Bouncy Castle - PowerPoint PPT Presentation

Title: Bouncy Castle


1
Bouncy Castle
  • ITD 3523 Computer Security
  • Presented by
  • Kyle Frye, Donald McCullough, Justin Mead, Daniel
    Polczynski, Jimmy Scruggs

2
Bouncy Castle
3
Bouncy Castle
  • The Bouncy Castle Crypto package is an open
    source Java implementation of cryptographic
    algorithms.
  • Bouncy Castle is licensed under the MIT X
    Consortium license.

4
Bouncy Castle
  • Developed by the Legion of the Bouncy Castle
  • Open source Java implementation freely
    distributed for both commercial and
    non-commercial use
  • Platform independent, light-weight API

5
Bouncy Castle
  • Only complete cryptography package that runs on
    MIDP
  • Lack of documentation is a problem with Bouncy
    Castle
  • Hard for beginners to decipher the relationship
    between classes and correct types for methods
    arguments and return values
  • Cryptography was never meant to be easy to
    understand or straightforward

6
Bouncy Castle
  • Bouncy Castle was developed in Australia,
    therefore it is not bound by laws restricting
    exports on encryption technology
  • Bouncy Castle can be used as the Provider, part
    of the JAVA Cryptography Extension (JCE)
  • The JCE is part of the JAVA Cryptography
    Architecture (JCA), which has its own built-in
    restrictions that are approved for export
  • Sun introduced the use of policy files, which
    allowed the use of algorithms and key sizes to be
    restricted, and also introduced the idea of signed
    providers (Wiley)

7
Capabilities
  • Encrypting messages between two MIDP (Mobile
    Information Device Profile) devices is possible
    using Bouncy Castle
  • MIDlet suites are only about 50KB and a
    lightweight Bouncy Castle package is around 350KB;
    obfuscators are used to reduce the size of the
    MIDlet suite and to rename some of the Bouncy
    Castle classes
  • MIDlet suites are used mainly for wireless and
    mobile devices
  • Developers must be careful when using Bouncy
    Castle for MIDP devices; it is easy to implement
    application security poorly

8
Capabilities
  • Bouncy Castle has the ability to play along with
    PGP (Pretty Good Privacy)
  • Must have at least one public key ring file on
    your system
  • Create what is known as an RSA key and not a DSA
    keypair
  • With these items you will be able to use PGP and
    Bouncy Castle encryption together

9
Implementations
  • Bouncy Castle is simple to install on existing
    JAVA installations
  • Download the Provider package from
    http://www.bouncycastle.org/latest_releases.html
  • Copy this file into the jre\lib\ext directory
  • Edit the JAVA Security File that is located in
    the jre\lib\security directory
  • Once the Bouncy Castle provider package is
    installed, its functionality is used indirectly by
    calling a JCE class

10
Keystores
  • Keystores are an in-memory collection of keys and
    certificates
  • Three implementations of a keystore for Bouncy
    Castle: Keystore.JKS, Keystore.UBER,
    Keystore.JKS
  • Keystore.JKS, which is compatible with JKS (Java
    KeyStore) and JDK keytool, stores the keystore
    unencrypted on disk and the keys encrypted with
    their own passwords
  • When a password is provided, SHA-1 HMAC is used
    to verify the keystore contents

11
Keystores
  • Keystore.UBER or Keystore.BouncyCastle requires
    the password be provided on the command line only
  • Entire keystore is encrypted with a PBE (Password
    Based Encryption) based on SHA-1 (Secure Hashing
    Algorithm) and Twofish (symmetric key block
    cipher), which forces verification by making all
    of the keystore resistant to tampering and inspection
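
Added example, not part of the presentation or of the Bouncy Castle project: the provider is registered at runtime (the programmatic counterpart of the security-file edit on slide 9), reached through JCE classes, and an UBER keystore is shown rejecting a wrong password and a one-bit modification. It assumes the Bouncy Castle provider jar is on the classpath; "BC" and "UBER" are the provider and keystore type names that provider registers, while the class name, alias and passwords are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.Security;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
public class UberKeystoreDemo {
    // Constructed sample values, for illustration only.
    private static final char[] STORE_PW = "store-password-example".toCharArray();
    private static final char[] KEY_PW = "key-password-example".toCharArray();

    public static void main(String[] args) throws Exception {
        // Runtime registration; the static alternative is the security-file edit.
        if (Security.getProvider("BC") == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
        // The provider is used indirectly, by asking a JCE class for it by name.
        KeyGenerator kg = KeyGenerator.getInstance("AES", "BC");
        kg.init(128);
        SecretKey key = kg.generateKey();

        // Build an UBER keystore in memory and serialize it under STORE_PW.
        KeyStore ks = KeyStore.getInstance("UBER", "BC");
        ks.load(null, null);                      // start from an empty store
        ks.setKeyEntry("demo-key", key, KEY_PW, null);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, STORE_PW);
        byte[] blob = out.toByteArray();

        System.out.println("correct password loads: " + loads(blob, STORE_PW));
        System.out.println("wrong password loads:   " + loads(blob, "wrong".toCharArray()));
        byte[] tampered = blob.clone();
        tampered[tampered.length / 2] ^= 0x01;    // flip one bit of the encrypted body
        System.out.println("tampered store loads:   " + loads(tampered, STORE_PW));
    }

    // Returns true only if the blob decrypts and passes the keystore's integrity check.
    static boolean loads(byte[] blob, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("UBER", "BC");
        try {
            ks.load(new ByteArrayInputStream(blob), password);
            return ks.containsAlias("demo-key");
        } catch (IOException e) {
            return false;                         // decryption or integrity check failed
        }
    }
}
```

On JDKs older than 8u161 the unlimited-strength policy files must be installed for the keystore's Twofish key size to be permitted.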

12
Keystores
  • Keystore.JKS is compatible with PKCS12 (Public
    Key Cryptographic Standards 12), a file format
    used to store private keys with accompanying
    public keys and X509 certificates
  • Keys are encrypted with three-key TripleDES

13
Performance Concerns
  • Uses the JVM (Java Virtual Machine) to perform
    the most intensive big integer computations
  • Use of the RSA algorithm gives the only
    acceptable performance and that being marginal
  • It takes a Palm VII more than a minute to verify
    a simple signature encrypted with a 128-bit RSA key

14
Conclusion
  • Bouncy Castle is a lightweight clean Java
    application that is suitable for use in small
    handheld and wireless devices that do not have
    vast amounts of computing memory and power. It is
    open source and platform independent due to its
    use of Java. Bouncy Castle uses a wide variety of
    encryption algorithms. Sounds pretty good until
    you get to the performance issues.

15
Works Cited
  • 4Investigations on CyberVote client security
    issues. (n.d.). Retrieved May 6, 2007, from
    http://www.eucybervote.org/Reports/MSI-WP2-D7V1-V1.0-03.htm
  • Legion of the Bouncy Castle. (n.d.). Thought
    Works - Open Source. Retrieved May 6, 2007, from
    http://opensource.thoughtworks.com/projects/legionofthebouncycastle.html
  • MIDP Application Security 4: Encryption in MIDP.
    (n.d.). Sun Developer Network. Retrieved May
    3, 2007, from
    http://developers.sun.com/techtopics/mobility/midp/articles/security4/
  • PGP Encryption using Bouncy Castle. (n.d.).
    Retrieved May 6, 2007, from
    http://cephas.net/blog/2004/04/01/pgp-encryption-using-bouncy-castle/
  • Securing your J2ME/MIDP apps. (n.d.). IBM.
    Retrieved May 6, 2007, from IBM Web site:
    http://www-128.ibm.com/developerworks/library/j-midpds.html
  • The JCA and the JCE. (n.d.). Retrieved May 7,
    2007, from
    http://media.wiley.com/product_data/excerpt/30/07645963/0764596330.pdf