JDK-8051408 : JEP 273: DRBG-Based SecureRandom Implementations
  • Type: JEP
  • Component: security-libs
  • Sub-Component: java.security
  • Priority: P2
  • Status: Closed
  • Resolution: Delivered
  • Fix Versions: 9
  • Submitted: 2013-05-28
  • Updated: 2019-11-28
  • Resolved: 2017-08-07
Sub Tasks
JDK-8137132 :  
JDK-8137133 :  
JDK-8141039 :  
JDK-8141040 :  
Description
Summary
-------

Implement the three Deterministic Random Bit Generator (DRBG) mechanisms
described in [NIST 800-90Ar1][90a].

[90a]: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf

Non-Goals
---------

Provide an API for the Source of Entropy Input (SEI), or implement an approved
SEI on all platforms, where "approved" means approved by NIST or FIPS.


Motivation
----------

The JDK has two kinds of `SecureRandom` implementations. One is
platform-dependent and based on native calls or OS devices: reading
`/dev/{u}random` on Unix, using the CryptoAPI on Windows, or using
various preconfigured PKCS11 libraries. The latest releases of
[Solaris][getentropy], [Linux][linux-drbg] and [Windows][windows-drbg]
already support DRBG, but older releases and embedded systems might
not. The other kind is a [pure Java implementation][sha1prng] based on
an older SHA1 RNG design, which is not as strong as the algorithms used
by the approved DRBG mechanisms.

The DRBG mechanisms developed and approved by NIST (as in SP 800-90Ar1)
use modern algorithms as strong as SHA-512 and AES-256. Each of these
mechanisms can be configured with different security strengths and
features to match user requirements. Support for these mechanisms is
becoming very important in some environments, especially for the
U.S. Government.


Description
-----------

According to NIST SP 800-90, a random bit generator (RBG, [800-90C][90c]) is
constructed with a source of entropy input ([800-90B][90b] and 800-90C) and a
DRBG mechanism (800-90Ar1). The source of entropy input provides fresh
randomness (entropy) as a seed to the DRBG mechanism, which is then able
to continuously generate "random" bit sequences.

### APIs

  - New methods for `SecureRandom` matching 800-90C, which allows
    configuration of a `SecureRandom` object and specifying
    additional input in the course of seeding, reseeding,
    and random-bit generation.

  - New methods in `SecureRandomSpi`, to implement the new methods above.

  - A new `SecureRandomParameters` interface so that additional input can be provided to the new `SecureRandom` methods.

These new APIs should be generalized enough for any `SecureRandom` flavors
(not just DRBG) and can be added to `SecureRandom` and `SecureRandomSpi`.

  - A new `DrbgParameters` class (and its inner classes) implementing `SecureRandomParameters` to be used by DRBG.
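The following is an added usage example of the API described above, written for this page and not taken from the JEP or the JDK sources. It runs on Java 9 or later, where `SecureRandom.getInstance(String, SecureRandomParameters)`, `DrbgParameters`, `nextBytes(byte[], SecureRandomParameters)`, `reseed(SecureRandomParameters)` and `getParameters()` exist. The personalization string, additional-input values and the class name `DrbgApiDemo` are constructed for illustration. The point a practitioner should take from it is the check in the middle: the caller reads the effective instantiation back with `getParameters()` and verifies strength and capability before relying on them, rather than assuming the request was honoured.

```java
import java.nio.charset.StandardCharsets;
import java.security.DrbgParameters;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.SecureRandomParameters;
import java.security.Security;

public class DrbgApiDemo {

    /** Constructed, non-secret personalization string: ties the DRBG instance to its purpose. */
    private static final byte[] PERSONALIZATION =
            "example-app/session-token-generator".getBytes(StandardCharsets.UTF_8);

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // The java.security property that selects mechanism, algorithm, default strength
        // and default capability when "DRBG" is requested without parameters.
        System.out.println("securerandom.drbg.config = "
                + Security.getProperty("securerandom.drbg.config"));

        // Ask for a DRBG at 256-bit security strength that supports reseeding and
        // prediction resistance, with our personalization string mixed into the seed.
        SecureRandom drbg = SecureRandom.getInstance("DRBG",
                DrbgParameters.instantiation(256,
                        DrbgParameters.Capability.PR_AND_RESEED, PERSONALIZATION));

        // Never assume the request was honoured: read the effective parameters back and check.
        DrbgParameters.Instantiation effective = effectiveInstantiation(drbg);
        requireAtLeast(effective, 256, true);
        System.out.println("effective: strength=" + effective.getStrength()
                + " capability=" + effective.getCapability());

        // Generate with per-call additional input (a constructed request identifier) and
        // request prediction resistance for this call, which reseeds before producing output.
        byte[] additionalInput = "request-0001".getBytes(StandardCharsets.UTF_8);
        byte[] token = generate(drbg, 32, additionalInput, true);
        System.out.println("token = " + toHex(token));

        // Explicit reseed with additional input; the DRBG pulls fresh entropy from its SEI.
        drbg.reseed(DrbgParameters.reseed(false,
                "periodic-reseed".getBytes(StandardCharsets.UTF_8)));
    }

    /** Returns the DRBG instantiation actually in effect, or fails if this is not a DRBG. */
    static DrbgParameters.Instantiation effectiveInstantiation(SecureRandom sr) {
        SecureRandomParameters p = sr.getParameters(); // may be null for non-DRBG algorithms
        if (!(p instanceof DrbgParameters.Instantiation)) {
            throw new IllegalStateException(
                    "not a DRBG-backed SecureRandom: " + sr.getAlgorithm());
        }
        return (DrbgParameters.Instantiation) p;
    }

    /** Fails fast if the effective strength or capability is below what the caller needs. */
    static void requireAtLeast(DrbgParameters.Instantiation eff,
                               int minStrength, boolean needPredictionResistance) {
        if (eff.getStrength() < minStrength) {
            throw new IllegalStateException("DRBG strength " + eff.getStrength()
                    + " below required " + minStrength);
        }
        if (needPredictionResistance
                && !eff.getCapability().supportsPredictionResistance()) {
            throw new IllegalStateException("DRBG does not support prediction resistance: "
                    + eff.getCapability());
        }
    }

    /** Generates n bytes, passing per-call additional input and the prediction-resistance flag. */
    static byte[] generate(SecureRandom drbg, int n, byte[] additionalInput,
                           boolean predictionResistance) {
        byte[] out = new byte[n];
        // Strength -1 means "use the instance's own strength". Requesting prediction
        // resistance from a DRBG that lacks the capability throws IllegalArgumentException,
        // which is why the capability is checked once, up front, in requireAtLeast().
        drbg.nextBytes(out, DrbgParameters.nextBytes(-1, predictionResistance, additionalInput));
        return out;
    }

    static String toHex(byte[] b) {
        StringBuilder sb = new StringBuilder(b.length * 2);
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }
}
```

Compile and run with `javac DrbgApiDemo.java && java DrbgApiDemo` on a JDK 9 or later. Additional input is not secret and does not need to be unpredictable; it is extra material folded into the state on each call, as 800-90Ar1 allows, and the personalization string serves the same role at instantiation. The security strength and capability that matter are the ones reported by `getParameters()`, which is why the example verifies them instead of trusting the values it passed in.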

### Implementation

  - Implement the three DRBG mechanisms (Hash_DRBG, HMAC_DRBG, CTR_DRBG)
    in 800-90Ar1 (on all platforms).

### By-products

  - SHA-512/224 and SHA-512/256 secure hash algorithms as described in
    [FIPS 180-4][180].

  - Related [HmacSHA512/224 and HmacSHA512/256 algorithms][198].

Testing
-------

  - The DRBG implementations must pass the [CAVP test vectors][drbg-test].

  - [SHA-512/224][sha-test-2] and [SHA-512/256][sha-test-1] test vectors.

  - An [informal test vector][hmac-test] for HmacSHA512/224 and
    HmacSHA512/256.


[90c]: http://csrc.nist.gov/publications/drafts/800-90/draft-sp800-90c.pdf
[90b]: http://csrc.nist.gov/publications/drafts/800-90/draft-sp800-90b.pdf
[cavp]: http://csrc.nist.gov/groups/STM/cavp/index.html#05
[drbg-test]: http://csrc.nist.gov/groups/STM/cavp/documents/drbg/drbgtestvectors.zip
[getentropy]: https://blogs.oracle.com/darren/en_GB/entry/solaris_new_system_calls_getentropy
[180]: http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf
[198]: http://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf
[sha-test-1]: http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/SHA512_256.pdf
[sha-test-2]: http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/SHA512_224.pdf
[hmac-test]: https://groups.google.com/d/msg/sci.crypt/OolWgsgQD-8/IUR2KhCcfEkJ
[sha1prng]: http://hg.openjdk.java.net/jdk9/dev/jdk/file/f08705540498/src/java.base/share/classes/sun/security/provider/SecureRandom.java
[linux-drbg]: http://www.chronox.de/drbg.html
[windows-drbg]: https://msdn.microsoft.com/en-us/library/windows/desktop/aa379942%28v=vs.85%29.aspx

Comments
Changesets pushed: http://hg.openjdk.java.net/jdk9/dev/jdk/rev/2d42c4cfd5ac http://closedjdk.us.oracle.com/jdk9/dev/jdk/test/closed/rev/5fd82f64510c
06-05-2016