Example 46 with KeyPairGenerator
use of java.security.KeyPairGenerator in project wycheproof by google.
the class DsaTest method testTiming.
/**
* This test checks for potential of a timing attack. The test generates a number of signatures,
* selects a fraction of them with a small timing and then compares the values k for the selected
* signatures with a normal distribution. The test fails if these ks are much smaller than
* expected. An implementation flaw that can lead to a test failure is to compute the signature
* with a modular exponentiation with a runtime that depend on the length of the exponent.
*
* <p>A failing test simply means that the timing can be used to get information about k. Further
* analysis is necessary to determine if the bias is exploitable and how many timings are
* necessary for an attack. A passing test does not mean that the implementation is secure against
* timing attacks. The test only catches relatively big timing differences. It requires high
* confidence to fail. Noise on the test machine can prevent that a relation between timing and k
* can be detected.
*
* <p>Claims of what is exploitable: http://www.hpl.hp.com/techreports/1999/HPL-1999-90.pdf 30
* signatures are sufficient to find the private key if the attacker knows 8 bits of each k.
* http://eprint.iacr.org/2004/277.pdf 27 signatures are sufficient if 8 bits of each k is known.
* Our own old experiments (using 1GB memory on a Pentium-4? CPU): 2^11 signatures are sufficient
* with a 3 bit leakage. 2^15 signatures are sufficient with a 2 bit leakage. 2^24 signatures are
* sufficient with a 1 bit leakage. Estimate for biased generation in the NIST standard: e.g. 2^22
* signatures, 2^40 memory, 2^64 time
*
* <p><b>Sample output for the SUN provider:</b> <code>
* count:50000 cutoff:4629300 relative average:0.9992225872624547 sigmas:0.3010906585642381
* count:25000 cutoff:733961 relative average:0.976146066585879 sigmas:6.532668708070148
* count:12500 cutoff:688305 relative average:0.9070352192339134 sigmas:18.00255238454385
* count:6251 cutoff:673971 relative average:0.7747148791368986 sigmas:30.850903417893825
* count:3125 cutoff:667045 relative average:0.5901994097874541 sigmas:39.67877152897901
* count:1563 cutoff:662088 relative average:0.4060286694971057 sigmas:40.67294313795137
* count:782 cutoff:657921 relative average:0.2577955312387898 sigmas:35.94906247333319
* count:391 cutoff:653608 relative average:0.1453438859272699 sigmas:29.271192100879457
* count:196 cutoff:649280 relative average:0.08035497211567771 sigmas:22.300206785132406
* count:98 cutoff:645122 relative average:0.05063589092661368 sigmas:16.27820353139225
* count:49 cutoff:641582 relative average:0.018255560447883384 sigmas:11.903018745467488
* count:25 cutoff:638235 relative average:0.009082660721102722 sigmas:8.581595888660086
* count:13 cutoff:633975 relative average:0.0067892346039088326 sigmas:6.20259924188633
* </code>
*
* <p><b>What this shows:</b> The first line uses all 50'000 signatures. The average k of these
* signatures is close to the expected value q/2. Being more selective gives us signatures with a
* more biased k. For example, the 196 signatures with the fastest timing have about a 3-bit bias.
* From this we expect that 2^19 signatures and timings are sufficient to find the private key.
*
* <p>A list of problems caught by this test:
* <ul>
* <li> CVE-2016-5548 OpenJDK8's DSA is vulnerable to timing attacks.
* <li> CVE-2016-1000341 BouncyCastle before v 1.56 is vulnernerable to timing attacks.
* </ul>
*/
@SlowTest(providers = { ProviderType.BOUNCY_CASTLE, ProviderType.OPENJDK, ProviderType.SPONGY_CASTLE })
@SuppressWarnings("InsecureCryptoUsage")
public void testTiming() throws Exception {
ThreadMXBean bean = ManagementFactory.getThreadMXBean();
if (!bean.isCurrentThreadCpuTimeSupported()) {
System.out.println("getCurrentThreadCpuTime is not supported. Skipping");
return;
}
String hashAlgorithm = "SHA-1";
String message = "Hello";
byte[] messageBytes = message.getBytes("UTF-8");
byte[] digest = MessageDigest.getInstance(hashAlgorithm).digest(messageBytes);
BigInteger h = new BigInteger(1, digest);
KeyPairGenerator generator = java.security.KeyPairGenerator.getInstance("DSA");
generator.initialize(1024);
KeyPair keyPair = generator.generateKeyPair();
DSAPrivateKey priv = (DSAPrivateKey) keyPair.getPrivate();
Signature signer = Signature.getInstance("SHA1WITHDSA");
signer.initSign(priv);
// The timings below are quite noisy. Thus we need a large number of samples.
int samples = 50000;
long[] timing = new long[samples];
BigInteger[] k = new BigInteger[samples];
for (int i = 0; i < samples; i++) {
long start = bean.getCurrentThreadCpuTime();
signer.update(messageBytes);
byte[] signature = signer.sign();
timing[i] = bean.getCurrentThreadCpuTime() - start;
k[i] = extractK(signature, h, priv, false);
}
long[] sorted = Arrays.copyOf(timing, timing.length);
Arrays.sort(sorted);
// Here we are only interested in roughly the 8 most significant bits of the ks.
// Hence, using double is sufficiently precise.
double q = priv.getParams().getQ().doubleValue();
double expectedAverage = q / 2;
double maxSigmas = 0;
System.out.println("testTiming: SHA1WITHDSA");
for (int idx = samples - 1; idx > 10; idx /= 2) {
long cutoff = sorted[idx];
int count = 0;
double total = 0;
for (int i = 0; i < samples; i++) {
if (timing[i] <= cutoff) {
total += k[i].doubleValue();
count += 1;
}
}
double expectedStdDev = q / Math.sqrt(12 * count);
double average = total / count;
// Number of standard deviations that the average is away from
// the expected value:
double sigmas = (expectedAverage - average) / expectedStdDev;
if (sigmas > maxSigmas) {
maxSigmas = sigmas;
}
System.out.println("count:" + count + " cutoff:" + cutoff + " relative average:" + (average / expectedAverage) + " sigmas:" + sigmas);
}
// than 10^{-10}.
if (maxSigmas >= 7) {
fail("Signatures with short timing have a biased k");
}
}
Also used :
ThreadMXBean(java.lang.management.ThreadMXBean)
KeyPair(java.security.KeyPair)
KeyPairGenerator(java.security.KeyPairGenerator)
Signature(java.security.Signature)
BigInteger(java.math.BigInteger)
DSAPrivateKey(java.security.interfaces.DSAPrivateKey)
SlowTest(com.google.security.wycheproof.WycheproofRunner.SlowTest)
Example 47 with KeyPairGenerator
use of java.security.KeyPairGenerator in project gitblit by gitblit.
the class X509Utils method newKeyPair.
/**
* Generate a new keypair.
*
* @return a keypair
* @throws Exception
*/
private static KeyPair newKeyPair() throws Exception {
KeyPairGenerator kpGen = KeyPairGenerator.getInstance(KEY_ALGORITHM, BC);
kpGen.initialize(KEY_LENGTH, new SecureRandom());
return kpGen.generateKeyPair();
}
Also used :
SecureRandom(java.security.SecureRandom)
KeyPairGenerator(java.security.KeyPairGenerator)
Example 48 with KeyPairGenerator
use of java.security.KeyPairGenerator in project error-prone by google.
the class InsecureCipherModePositiveCases method keyOperations.
public void keyOperations(StringProvider provider) {
KeyFactory keyFactory;
KeyAgreement keyAgreement;
KeyPairGenerator keyPairGenerator;
final String dh = "DH";
try {
// BUG: Diagnostic contains: compile-time constant
keyFactory = KeyFactory.getInstance(provider.get());
// BUG: Diagnostic contains: Diffie-Hellman on prime fields
keyFactory = KeyFactory.getInstance(dh);
// BUG: Diagnostic contains: DSA
keyAgreement = KeyAgreement.getInstance("DSA");
// BUG: Diagnostic contains: compile-time constant
keyAgreement = KeyAgreement.getInstance(provider.get());
// BUG: Diagnostic contains: Diffie-Hellman on prime fields
keyPairGenerator = KeyPairGenerator.getInstance(dh);
// BUG: Diagnostic contains: compile-time constant
keyPairGenerator = KeyPairGenerator.getInstance(provider.get());
} catch (NoSuchAlgorithmException e) {
// We don't handle any exception as this code is not meant to be executed.
}
}
Also used :
KeyPairGenerator(java.security.KeyPairGenerator)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
KeyAgreement(javax.crypto.KeyAgreement)
KeyFactory(java.security.KeyFactory)
Example 49 with KeyPairGenerator
use of java.security.KeyPairGenerator in project wycheproof by google.
the class EcKeyTest method testDefaultKeyGeneration.
/**
* Checks that the default key size for ECDSA is up to date.
* The test uses NIST SP 800-57 part1 revision 4, Table 2, page 53
* http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf
* for the minimal key size of EC keys.
* Nist recommends a minimal security strength of 112 bits for the time until 2030.
* To achieve this security strength EC keys of at least 224 bits are required.
*/
public void testDefaultKeyGeneration() throws Exception {
KeyPairGenerator keyGen = KeyPairGenerator.getInstance("EC");
KeyPair keyPair = keyGen.generateKeyPair();
ECPublicKey pub = (ECPublicKey) keyPair.getPublic();
int keySize = EcUtil.fieldSizeInBits(pub.getParams().getCurve());
if (keySize < 224) {
fail("Expected a default key size of at least 224 bits. Size of generate key is " + keySize);
}
}
Also used :
KeyPair(java.security.KeyPair)
ECPublicKey(java.security.interfaces.ECPublicKey)
KeyPairGenerator(java.security.KeyPairGenerator)
ECPoint(java.security.spec.ECPoint)
Example 50 with KeyPairGenerator
use of java.security.KeyPairGenerator in project wycheproof by google.
the class EcKeyTest method testEncodedPrivateKey.
public void testEncodedPrivateKey() throws Exception {
KeyPairGenerator keyGen = KeyPairGenerator.getInstance("EC");
keyGen.initialize(EcUtil.getNistP256Params());
KeyPair keyPair = keyGen.generateKeyPair();
ECPrivateKey priv = (ECPrivateKey) keyPair.getPrivate();
byte[] encoded = priv.getEncoded();
System.out.println("Encoded ECPrivateKey:" + TestUtil.bytesToHex(encoded));
PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(encoded);
KeyFactory kf = KeyFactory.getInstance("EC");
ECPrivateKey decoded = (ECPrivateKey) kf.generatePrivate(spec);
assertEquals(priv.getS(), decoded.getS());
assertEquals(priv.getParams().getCofactor(), decoded.getParams().getCofactor());
assertEquals(priv.getParams().getCurve(), decoded.getParams().getCurve());
assertEquals(priv.getParams().getGenerator(), decoded.getParams().getGenerator());
assertEquals(priv.getParams().getOrder(), decoded.getParams().getOrder());
}
Also used :
ECPrivateKey(java.security.interfaces.ECPrivateKey)
KeyPair(java.security.KeyPair)
PKCS8EncodedKeySpec(java.security.spec.PKCS8EncodedKeySpec)
KeyPairGenerator(java.security.KeyPairGenerator)
KeyFactory(java.security.KeyFactory)
Aggregations
KeyPairGenerator (java.security.KeyPairGenerator)197
KeyPair (java.security.KeyPair)145
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)43
SecureRandom (java.security.SecureRandom)39
PublicKey (java.security.PublicKey)27
PrivateKey (java.security.PrivateKey)26
X509Certificate (java.security.cert.X509Certificate)23
KeyFactory (java.security.KeyFactory)21
IOException (java.io.IOException)19
BigInteger (java.math.BigInteger)17
GeneralSecurityException (java.security.GeneralSecurityException)15
Signature (java.security.Signature)15
Date (java.util.Date)15
Cipher (javax.crypto.Cipher)15
KeyAgreement (javax.crypto.KeyAgreement)15
RSAPublicKey (java.security.interfaces.RSAPublicKey)14
X500Principal (javax.security.auth.x500.X500Principal)13
ECPrivateKey (java.security.interfaces.ECPrivateKey)12
ECPublicKey (java.security.interfaces.ECPublicKey)12
HashMap (java.util.HashMap)11
