Security Analysis of Java SecureRandom Library

Abstract

Java is one of the most used programming languages. Developers use java language in all of their projects, embedded systems or as a background service provider for different frontend applications. In today's world where security gains importance day by day, the reliability of security libraries of programming languages is also gaining importance. One of the common research area of computer security is random number generation. Most of the cryptographic applications require random numbers. Many different approaches exist for secure random number generation. However, most of them are academic for today. For this reason, it is more common to use libraries that are available in programming languages. In this study, a comprehensive analysis of Java SecureRandom library by means of security is presented. NIST 800-22 test suit is used for randomness tests.

Keywords

• SecureRandom
• Java Security
• NIST 800-22
• Randomness Tests

Java SecureRandom Kütüphanesi Güvenlik Analizi

Öz

Java en çok kullanılan programlama dillerinden biridir. Geliştiriciler java dilini projelerinin tamamında, gömülü sistemlerde veya farklı arayüz projeleri için servis katmanında kullanmaktadırlar. Güvenliğin her geçen gün önem kazandığı günümüzde, programlama dillerinin güvenliğinin bütünlüğü önem kazanmaktadır. Rasgele sayı üretimi, bilgisayar güvenliğinin en önemli araştırma alanlarından biridir. Bir çok kriptografik uygulama rasgele sayılara ihtiyaç duyar. Güvenli rasgele sayı üretimi konusunda bir çok çalışma yapılmıştır. Fakat bunların bir çoğu günümüz için akademik seviyede kalmaktadır. Bu sebeple programlama dillerinin içerisinde hazır bulunan kütüphanelerin kullanımı daha yaygındır. Bu çalışmada, Java SecureRandom kütüphanesinin güvenlik anlamında detaylı bir analizi sunulmuştur. Rassallık testleri için NIST 800-22 Rev1a test ortamı kullanılmıştır.

Anahtar Kelimeler

• SecureRandom
• Java Güvenlik
• NIST 800-22
• Rassallık Testleri

References

1. TIOBE 2021, TIOBE Index for January 2021, https://www.tiobe.com/tiobe-index/, Last accessed: Jan 17 2021.
2. Z. L. Feng, T. Hong, H. M. Huan, K. X. Hui and J. Qi (2011), "Checking Java Bugs by Data Propagation Analysis," 2011 First International Conference on Instrumentation, Measurement, Computer, Communication and Control, Beijing, 2011, pp. 861-864, doi: 10.1109/IMCCC.2011.217.
3. Salvador Martínez, Valerio Cosentino, Jordi Cabot (2017), Model-based analysis of Java EE web security misconfigurations, Computer Languages, Systems & Structures, Volume 49, 2017, Pages 36-61, ISSN 1477-8424, https://doi.org/10.1016/j.cl.2017.02.001.
4. Nathanael Paul, David Evans (2006), Comparing Java and .NET security: Lessons learned and missed, Computers & Security, Volume 25, Issue 5, 2006, Pages 338-350, ISSN 0167-4048, https://doi.org/10.1016/j.cose.2006.02.003.
5. Almut Herzog, Nahid Shahmehri (2005), Performance of the Java security manager, Computers & Security, Volume 24, Issue 3, 2005, Pages 192-207, ISSN 0167-4048, https://doi.org/10.1016/j.cose.2004.08.006.
6. Chamila Wijayarathna, Nalin Asanka Gamagedara Arachchilage (2019), Why Johnny can’t develop a secure application? A usability analysis of Java Secure Socket Extension API, Computers & Security, Volume 80, 2019, Pages 54-73, ISSN 0167-4048, https://doi.org/10.1016/j.cose.2018.09.007.
7. Saldamli G. and Koc C. K. (2009), Random Number Generators for Cryptographic Applications, in Cryptographic Engineering, Springer. Oracle JavaSE-8 (2021), Class SecureRandom, https://docs.oracle.com/javase/8/docs/api/java/security/SecureRandom.html, Last Accessed: Jan 17 2021.
8. Lawrence E. Bassham, Andrew L. Rukhin, Juan Soto, James R. Nechvatal, Miles E. Smid, Elaine B. Barker, Stefan D. Leigh, Mark Levenson, Mark Vangel, David L. Banks, Nathanael Alan Heckert, James F. Dray, and San Vo. (2010). SP 800-22 Rev. 1a. A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications. Technical Report. National Institute of Standards & Technology, Gaithersburg, MD, USA.

9. Robert G. Brown (2021), Robert G. Brown’s General Tools Page, https://webhome.phy.duke.edu/~rgb/General/dieharder.php, Last Accessed: Jan 17 2021.
10. John Walker (2008), A Pseudorandom Number Sequence Test Program, https://www.fourmilab.ch/random/, Last Accessed: Jan 17 2021.
11. L’ecuyer, P. and Simard, R. (2007). TestU01: A C library for empirical testing of random number gen-erators. ACM Trans. Math. Softw. 33, 4, Article 22 (August 2007), 40 pages. DOI=10.1145/1268776.1268777 http://doi.acm.org/10.1145/ 1268776.1268777
12. O. Katz, D. A. Ramon and I. A. Wagner, (2008), "A Robust Random Number Generator Based on a Differential Current-Mode Chaos," in IEEE Transactions on Very Large Scale Integration (VLSI) Systems, vol. 16, no. 12, pp. 1677-1686, Dec. 2008, doi: 10.1109/TVLSI.2008.2001731.
13. T. Stojanovski and L. Kocarev, "Chaos-based random number generators-part I: analysis [cryptography]," in IEEE Transactions on Circuits and Systems I: Fundamental Theory and Applications, vol. 48, no. 3, pp. 281-288, March 2001, doi: 10.1109/81.915385.
14. D. B. Thomas and W. Luk, "The LUT-SR Family of Uniform Random Number Generators for FPGA Architectures," in IEEE Transactions on Very Large Scale Integration (VLSI) Systems, vol. 21, no. 4, pp. 761-770, April 2013, doi: 10.1109/TVLSI.2012.2194171.
15. L. Akçay, E. Çil, A. Vardar, İ. Yaman, R. Yeniçeri and M. E. Yalçın, "Implementation of a chaotic time-delay RNG based secure communication system on FPGA," 2017 10th International Conference on Electrical and Electronics Engineering (ELECO), Bursa, 2017, pp. 1277-1280.
16. Ken Uchida, Tetsufumi Tanamoto, Shinobu Fujita, Single-electron random-number generator (RNG) for highly secure ubiquitous computing applications, Solid-State Electronics, Volume 51, Issues 11–12, 2007, Pages 1552-1557, ISSN 0038-1101, https://doi.org/10.1016/j.sse.2007.09.015.