Random Number Generation (CSPRNG) in Red Hat Build of Keycloak on Windows
Environment
- Red Hat Build of Keycloak (RHBK)
- 26.x
Issue
- Random Number Generation (CSPRNG) in Red Hat Build of Keycloak on Windows?
- How does Red Hat build of Keycloak on the Windows operating system make use of a CSPRNG?
Resolution
The Red Hat Build of Keycloak (RHBK) does not include its own Cryptographically Secure Pseudorandom Number Generator (CSPRNG) library. Instead, it relies on the Java Virtual Machine (JVM) and the underlying operating system's cryptographic APIs for secure random number generation.
On Windows, RHBK uses Java’s SecureRandom, which delegates CSPRNG operations to the Microsoft CryptoAPI through the JVM’s Windows-PRNG provider. This ensures compliance with cryptographic security standards required for identity and access management workflows.
Root Cause
Since RHBK does not ship with a dedicated CSPRNG library, it depends on the host OS’s cryptographic services.
On Windows:
- The JVM’s default SecureRandom implementation (Windows-PRNG) maps to the Microsoft CryptoAPI.
- The actual CSPRNG operations are performed by Windows' native cryptographic functions.
- RHBK accesses this through the JDK’s sun.security.mscapi package, which interfaces with the Windows cryptographic subsystem.
For deeper technical details on Microsoft’s CryptoAPI, users should consult Microsoft’s official documentation or support channels.
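To confirm on a given host which generator the JVM selects, the following added diagnostic (not Red Hat or Keycloak code) prints the default and strong SecureRandom algorithm and provider, lists every registered SecureRandom service, and requests Windows-PRNG from SunMSCAPI explicitly. The class name SecureRandomCheck is an assumption; run it with the same JDK that starts RHBK.

```java
import java.security.GeneralSecurityException;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;

// Added diagnostic, not Red Hat or Keycloak code. Class name is hypothetical.
public class SecureRandomCheck {

    // Describe a SecureRandom instance as "algorithm from provider".
    static String describe(SecureRandom sr) {
        return sr.getAlgorithm() + " from " + sr.getProvider().getName();
    }

    public static void main(String[] args) {
        System.out.println("os.name      : " + System.getProperty("os.name"));
        System.out.println("java.version : " + System.getProperty("java.version"));

        // What a plain `new SecureRandom()` resolves to on this JVM.
        System.out.println("default      : " + describe(new SecureRandom()));

        // Preference list consulted by SecureRandom.getInstanceStrong().
        System.out.println("strongAlgorithms property: "
                + Security.getProperty("securerandom.strongAlgorithms"));
        try {
            System.out.println("strong       : " + describe(SecureRandom.getInstanceStrong()));
        } catch (GeneralSecurityException e) {
            System.out.println("strong       : unavailable (" + e.getMessage() + ")");
        }

        // Every SecureRandom service registered, in provider preference order.
        for (Provider p : Security.getProviders()) {
            for (Provider.Service s : p.getServices()) {
                if ("SecureRandom".equals(s.getType())) {
                    System.out.println("registered   : " + s.getAlgorithm() + " from " + p.getName());
                }
            }
        }

        // Explicitly request the CryptoAPI-backed generator named in this article.
        try {
            SecureRandom win = SecureRandom.getInstance("Windows-PRNG", "SunMSCAPI");
            win.nextBytes(new byte[16]); // forces a real call into the native generator
            System.out.println("Windows-PRNG : available, " + describe(win));
        } catch (GeneralSecurityException e) {
            // Expected on non-Windows hosts, or if the jdk.crypto.mscapi module is absent.
            System.out.println("Windows-PRNG : not available (" + e.getMessage() + ")");
        }
    }
}
```

On Java 11 or later it can be run directly as `java SecureRandomCheck.java`.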
External Resources
Disclaimer: Links contained herein to external website(s) are provided for convenience only. Red Hat has not reviewed the links and is not responsible for the content or its availability. The inclusion of any link to an external website does not imply endorsement by Red Hat of the website or their entities, products or services. You agree that Red Hat is not responsible or liable for any loss or expenses that may result due to your use of (or reliance on) the external site or content.
Java SecureRandom Implementation
Windows-PRNG Provider in OpenJDK
Native Implementation of MSCAPI in OpenJDK
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.