Java Cryptography

innocentsickAI and Robotics

Nov 21, 2013 (3 years and 9 months ago)

77 views

1

Homework


Study Java Cryptography

by

Reading the rest of slides

and

accessing Sun

s Java website:
http://java.sun.com

2

Goals


Learn about JAVA Crypto Architecture


How to use JAVA Crypto API

s


Understand the JCE (Java Cryptography Extension)


Be able to use java crypto functions (meaningfully) in your
code


JAAS (Java Authentication and Authorization Service)


(Refer Java web site for JAAS details)


JSSE (Java Secure Socket Extension)


(Refer Java web site for JSSE details)

3

Introduction


JDK Security API


Core API for Java


Built around the java.security package


First release of JDK Security introduced "Java Cryptography Architecture" (JCA)


Framework for accessing and developing cryptographic functionality


JCA encompasses


Parts of JDK 1.2 Security API related to cryptography


Architecture that allows for multiple and interoperable cryptography implementations


The Java Cryptography Extension (JCE) extends JCA


Includes APIs for encryption, key exchange, and Message Authentication Code (MAC)

4

Java Cryptography Extension (JCE)


Adds encryption, key exchange, key generation, message
authentication code (MAC)


Multiple

providers


supported


Keys & certificates in

keystore


database


Separate due to export control

5

JCE Architecture

JCE:

Cipher

KeyAgreement

KeyGenerator

SecretKeyFactory

MAC

CSP 1

CSP 2

SPI

API

App 1

App 2

6

Design Principles


Implementation independence and interoperability


"provider


based architecture


Set of packages implementing cryptographic services


digital signature algorithms


Programs request a particular type of object


Various implementations working together, use each other's keys, or verify each other's
signatures



Algorithm independence and extensibility


Cryptographic classes providing the functionality


Classes are called
engine classes
, example Signature


Addition of new algorithms straight forward

7

Building Blocks


Key


Certificate


Keystore


Message Digest


Digital Signature


SecureRandom


Cipher


MAC

8

Engine Classes and SPI


Interface to specific type of cryptographic service


Defines API methods to access cryptographic service


Actual implementation specific to algorithms


For example : Signature engine class


Provides access to the functionality of a digital signature algorithm


Actual implementation supplied by specific algorithm subclass



"Service Provider Interface" (SPI)


Each engine class has a corresponding abstract SPI class


Defines the Service Provider Interface to be used by implementors



SPI class is abstract
-

To supply implementation, provider must subclass

9

JCA Implementation


SPI (Service Provider Interface)



say FooSpi


Engine


Foo


Algorithm


MyAlgorithm


Foo f = Foo.getInstance(MyAlgorithm);

10

General Usage


No need to call constructor directly


Define the algorithm reqd.


getInstance()


Initialize the keysize


init() or initialize()


Use the Object


generateKey() or doFinal()

11

java.security classes


Key


KeyPair


KeyPairGenerator


KeyFactory


Certificate


CertificateFactory


Keystore


MessageDigest


Signature


SignedObject


SecureRandom

12

Key


Types


SecretKey


PublicKey


PrivateKey


Methods


getAlgorthm()


getEncoded()


KeyPair= {PrivateKey, PublicKey}

13

KeyGenerator


Generates instances of key


Requires Algorithm


getInstance(algo)


Keylength, (random)


Initialize(param, random)


Generates required key/keypair

14

KeyFactory/SecretKeyFactory


Converts a KeySpec into Keys


KeySpec


Depends on the algorithm


Usually a byte[] (DES)


Could also be a set of numbers (DSA)


Required when the key is encoded and transferred across
the network

15

Certificate



Problem


Java.security.Certificate is an interface


Java.security.cert.Certificate is a class


Which one to use when you ask for a Certificate?


Import only the correct type


Avoid

import java.security.*




Use X509Certificate

16

KeyStore


Access to a physical keystore


Can import/export certificates


Can import keys from certificates


Certificate.getPublicKey()


Certificate.getPrivateKey()


Check for certificate validity


Check for authenticity

17

keytool


Reads/writes to a keystore


Unique alias for each certificate


Password Encrypted


Functionality


Import


Sign Request


Export NOTE: Default is DSA !

18

Signature


DSA, RSA


Obtain a Signature Object


getInstance(algo)


getInstance(algorithm,provider)

19

Signature (signing)


Initialize for signing


initSign(PrivateKey)


Give the data to be signed


update(byte [] input)
and variations


doFinal(byte [] input)
and variations


Sign


byte[] Signature.sign() NOTE: Signature does not contain the
actual signature

20

Signature (verifying)


Initialize for verifying


initVerify(PublicKey)


Give the data to be verifieded


update(byte [] input)
and variations


doFinal(byte [] input)
and variations


Verify


boolean Signature.verify()

21

SignedObject


Signs and encapsulates a signed object


Sign


SignedObject(Serializable, Signature)


Recover


Object getContent()


byte[] getSignature()


Verify


Verify(PublicKey, Signature) ! Need to initialize the instance of the
signature

22

javax.crypto classes


Cipher


Mac


KeyGenerator


SecretKeyFactory


SealedObject

23

Cipher


DES, DESede, RSA, Blowfish, IDEA




Obtain a Cipher Object


getInstance(algorithm/mode/padding)


or getInstance(algorithm)


or getInstance(algorithm, provider) eg

DES/ECB/NoPadding


or

RSA




Initialize


init(mode, key)


mode= ENCRYPT_MODE / DECRYPT_MODE

24

Cipher cont.


Encrypt/Decrypt


byte[] update(byte [] input)
and variations


byte[] doFinal(byte [] input)
and variations


Exceptions


NoSuchAlgorithmException


NoSuchPadding Exception


InvalidKeyException

25

SealedObject


Encrypts and encapsulates an encrypted object


Encrypt


SealedObject(Serializable, Cipher)


Recover


getObject(Cipher)


or getObject(key) Cipher mode should be different!!

26

Wrapper Class : Crypto.java


Adding a provider


public Crypto() {

java.security.Security.addProvider(new
cryptix.provider.Cryptix());}



27

Enrcyption using RSA

public synchronized byte[] encryptRSA(Serializable obj, PublicKey kPub)


throws KeyException, IOException {


try {



Cipher RSACipher = Cipher.getInstance("RSA");



return encrypt(RSACipher, obj, kPub);


} catch (NoSuchAlgorithmException e) {



System.exit(1);


}


return null; }

28

Decryption using RSA

public synchronized Object decryptRSA(byte[] msgE, PrivateKey kPriv)


throws KeyException, IOException


{


try {



Cipher RSACipher = Cipher.getInstance("RSA");



return decrypt(RSACipher, msgE, kPriv);


} catch (NoSuchAlgorithmException e) {



System.exit(1);


}


return null; }

29

Creating a signature


public synchronized byte[] sign(byte[] msg, PrivateKey kPriv)


throws SignatureException, KeyException, IOException


{


// Initialize the signature object for signing


debug("Initializing signature.");


try {



Signature RSASig = Signature.getInstance("SHA
-
1/RSA/PKCS#1");



debug("Using algorithm: " + RSASig.getAlgorithm());



RSASig.initSign(kPriv);



RSASig.update(msg);



return RSASig.sign();


} catch (NoSuchAlgorithmException e) {



System.exit(1);


}


return null; }

30

Verifying a signature

public synchronized boolean verify(byte[] msg, byte[] sig, PublicKey kPub)


throws SignatureException, KeyException


{


// Initialize the signature object for verifying


debug("Initializing signature.");


try {



Signature RSASig = Signature.getInstance("SHA
-
1/RSA/PKCS#1");



RSASig.initVerify(kPub);



RSASig.update(msg);



return RSASig.verify(sig);


} catch (NoSuchAlgorithmException e) {



System.exit(1);


}


return false; }