From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <java-prs-return-7040-listarch-java-prs=gcc.gnu.org@gcc.gnu.org>
Received: (qmail 7636 invoked by alias); 22 Oct 2005 00:52:21 -0000
Mailing-List: contact java-prs-help@gcc.gnu.org; run by ezmlm
Precedence: bulk
List-Subscribe: <mailto:java-prs-subscribe@gcc.gnu.org>
List-Archive: <http://gcc.gnu.org/ml/java-prs/>
List-Post: <mailto:java-prs@gcc.gnu.org>
List-Help: <mailto:java-prs-help@gcc.gnu.org>, <http://gcc.gnu.org/ml/#faqs>
Sender: java-prs-owner@gcc.gnu.org
Received: (qmail 7516 invoked by uid 48); 22 Oct 2005 00:52:21 -0000
Date: Sat, 22 Oct 2005 00:52:00 -0000
Subject: [Bug java/24481]  New: SecureRandom.setSeed has no impact
X-Bugzilla-Reason: CC
Message-ID: <bug-24481-11561@http.gcc.gnu.org/bugzilla/>
Reply-To: gcc-bugzilla@gcc.gnu.org
To: java-prs@gcc.gnu.org
From: "jrandom-gcc at i2p dot net" <gcc-bugzilla@gcc.gnu.org>
X-SW-Source: 2005-q4/txt/msg00182.txt.bz2
List-Id: <java-prs.sourceware.org>

java.security.SecureRandom in GCJ 4.0.2 has no impact, so SecureRandom always
uses the same weak seed.  This has obvious security issues, though they'd take
a targetted attack to mount (e.g. force a JVM restart so the SecureRandom
reverts to the default seed - "new java.util.Random(0l).nextBytes(new
byte[20])", per gnu.java.security.provider.SHA1PRNG.ensureIsSeeded()).

jrandom@betty ~/dev/i2p/native $ gcj -o seed --main=seed seed.java
jrandom@betty ~/dev/i2p/native $ ./seed
Byte difference in a seeded PRNG: 0
Seed data:
8bc7ec2ec7c4f87a13ec6120616ead831baeaf40dfd0804c534145ddbd12c580926578f8e0fea3b8b69287e26841a91cfca9a63fa95e453494f495ff14c82
jrandom@betty ~/dev/i2p/native $ cat seed.java
import java.security.SecureRandom;

public class seed {
  public static void main(String args[]) {
    SecureRandom r = new SecureRandom();
    byte unseededBuf[] = new byte[64];
    r.nextBytes(unseededBuf);

    r = new SecureRandom();
    byte seededBuf[] = new byte[64];
    r.setSeed(unseededBuf);
    r.nextBytes(seededBuf);

    int diffs = 0;
    for (int i = 0; i < 64; i++) {
      if (seededBuf[i] != unseededBuf[i])
        diffs++;
    }
    System.out.println("Byte difference in a seeded PRNG: " + diffs);
    System.out.print("Seed data: ");
    for (int i = 0; i < 64; i++)
      System.out.print(Integer.toHexString((int)(unseededBuf[i]&0xFF)));
    System.out.println();
  }
}

The secureRandom.getProvider().toString() returns
"gnu.java.security.provider.Gnu: name=GNU version=1.0", which in turn uses the
SHA1PRNG (in the 4.0.2 release, at least).  The odd part is that the provider
should be taking into account the seed - engineSetSeed *looks* right, and
java.security.SecureRandom.java's setSeed just calls the spi.engineSetSeed, so
I'm not sure whats going on here.

=jr


-- 
           Summary: SecureRandom.setSeed has no impact
           Product: gcc
           Version: 4.0.2
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: java
        AssignedTo: unassigned at gcc dot gnu dot org
        ReportedBy: jrandom-gcc at i2p dot net


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=24481