbc(new String(pwdData.getKeyStorePassword()).getBytes(), iv, key);
@@ -445,7 +445,7 @@ private EncryptedKeyStorePasswordData createEncryptedKeyStorePasswordData(KeySto
445445

446446
private KeyStoreEntryPassword createEncryptedEntryPwd(String alias, char[] password, SecretKey key,
447447
EncryptionAlgorithm encrAlgorithm) {
448-
byte[] iv = PRNG.generate(encrAlgorithm == AES_GCM ? IV_LENGTH_GCM_BYTES : IV_LENGTH_CBC_BYTES);
448+
byte[] iv = StrongRNG.generate(encrAlgorithm == AES_GCM ? IV_LENGTH_GCM_BYTES : IV_LENGTH_CBC_BYTES);
449449
byte[] encryptedEntryPwd = encrAlgorithm == AES_GCM ?
450450
AES.encryptAesGcm(new String(password).getBytes(), iv, key) :
451451
AES.encryptAesCbc(new String(password).getBytes(), iv, key);

kse/src/main/java/org/kse/gui/preferences/PanelPasswords.java

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -28,7 +28,7 @@
2828
import static org.kse.gui.util.FontAwesomeGlyph.LOCK_OPEN;
2929
import static org.kse.gui.util.KseColor.GREEN;
3030
import static org.kse.gui.util.KseColor.GREY;
31-
import static org.kse.utilities.PRNG.SPECIAL_CHARACTERS;
31+
import static org.kse.utilities.rng.PasswordGenerator.SPECIAL_CHARACTERS;
3232
import static org.kse.utilities.StringUtils.shortenString;
3333

3434
import java.awt.Color;
@@ -61,7 +61,7 @@
6161
import org.kse.gui.preferences.data.PasswordManagerSettings;
6262
import org.kse.gui.util.FontAwesomeIcon;
6363
import org.kse.gui.util.KseColor;
64-
import org.kse.utilities.PRNG;
64+
import org.kse.utilities.rng.PasswordGenerator;
6565

6666
import net.miginfocom.swing.MigLayout;
6767

@@ -282,7 +282,7 @@ private String createExamplePassword() {
282282
pwdGeneratorSettings.setIncludeDigits(jcbIncludeDigits.isSelected());
283283
pwdGeneratorSettings.setIncludeSpecialCharacters(jcbIncludeSpecialCharacters.isSelected());
284284
return format(res.getString("DPreferences.passwordGenerator.example.text"),
285-
new String(PRNG.generatePassword(pwdGeneratorSettings)));
285+
new String(PasswordGenerator.generatePassword(pwdGeneratorSettings)));
286286
}
287287

288288
private void unlockPasswordManager(PasswordManager passwordManager) {

0 commit comments

Comments
 (0)