Homework Study Java Cryptography by Reading the rest of slides and accessing Sun

1
HomeworkStudy Java CryptographybyReading the
rest of slidesand accessing Suns Java website
http//java.sun.com
2
Goals

• Learn about JAVA Crypto Architecture
• How to use JAVA Crypto APIs
• Understand the JCE (Java Cryptography Extension)
• Be able to use java crypto functions
  (meaningfully) in your code
• JAAS (Java Authentication and Authorization
  Service)
• (Refer Java web site for JAAS details)
• JSSE (Java Secure Socket Extension)
• (Refer Java web site for JSSE details)

3
Introduction

• JDK Security API
• Core API for Java
• Built around the java.security package
• First release of JDK Security introduced "Java
  Cryptography Architecture" (JCA)
• Framework for accessing and developing
  cryptographic functionality
• JCA encompasses
• Parts of JDK 1.2 Security API related to
  cryptography
• Architecture that allows for multiple and
  interoperable cryptography implementations
• The Java Cryptography Extension (JCE) extends JCA
  
• Includes APIs for encryption, key exchange, and
  Message Authentication Code (MAC)

4
Java Cryptography Extension (JCE)

• Adds encryption, key exchange, key generation,
  message authentication code (MAC)
• Multiple providers supported
• Keys certificates in keystore database
• Separate due to export control

5
JCE Architecture
App 1
App 2
API
JCE Cipher KeyAgreement KeyGenerator SecretKeyFac
tory MAC
SPI
CSP 2
CSP 1
6
Design Principles

• Implementation independence and interoperability
• "provider based architecture
• Set of packages implementing cryptographic
  services
• digital signature algorithms
• Programs request a particular type of object
• Various implementations working together, use
  each other's keys, or verify each other's
  signatures
• Algorithm independence and extensibility
• Cryptographic classes providing the functionality
• Classes are called engine classes, example
  Signature
• Addition of new algorithms straight forward

7
Building Blocks

• Key
• Certificate
• Keystore
• Message Digest
• Digital Signature
• SecureRandom
• Cipher
• MAC

8
Engine Classes and SPI

• Interface to specific type of cryptographic
  service
• Defines API methods to access cryptographic
  service
• Actual implementation specific to algorithms
• For example Signature engine class
• Provides access to the functionality of a digital
  signature algorithm
• Actual implementation supplied by specific
  algorithm subclass
• "Service Provider Interface" (SPI)
• Each engine class has a corresponding abstract
  SPI class
• Defines the Service Provider Interface to be used
  by implementors
• SPI class is abstract - To supply implementation,
  provider must subclass

9
JCA Implementation

• SPI (Service Provider Interface)
• say FooSpi
• Engine
• Foo
• Algorithm
• MyAlgorithm
• Foo f Foo.getInstance(MyAlgorithm)

10
General Usage

• No need to call constructor directly
• Define the algorithm reqd.
• getInstance()
• Initialize the keysize
• init() or initialize()
• Use the Object
• generateKey() or doFinal()

11
java.security classes

• Key
• KeyPair
• KeyPairGenerator
• KeyFactory
• Certificate
• CertificateFactory
• Keystore
• MessageDigest
• Signature
• SignedObject
• SecureRandom

12
Key

• Types
• SecretKey
• PublicKey
• PrivateKey
• Methods
• getAlgorthm()
• getEncoded()
• KeyPair PrivateKey, PublicKey

13
KeyGenerator

• Generates instances of key
• Requires Algorithm
• getInstance(algo)
• Keylength, (random)
• Initialize(param, random)
• Generates required key/keypair

14
KeyFactory/SecretKeyFactory

• Converts a KeySpec into Keys
• KeySpec
• Depends on the algorithm
• Usually a byte (DES)
• Could also be a set of numbers (DSA)
• Required when the key is encoded and transferred
  across the network

15
Certificate

• Problem
• Java.security.Certificate is an interface
• Java.security.cert.Certificate is a class
• Which one to use when you ask for a Certificate?
• Import only the correct type
• Avoid import java.security.
• Use X509Certificate

16
KeyStore

• Access to a physical keystore
• Can import/export certificates
• Can import keys from certificates
• Certificate.getPublicKey()
• Certificate.getPrivateKey()
• Check for certificate validity
• Check for authenticity

17
keytool

• Reads/writes to a keystore
• Unique alias for each certificate
• Password Encrypted
• Functionality
• Import
• Sign Request
• Export NOTE Default is DSA !

18
Signature

• DSA, RSA
• Obtain a Signature Object
• getInstance(algo)
• getInstance(algorithm,provider)

19
Signature (signing)

• Initialize for signing
• initSign(PrivateKey)
• Give the data to be signed
• update(byte input) and variations
• doFinal(byte input) and variations
• Sign
• byte Signature.sign() NOTE Signature does not
  contain the actual signature

20
Signature (verifying)

• Initialize for verifying
• initVerify(PublicKey)
• Give the data to be verifieded
• update(byte input) and variations
• doFinal(byte input) and variations
• Verify
• boolean Signature.verify()

21
SignedObject

• Signs and encapsulates a signed object
• Sign
• SignedObject(Serializable, Signature)
• Recover
• Object getContent()
• byte getSignature()
• Verify
• Verify(PublicKey, Signature) ! Need to initialize
  the instance of the signature

22
javax.crypto classes

• Cipher
• Mac
• KeyGenerator
• SecretKeyFactory
• SealedObject

23
Cipher

• DES, DESede, RSA, Blowfish, IDEA
• Obtain a Cipher Object
• getInstance(algorithm/mode/padding)
• or getInstance(algorithm)
• or getInstance(algorithm, provider) eg
  DES/ECB/NoPadding or RSA
• Initialize
• init(mode, key)
• mode ENCRYPT_MODE / DECRYPT_MODE

24
Cipher cont.

• Encrypt/Decrypt
• byte update(byte input) and variations
• byte doFinal(byte input) and variations
• Exceptions
• NoSuchAlgorithmException
• NoSuchPadding Exception
• InvalidKeyException

25
SealedObject

• Encrypts and encapsulates an encrypted object
• Encrypt
• SealedObject(Serializable, Cipher)
• Recover
• getObject(Cipher)
• or getObject(key) Cipher mode should be
  different!!

26
Wrapper Class Crypto.java

• Adding a provider
• public Crypto() java.security.Security.addProvid
  er(new cryptix.provider.Cryptix())

27
Enrcyption using RSA

• public synchronized byte encryptRSA(Serializabl
  e obj, PublicKey kPub)
• throws KeyException, IOException
• try
• Cipher RSACipher Cipher.getInstance("RSA")
  
• return encrypt(RSACipher, obj, kPub)
• catch (NoSuchAlgorithmException e)
• System.exit(1)
• return null

28
Decryption using RSA

• public synchronized Object decryptRSA(byte
  msgE, PrivateKey kPriv)
• throws KeyException, IOException
• try
• Cipher RSACipher Cipher.getInstance("RSA")
  
• return decrypt(RSACipher, msgE, kPriv)
• catch (NoSuchAlgorithmException e)
• System.exit(1)
• return null

29
Creating a signature

• public synchronized byte sign(byte msg,
  PrivateKey kPriv)
• throws SignatureException, KeyException,
  IOException
• // Initialize the signature object for signing
• debug("Initializing signature.")
• try
• Signature RSASig Signature.getInstance("SHA
  -1/RSA/PKCS1")
• debug("Using algorithm "
  RSASig.getAlgorithm())
• RSASig.initSign(kPriv)
• RSASig.update(msg)
• return RSASig.sign()
• catch (NoSuchAlgorithmException e)
• System.exit(1)
• return null

30
Verifying a signature

• public synchronized boolean verify(byte msg,
  byte sig, PublicKey kPub)
• throws SignatureException, KeyException
• // Initialize the signature object for verifying
• debug("Initializing signature.")
• try
• Signature RSASig Signature.getInstance("SHA
  -1/RSA/PKCS1")
• RSASig.initVerify(kPub)
• RSASig.update(msg)
• return RSASig.verify(sig)
• catch (NoSuchAlgorithmException e)
• System.exit(1)
• return false