Upload
chloe-williamson
View
218
Download
1
Tags:
Embed Size (px)
Citation preview
1
Homework
Study Java Cryptographyby
Reading the rest of slidesand
accessing Sun’s Java website: http://java.sun.com
2
Goals
Learn about JAVA Crypto Architecture How to use JAVA Crypto API’s Understand the JCE (Java Cryptography Extension) Be able to use java crypto functions (meaningfully) in your
code JAAS (Java Authentication and Authorization Service)
(Refer Java web site for JAAS details) JSSE (Java Secure Socket Extension)
(Refer Java web site for JSSE details)
3
Introduction JDK Security API
Core API for Java Built around the java.security package
First release of JDK Security introduced "Java Cryptography Architecture" (JCA) Framework for accessing and developing cryptographic functionality
JCA encompasses Parts of JDK 1.2 Security API related to cryptography Architecture that allows for multiple and interoperable cryptography implementations
The Java Cryptography Extension (JCE) extends JCA Includes APIs for encryption, key exchange, and Message Authentication Code (MAC)
4
Java Cryptography Extension (JCE)
Adds encryption, key exchange, key generation, message authentication code (MAC) Multiple “providers” supported Keys & certificates in “keystore” database
Separate due to export control
5
JCE Architecture
JCE:Cipher
KeyAgreementKeyGenerator
SecretKeyFactoryMAC
CSP 1 CSP 2
SPI
APIApp 1 App 2
6
Design Principles Implementation independence and interoperability
"provider“ based architecture Set of packages implementing cryptographic services
• digital signature algorithms Programs request a particular type of object Various implementations working together, use each other's keys, or verify each other's
signatures
Algorithm independence and extensibility Cryptographic classes providing the functionality Classes are called engine classes, example Signature Addition of new algorithms straight forward
8
Engine Classes and SPI Interface to specific type of cryptographic service Defines API methods to access cryptographic service Actual implementation specific to algorithms For example : Signature engine class
Provides access to the functionality of a digital signature algorithm Actual implementation supplied by specific algorithm subclass
"Service Provider Interface" (SPI) Each engine class has a corresponding abstract SPI class Defines the Service Provider Interface to be used by implementors
SPI class is abstract - To supply implementation, provider must subclass
9
JCA Implementation
SPI (Service Provider Interface) say FooSpi
Engine Foo Algorithm MyAlgorithm
Foo f = Foo.getInstance(MyAlgorithm);
10
General Usage
No need to call constructor directly Define the algorithm reqd.
getInstance() Initialize the keysize
init() or initialize() Use the Object generateKey() or doFinal()
11
java.security classes
Key KeyPair KeyPairGenerator KeyFactory Certificate CertificateFactory Keystore MessageDigest Signature SignedObject SecureRandom
12
Key
Types SecretKey PublicKey PrivateKey
Methods getAlgorthm() getEncoded()
KeyPair= {PrivateKey, PublicKey}
13
KeyGenerator
Generates instances of key Requires Algorithm
getInstance(algo) Keylength, (random)
Initialize(param, random) Generates required key/keypair
14
KeyFactory/SecretKeyFactory
Converts a KeySpec into Keys KeySpec Depends on the algorithm Usually a byte[] (DES)
Could also be a set of numbers (DSA) Required when the key is encoded and transferred across
the network
15
Certificate
Problem Java.security.Certificate is an interface Java.security.cert.Certificate is a class
Which one to use when you ask for a Certificate? Import only the correct type
Avoid “import java.security.*” Use X509Certificate
16
KeyStore
Access to a physical keystore Can import/export certificates
Can import keys from certificates Certificate.getPublicKey()
Certificate.getPrivateKey() Check for certificate validity Check for authenticity
17
keytool
Reads/writes to a keystore Unique alias for each certificate Password Encrypted
Functionality Import Sign Request
Export NOTE: Default is DSA !
19
Signature (signing)
Initialize for signing
initSign(PrivateKey) Give the data to be signed update(byte [] input) and variations
doFinal(byte [] input) and variations Sign
byte[] Signature.sign() NOTE: Signature does not contain the actual signature
20
Signature (verifying)
Initialize for verifying initVerify(PublicKey)
Give the data to be verifieded update(byte [] input) and variations
doFinal(byte [] input) and variations Verify boolean Signature.verify()
21
SignedObject
Signs and encapsulates a signed object Sign
SignedObject(Serializable, Signature) Recover Object getContent()
byte[] getSignature() Verify
Verify(PublicKey, Signature) ! Need to initialize the instance of the signature
23
Cipher
DES, DESede, RSA, Blowfish, IDEA … Obtain a Cipher Object getInstance(algorithm/mode/padding) or getInstance(algorithm)
or getInstance(algorithm, provider) eg “DES/ECB/NoPadding” or “RSA” Initialize init(mode, key) mode= ENCRYPT_MODE / DECRYPT_MODE
24
Cipher cont.
Encrypt/Decrypt byte[] update(byte [] input) and variations
byte[] doFinal(byte [] input) and variations Exceptions NoSuchAlgorithmException NoSuchPadding Exception InvalidKeyException
25
SealedObject
Encrypts and encapsulates an encrypted object Encrypt
SealedObject(Serializable, Cipher) Recover getObject(Cipher)
or getObject(key) Cipher mode should be different!!
26
Wrapper Class : Crypto.java
Adding a provider public Crypto() { java.security.Security.addProvider(new
cryptix.provider.Cryptix());}
27
Enrcyption using RSA
public synchronized byte[] encryptRSA(Serializable obj, PublicKey kPub) throws KeyException, IOException {try { Cipher RSACipher = Cipher.getInstance("RSA"); return encrypt(RSACipher, obj, kPub);} catch (NoSuchAlgorithmException e) { System.exit(1);}return null; }
28
Decryption using RSA
public synchronized Object decryptRSA(byte[] msgE, PrivateKey kPriv)throws KeyException, IOException
{try { Cipher RSACipher = Cipher.getInstance("RSA"); return decrypt(RSACipher, msgE, kPriv);} catch (NoSuchAlgorithmException e) { System.exit(1);}return null; }
29
Creating a signature
public synchronized byte[] sign(byte[] msg, PrivateKey kPriv) throws SignatureException, KeyException, IOException
{// Initialize the signature object for signingdebug("Initializing signature.");try { Signature RSASig = Signature.getInstance("SHA-1/RSA/PKCS#1"); debug("Using algorithm: " + RSASig.getAlgorithm()); RSASig.initSign(kPriv); RSASig.update(msg); return RSASig.sign();} catch (NoSuchAlgorithmException e) { System.exit(1);}return null; }
30
Verifying a signature
public synchronized boolean verify(byte[] msg, byte[] sig, PublicKey kPub) throws SignatureException, KeyException
{// Initialize the signature object for verifyingdebug("Initializing signature.");try { Signature RSASig = Signature.getInstance("SHA-1/RSA/PKCS#1"); RSASig.initVerify(kPub); RSASig.update(msg); return RSASig.verify(sig);} catch (NoSuchAlgorithmException e) { System.exit(1);}return false; }