1

Homework

Study Java Cryptographyby

Reading the rest of slidesand

accessing Sun’s Java website: http://java.sun.com

2

Goals

Learn about JAVA Crypto Architecture How to use JAVA Crypto API’s Understand the JCE (Java Cryptography Extension) Be able to use java crypto functions (meaningfully) in your

code JAAS (Java Authentication and Authorization Service)

(Refer Java web site for JAAS details) JSSE (Java Secure Socket Extension)

(Refer Java web site for JSSE details)

3

Introduction JDK Security API

Core API for Java Built around the java.security package

First release of JDK Security introduced "Java Cryptography Architecture" (JCA) Framework for accessing and developing cryptographic functionality

JCA encompasses Parts of JDK 1.2 Security API related to cryptography Architecture that allows for multiple and interoperable cryptography implementations

The Java Cryptography Extension (JCE) extends JCA Includes APIs for encryption, key exchange, and Message Authentication Code (MAC)

4

Java Cryptography Extension (JCE)

Adds encryption, key exchange, key generation, message authentication code (MAC) Multiple “providers” supported Keys & certificates in “keystore” database

Separate due to export control

5

JCE Architecture

JCE:Cipher

KeyAgreementKeyGenerator

SecretKeyFactoryMAC

CSP 1 CSP 2

SPI

APIApp 1 App 2

6

Design Principles Implementation independence and interoperability

"provider“ based architecture Set of packages implementing cryptographic services

• digital signature algorithms Programs request a particular type of object Various implementations working together, use each other's keys, or verify each other's

signatures

Algorithm independence and extensibility Cryptographic classes providing the functionality Classes are called engine classes, example Signature Addition of new algorithms straight forward

7

Building Blocks

Key

Certificate

Keystore

Message Digest

Digital Signature

SecureRandom

Cipher

MAC

8

Engine Classes and SPI Interface to specific type of cryptographic service Defines API methods to access cryptographic service Actual implementation specific to algorithms For example : Signature engine class

Provides access to the functionality of a digital signature algorithm Actual implementation supplied by specific algorithm subclass

"Service Provider Interface" (SPI) Each engine class has a corresponding abstract SPI class Defines the Service Provider Interface to be used by implementors

SPI class is abstract - To supply implementation, provider must subclass

9

JCA Implementation

SPI (Service Provider Interface) say FooSpi

Engine Foo Algorithm MyAlgorithm

Foo f = Foo.getInstance(MyAlgorithm);

10

General Usage

No need to call constructor directly Define the algorithm reqd.

getInstance() Initialize the keysize

init() or initialize() Use the Object generateKey() or doFinal()

11

java.security classes

Key KeyPair KeyPairGenerator KeyFactory Certificate CertificateFactory Keystore MessageDigest Signature SignedObject SecureRandom

12

Key

Types SecretKey PublicKey PrivateKey

Methods getAlgorthm() getEncoded()

KeyPair= {PrivateKey, PublicKey}

13

KeyGenerator

Generates instances of key Requires Algorithm

getInstance(algo) Keylength, (random)

Initialize(param, random) Generates required key/keypair

14

KeyFactory/SecretKeyFactory

Converts a KeySpec into Keys KeySpec Depends on the algorithm Usually a byte[] (DES)

Could also be a set of numbers (DSA) Required when the key is encoded and transferred across

the network

15

Certificate

Problem Java.security.Certificate is an interface Java.security.cert.Certificate is a class

Which one to use when you ask for a Certificate? Import only the correct type

Avoid “import java.security.*” Use X509Certificate

16

KeyStore

Access to a physical keystore Can import/export certificates

Can import keys from certificates Certificate.getPublicKey()

Certificate.getPrivateKey() Check for certificate validity Check for authenticity

17

keytool

Reads/writes to a keystore Unique alias for each certificate Password Encrypted

Functionality Import Sign Request

Export NOTE: Default is DSA !

18

Signature

DSA, RSA Obtain a Signature Object getInstance(algo) getInstance(algorithm,provider)

19

Signature (signing)

Initialize for signing

initSign(PrivateKey) Give the data to be signed update(byte [] input) and variations

doFinal(byte [] input) and variations Sign

byte[] Signature.sign() NOTE: Signature does not contain the actual signature

20

Signature (verifying)

Initialize for verifying initVerify(PublicKey)

Give the data to be verifieded update(byte [] input) and variations

doFinal(byte [] input) and variations Verify boolean Signature.verify()

21

SignedObject

Signs and encapsulates a signed object Sign

SignedObject(Serializable, Signature) Recover Object getContent()

byte[] getSignature() Verify

Verify(PublicKey, Signature) ! Need to initialize the instance of the signature

22

javax.crypto classes

Cipher Mac KeyGenerator SecretKeyFactory SealedObject

23

Cipher

DES, DESede, RSA, Blowfish, IDEA … Obtain a Cipher Object getInstance(algorithm/mode/padding) or getInstance(algorithm)

or getInstance(algorithm, provider) eg “DES/ECB/NoPadding” or “RSA” Initialize init(mode, key) mode= ENCRYPT_MODE / DECRYPT_MODE

24

Cipher cont.

Encrypt/Decrypt byte[] update(byte [] input) and variations

byte[] doFinal(byte [] input) and variations Exceptions NoSuchAlgorithmException NoSuchPadding Exception InvalidKeyException

25

SealedObject

Encrypts and encapsulates an encrypted object Encrypt

SealedObject(Serializable, Cipher) Recover getObject(Cipher)

or getObject(key) Cipher mode should be different!!

26

Wrapper Class : Crypto.java

Adding a provider public Crypto() { java.security.Security.addProvider(new

cryptix.provider.Cryptix());}

27

Enrcyption using RSA

public synchronized byte[] encryptRSA(Serializable obj, PublicKey kPub) throws KeyException, IOException {try { Cipher RSACipher = Cipher.getInstance("RSA"); return encrypt(RSACipher, obj, kPub);} catch (NoSuchAlgorithmException e) { System.exit(1);}return null; }

28

Decryption using RSA

public synchronized Object decryptRSA(byte[] msgE, PrivateKey kPriv)throws KeyException, IOException

{try { Cipher RSACipher = Cipher.getInstance("RSA"); return decrypt(RSACipher, msgE, kPriv);} catch (NoSuchAlgorithmException e) { System.exit(1);}return null; }

29

Creating a signature

public synchronized byte[] sign(byte[] msg, PrivateKey kPriv) throws SignatureException, KeyException, IOException

{// Initialize the signature object for signingdebug("Initializing signature.");try { Signature RSASig = Signature.getInstance("SHA-1/RSA/PKCS#1"); debug("Using algorithm: " + RSASig.getAlgorithm()); RSASig.initSign(kPriv); RSASig.update(msg); return RSASig.sign();} catch (NoSuchAlgorithmException e) { System.exit(1);}return null; }

30

Verifying a signature

public synchronized boolean verify(byte[] msg, byte[] sig, PublicKey kPub) throws SignatureException, KeyException

{// Initialize the signature object for verifyingdebug("Initializing signature.");try { Signature RSASig = Signature.getInstance("SHA-1/RSA/PKCS#1"); RSASig.initVerify(kPub); RSASig.update(msg); return RSASig.verify(sig);} catch (NoSuchAlgorithmException e) { System.exit(1);}return false; }