Custom Random number generator

DidiSoft OpenPGP Library for Java uses by default an instance of java.security.SecureRandom when encrypting pgp messages and constructing the random session key and when creating new OpenPGP keys.

Due to historical reasons, there was a bug in the JVM default random number generator implementation on some variations of the Linux platform and in order to address it, we were using a workaround that was based on SecureRandom.getInstance(“SHA1PRNG”).

This is no longer the case but the JDK is evolving and as of JDK version 1.8 and above there is a new method SecureRandom.getInstanceStrong(). In order to allow flexibility and customization of the random number source used by the library classes (which is a key component in cryptography) as of version 3.1.2.6 there is a mechanism to plug your own random number source that will affect all subsequent cryptography operations performed by the library.

Plugin your own random number source

A simple interface has been added that returns an instance of java.security.SecureRandom:

1
2
3
4
5
6
7
package com.didisoft.pgp;
 
import java.security.SecureRandom;
 
public interface SecureRandomSource {
	public SecureRandom getSecureRandom();
}

As noted above our current default implementation relies on the default instance of java.security.SecureRandom. If you decide that you need another implementation then you have to create a class that implements the interface and pass an instance to the method setRandomSource of the service class com.didisoft.pgp.bc.IOUtil before using any other methods of the library (usually this shall be done in the initialization part of your application):

Example

Let’s suppose that we want to utilize a random number source available from SecureRandom.getInstanceStrong() (available in JDK 1.8 and above only). In that case, we have to implement SecureRandomSource :

1
2
3
4
5
6
7
8
9
import java.security.SecureRandom;
import java.security.SecureRandom;
import com.didisoft.pgp.SecureRandomSource;
 
public class MyStrongSecureRandomSource implements SecureRandomSource {
 public SecureRandom getSecureRandom() {
	return SecureRandom.getInstanceStrong();	
 }
}

At our application initialization code we have to invoke:

1
com.didisoft.pgp.bc.IOUtil.setRandomSource(new MyStrongSecureRandomSource());

From then on the library classes will utilize the SecureRandom provided by MyStrongSecureRandomSource.