csci5233 Computer Security

GS Chapter 5: Asymmetric Encryption in Java

Topics

A. Ciphers, modes, and padding

B. Asymmetric encryption in Java

C. Session key encryption

D. File encryption/decryption using RSA

E. Key agreement

Ciphers, Modes, and Padding

The ECB (Electronic Code Book) mode encrypts the plaintext a block at a time.

Asymmetric ciphers are almost always used in ECB mode. Why?

The block size is usually almost equal to the size of the key.

Example: 1024-bit RSA ~= data block of 117 bytes

When the size of the data is less than the size of the block, padding is needed.

RSA uses two forms of padding:

PKCS#1 - the standard form of padding in RSA; insecure when used for encrypting plaintext with obvious patterns in it (like English text)

OAEP (Optimal Asymmetric Encryption Padding) - an improvement on PKCS#1

Asymmetric encryption in Java

The steps of using asymmetric encryption in Java are similar to using symmetric encryption:

1. Create a key

2. Create and initialize a cipher using the key

3. Use the cipher to encrypt or decrypt by specifying the appropriate mode

The main difference is that an asymmetric cipher requires a key pair: a public and a private key.

Major Java Classes for Key Pairs

1. java.security.KeyPair

public final class KeyPair extends Object implements Serializable

2. java.security.PublicKey

public interface PublicKey extends Key

This interface contains no methods or constants. It merely serves to group (and provide type safety for) all public key interfaces.

Note: The specialized public key interfaces extend this interface. See, for example, the DSAPublicKey interface in java.security.interfaces.

3. java.security.PrivateKey

Similar to the PublicKey interface, except that it is for the private key.

4. java.security.KeyPairGenerator

public abstract class KeyPairGenerator extends KeyPairGeneratorSpi

The KeyPairGenerator class is used to generate pairs of public and private keys.

Key pair generators are constructed using the getInstance factory methods.
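The three steps above, together with the block-size and padding points from the earlier slides, as an added example (not code from the course or the GS book). The class name RsaPaddingDemo, the two key sizes and the sample message are assumptions; the transformation names are the standard ones of the JDK's default provider, and 1024 bits appears only to reproduce the slide's figure.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;

public class RsaPaddingDemo {
    // "ECB" is part of the transformation name even though RSA only ever
    // processes a single block per doFinal call.
    static final String PKCS1 = "RSA/ECB/PKCS1Padding";
    static final String OAEP  = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    // Step 1: create the key pair through the getInstance factory method.
    static KeyPair newRsaKeyPair(int bits) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(bits);
        return kpg.generateKeyPair();
    }

    // Steps 2 and 3: initialize one cipher with the public key to encrypt
    // and another with the private key to decrypt; returns the recovered data.
    static byte[] roundTrip(String transformation, KeyPair kp, byte[] data) throws Exception {
        Cipher enc = Cipher.getInstance(transformation);
        enc.init(Cipher.ENCRYPT_MODE, kp.getPublic());
        byte[] ciphertext = enc.doFinal(data);

        Cipher dec = Cipher.getInstance(transformation);
        dec.init(Cipher.DECRYPT_MODE, kp.getPrivate());
        return dec.doFinal(ciphertext);
    }

    // Largest input a single RSA block accepts under the given padding,
    // found by probing downward from the modulus size until doFinal accepts it.
    static int maxPlaintext(String transformation, PublicKey pub, int modulusBytes) throws Exception {
        for (int n = modulusBytes; n > 0; n--) {
            Cipher c = Cipher.getInstance(transformation);
            c.init(Cipher.ENCRYPT_MODE, pub);
            try {
                c.doFinal(new byte[n]);
                return n;
            } catch (IllegalBlockSizeException tooLong) {
                // input does not fit in one block once padding is added; try shorter
            }
        }
        return 0;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input.
        byte[] msg = "constructed sample message".getBytes(StandardCharsets.UTF_8);

        for (int bits : new int[] {1024, 2048}) {
            KeyPair kp = newRsaKeyPair(bits);
            int modulusBytes = bits / 8;
            System.out.printf("%d-bit key (%d-byte modulus): PKCS1 max %d bytes, OAEP max %d bytes%n",
                    bits, modulusBytes,
                    maxPlaintext(PKCS1, kp.getPublic(), modulusBytes),
                    maxPlaintext(OAEP, kp.getPublic(), modulusBytes));

            byte[] recovered = roundTrip(OAEP, kp, msg);
            System.out.println("  OAEP round trip ok: " + Arrays.equals(msg, recovered));
        }
    }
}
```

The gap between the modulus size and the reported maximum is the padding overhead, which is why anything larger than a key or a short token goes through a session key instead.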

Session key encryption

Oddly enough, the greatest value in using asymmetric encryption is in encrypting symmetric keys.

Why? (discussed earlier in Chapter 2)

Exercise: Explain how session key encryption works.

SimpleRSAExample.java (or find it at http://sce.cl.uh.edu/yang/teaching/proJavaSecurityCode.html)

File encrypt/decrypt using RSA

Steps:

1) Use an AES session key to encrypt the file. (Note: Each file is encrypted by a different session key.)

2) Use RSA to encrypt the session key.

3) Store the encrypted session key inside the file.

Source code: FileEncryptorRSA.java

FileEncryptor is started with one of three options:

-c: create key pair and write it to 2 files

-e: encrypt a file given as an argument

-d: decrypt a file given as an argument

File encrypt/decrypt using RSA: Format of the encrypted file

File encrypt/decrypt using RSA: The decryption steps
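The session-key steps above, as an added example that is not FileEncryptorRSA.java and does not reproduce its file format, which the page does not preserve. The class name HybridFileDemo, the layout (4-byte length, RSA-wrapped key, 12-byte IV, AES-GCM body), the choice of OAEP and GCM, and the in-memory byte arrays standing in for files are all assumptions; it needs Java 9 or later for readAllBytes.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class HybridFileDemo {
    static final String RSA = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    static final String AES = "AES/GCM/NoPadding";
    static final int IV_LEN = 12, TAG_BITS = 128;

    // Assumed layout: [int wrappedLen][wrapped session key][IV][ciphertext + tag]
    static byte[] encrypt(byte[] plain, PublicKey pub) throws Exception {
        // Step 1: a fresh AES session key for every file.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey session = kg.generateKey();

        // Step 2: RSA encrypts (wraps) only the session key.
        Cipher rsa = Cipher.getInstance(RSA);
        rsa.init(Cipher.WRAP_MODE, pub);
        byte[] wrapped = rsa.wrap(session);

        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);
        Cipher aes = Cipher.getInstance(AES);
        aes.init(Cipher.ENCRYPT_MODE, session, new GCMParameterSpec(TAG_BITS, iv));
        aes.updateAAD(wrapped);              // ties the header to the body
        byte[] body = aes.doFinal(plain);

        // Step 3: the wrapped key travels inside the output, ahead of the data.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(buf);
        out.writeInt(wrapped.length);
        out.write(wrapped);
        out.write(iv);
        out.write(body);
        return buf.toByteArray();
    }

    static byte[] decrypt(byte[] file, PrivateKey priv) throws Exception {
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(file));
        int len = in.readInt();
        if (len <= 0 || len > 1024) {        // reject absurd header lengths early
            throw new GeneralSecurityException("bad wrapped-key length: " + len);
        }
        byte[] wrapped = new byte[len];
        in.readFully(wrapped);
        byte[] iv = new byte[IV_LEN];
        in.readFully(iv);
        byte[] body = in.readAllBytes();

        // Recover the session key with the private key, then decrypt the body.
        Cipher rsa = Cipher.getInstance(RSA);
        rsa.init(Cipher.UNWRAP_MODE, priv);
        SecretKey session = (SecretKey) rsa.unwrap(wrapped, "AES", Cipher.SECRET_KEY);

        Cipher aes = Cipher.getInstance(AES);
        aes.init(Cipher.DECRYPT_MODE, session, new GCMParameterSpec(TAG_BITS, iv));
        aes.updateAAD(wrapped);
        return aes.doFinal(body);            // throws if header or body was modified
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        // Constructed sample content, far larger than one RSA block could hold.
        byte[] plain = "constructed sample file content\n".repeat(500)
                .getBytes(StandardCharsets.UTF_8);

        byte[] file = encrypt(plain, kp.getPublic());
        String recovered = new String(decrypt(file, kp.getPrivate()), StandardCharsets.UTF_8);
        System.out.println("round trip ok: "
                + recovered.equals(new String(plain, StandardCharsets.UTF_8)));

        file[file.length - 1] ^= 0x01;       // simulate corruption of the stored file
        try {
            decrypt(file, kp.getPrivate());
            System.out.println("modified file accepted");
        } catch (AEADBadTagException e) {
            System.out.println("modified file rejected");
        }
    }
}
```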

Key agreement

javax.crypto

Class KeyAgreement

This class provides the functionality of a key agreement (or key exchange) protocol.

For each of the correspondents in the key exchange, doPhase needs to be called. For example, if this key exchange is with one other party, doPhase needs to be called once, with the lastPhase flag set to true.

Key doPhase(Key key, boolean lastPhase)

Executes the next phase of this key agreement with the given key that was received from one of the other parties involved in this key agreement.

If this key exchange is with two other parties, doPhase needs to be called twice, the first time setting the lastPhase flag to false, and the second time setting it to true. There may be any number of parties involved in a key exchange.

With the doPhase method, Diffie-Hellman allows any number of public keys to be added to perform a key agreement.

Once all the keys have been passed in with doPhase(), a call to generateSecret() will perform the actual key agreement and return a byte array that is the shared secret.

byte[] generateSecret()

Generates the shared secret and returns it in a new buffer.

int generateSecret(byte[] sharedSecret, int offset)

Generates the shared secret and places it into the buffer sharedSecret, beginning at offset inclusive.

SecretKey generateSecret(String algorithm)

Creates the shared secret and returns it as a SecretKey object of the specified algorithm.
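The doPhase and generateSecret sequence described above, for both the two-party and the three-party case, as an added example (not KeyAgreementClient.java or KeyAgreementServer.java). The class name DhAgreementDemo, the party names, the 2048-bit group and the SHA-256 step that turns the raw secret into an AES key are assumptions; all three parties run in one process here, whereas in practice only public and intermediate keys would cross the network.

```java
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.util.Arrays;
import javax.crypto.KeyAgreement;
import javax.crypto.SecretKey;
import javax.crypto.interfaces.DHPublicKey;
import javax.crypto.spec.DHParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class DhAgreementDemo {
    // The first party picks the group; everyone else must reuse its parameters.
    static KeyPair newKeyPair(DHParameterSpec params) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DH");
        if (params == null) {
            kpg.initialize(2048);
        } else {
            kpg.initialize(params);
        }
        return kpg.generateKeyPair();
    }

    static KeyAgreement start(KeyPair own) throws Exception {
        KeyAgreement ka = KeyAgreement.getInstance("DH");
        ka.init(own.getPrivate());
        return ka;
    }

    // Two parties: one doPhase call with lastPhase = true, then generateSecret().
    static byte[] twoParty(KeyPair own, PublicKey peer) throws Exception {
        KeyAgreement ka = start(own);
        ka.doPhase(peer, true);
        return ka.generateSecret();
    }

    // Assumed key derivation for illustration: hash the raw secret into a
    // 256-bit AES key instead of using the secret bytes directly.
    static SecretKey toAesKey(byte[] sharedSecret) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(sharedSecret);
        return new SecretKeySpec(digest, "AES");
    }

    public static void main(String[] args) throws Exception {
        KeyPair alice = newKeyPair(null);
        DHParameterSpec params = ((DHPublicKey) alice.getPublic()).getParams();
        KeyPair bob = newKeyPair(params);
        KeyPair carol = newKeyPair(params);

        // Two-party case.
        byte[] ab = twoParty(alice, bob.getPublic());
        byte[] ba = twoParty(bob, alice.getPublic());
        System.out.println("two-party secrets match: " + Arrays.equals(ab, ba));

        // Three-party case: the first doPhase (lastPhase = false) returns an
        // intermediate key that is handed on to the next party.
        KeyAgreement aliceKa = start(alice);
        KeyAgreement bobKa = start(bob);
        KeyAgreement carolKa = start(carol);

        Key ac = aliceKa.doPhase(carol.getPublic(), false); // Alice sends this to Bob
        Key ba2 = bobKa.doPhase(alice.getPublic(), false);  // Bob sends this to Carol
        Key cb = carolKa.doPhase(bob.getPublic(), false);   // Carol sends this to Alice

        // Second doPhase (lastPhase = true) with the intermediate key received.
        aliceKa.doPhase(cb, true);
        bobKa.doPhase(ac, true);
        carolKa.doPhase(ba2, true);

        byte[] sa = aliceKa.generateSecret();
        byte[] sb = bobKa.generateSecret();
        byte[] sc = carolKa.generateSecret();
        System.out.println("three-party secrets match: "
                + (Arrays.equals(sa, sb) && Arrays.equals(sb, sc)));

        SecretKey sessionKey = toAesKey(sa);
        System.out.println("derived " + sessionKey.getAlgorithm() + " key of "
                + sessionKey.getEncoded().length * 8 + " bits");
    }
}
```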

Key agreement for a Chat Application

The sample application:

KeyAgreementClient.java

KeyAgreementServer.java

Next

Message digest, Digital signatures & Certificates (GS 6)

  • GS Chapter 5 Asymmetric Encryption in Java
  • Topics
  • Ciphers Modes and Padding
  • Slide 4
  • Asymmetric encryption in Java
  • Major Java Classes for Key Pairs
  • Slide 7
  • Session key encryption
  • File encryptdecrypt using RSA
  • Slide 10
  • Slide 11
  • Slide 12
  • Key agreement
  • Slide 14
  • Slide 15
  • Slide 16
  • PowerPoint Presentation
  • Key agreement for a Chat Application
  • Next
Page 2: Csci5233 Computer Security1 GS: Chapter 5 Asymmetric Encryption in Java

csci5233 Computer Security 2

Topics

A Ciphers modes and padding

B Asymmetric encryption in Java

C Session key encryption

D File encryptiondecryption using RSA

E Key agreement

csci5233 Computer Security 3

Ciphers Modes and Padding

The ECB (Electronic Code Book) mode encrypts the

plaintext a block at a time

Asymmetric ciphers are almost always used in ECB mode

Why

The block size is usually almost equal to the size of the

key

Example 1024-bit RSA ~= data block of 117 bytes

csci5233 Computer Security 4

Ciphers Modes and Padding

When the size of the data is less than the size of the block

padding is needed

RSA uses two forms of padding

PKCS1 ndash the standard form of padding in RSA insecure when used for

encrypting plaintext with obvious patterns in it (like English text)

OAEP (Optimal Asymmetric Encryption Padding) ndash an improvement on

PKCS1

csci5233 Computer Security 5

Asymmetric encryption in Java

The steps of using asymmetric encryption in

Java is similar to using symmetric encryption

1 Create a key

2 Create and initialize a cipher using the key

3 Use the cipher to encrypt or decrypt by specifying

appropriate mode

The main difference is that an asymmetric cipher

requires a key pair a public and a private key

csci5233 Computer Security 6

Major Java Classes for Key Pairs

1 javasecurityKeyPairpublic final class KeyPair

extends Object

implements Serializable

2 javasecurityPublicKeypublic interface PublicKey extends Key

This interface contains no methods or constants It merely serves to group

(and provide type safety for) all public key interfaces

Note The specialized public key interfaces extend this interface See for

example the DSAPublicKey interface in

javasecurityinterfaces

csci5233 Computer Security 7

3 javasecurityPrivateKey

Similar to the PublicKey interface except that it is for the private

key

4 javasecurityKeyPairGenerator

public abstract class KeyPairGenerator extends KeyPairGeneratorSpi

The KeyPairGenerator class is used to generate pairs of public and

private keys

Key pair generators are constructed using the getInstance

factory methods

Major Java Classes for Key Pairs

csci5233 Computer Security 8

Session key encryption

Oddly enough the greatest value in using asymmetric

encryption is in encrypting symmetric keys

Why (discussed earlier in Chapter 2)

Exercise Explain how session key encryption works

SimpleRSAExamplejava (or find it at

httpscecluheduyangteachingproJavaSecurityCode

html

)

csci5233 Computer Security 9

File encryptdecrypt using RSA

Steps

1) Use an AES session key to encrypt the file (Note

Each file is encrypted by a different session key)

2) Use RSA to encrypt the session key

3) Store the encrypted session key inside the file

Source code FileEncryptorRSAjava

csci5233 Computer Security 10

File encryptdecrypt using RSA

FileEncryptor is started with one of three options

-c create key pair and write it to 2 files

-e encrypt a file given as an argument

-d decrypt a file given as an argument

csci5233 Computer Security 11

File encryptdecrypt using RSA Format of the encrypted file

csci5233 Computer Security 12

File encryptdecrypt using RSA The decryption steps

csci5233 Computer Security 13

Key agreement javaxcrypto

Class KeyAgreement

This class provides the functionality of a key agreement (or key

exchange) protocol

For each of the correspondents in the key exchange doPhase

needs to be called For example if this key exchange is

with one other party doPhase needs to be called once

with the lastPhase flag set to true

csci5233 Computer Security 14

Key agreement

Key doPhase (Key key boolean lastPhase)

Executes the next phase of this key agreement with the

given key that was received from one of the other parties

involved in this key agreement

csci5233 Computer Security 15

Key agreement If this key exchange is with two other parties doPhase

needs to be called twice the first time setting the

lastPhase flag to false and the second time setting it to

true There may be any number of parties involved in a

key exchange

With the doPhase method Diffie-Hellman allows any

number of public keys to be added to perform a key

agreement

csci5233 Computer Security 16

Key agreement Once all the keys have been passed in with doPhase( ) a call to

generateSecret( ) will perform the actual key agreement and

return a byte array that is the shared secret

byte[] generateSecret()

Generates the shared secret and returns it in a new buffer

int generateSecret (byte[] sharedSecret int offset)

Generates the shared secret and places it into the buffer

sharedSecret beginning at offset inclusive

SecretKey generateSecret (String algorithm)

Creates the shared secret and returns it as a SecretKey object of the

specified algorithm

csci5233 Computer Security 17

csci5233 Computer Security 18

Key agreement for a Chat Application The sample application

KeyAgreementClientjava

KeyAgreementServerjava

csci5233 Computer Security 19

Next

Message digest Digital signatures amp Certificates (GS 6)

  • GS Chapter 5 Asymmetric Encryption in Java
  • Topics
  • Ciphers Modes and Padding
  • Slide 4
  • Asymmetric encryption in Java
  • Major Java Classes for Key Pairs
  • Slide 7
  • Session key encryption
  • File encryptdecrypt using RSA
  • Slide 10
  • Slide 11
  • Slide 12
  • Key agreement
  • Slide 14
  • Slide 15
  • Slide 16
  • PowerPoint Presentation
  • Key agreement for a Chat Application
  • Next
Page 3: Csci5233 Computer Security1 GS: Chapter 5 Asymmetric Encryption in Java

csci5233 Computer Security 3

Ciphers Modes and Padding

The ECB (Electronic Code Book) mode encrypts the

plaintext a block at a time

Asymmetric ciphers are almost always used in ECB mode

Why

The block size is usually almost equal to the size of the

key

Example 1024-bit RSA ~= data block of 117 bytes

csci5233 Computer Security 4

Ciphers Modes and Padding

When the size of the data is less than the size of the block

padding is needed

RSA uses two forms of padding

PKCS1 ndash the standard form of padding in RSA insecure when used for

encrypting plaintext with obvious patterns in it (like English text)

OAEP (Optimal Asymmetric Encryption Padding) ndash an improvement on

PKCS1

csci5233 Computer Security 5

Asymmetric encryption in Java

The steps of using asymmetric encryption in

Java is similar to using symmetric encryption

1 Create a key

2 Create and initialize a cipher using the key

3 Use the cipher to encrypt or decrypt by specifying

appropriate mode

The main difference is that an asymmetric cipher

requires a key pair a public and a private key

csci5233 Computer Security 6

Major Java Classes for Key Pairs

1 javasecurityKeyPairpublic final class KeyPair

extends Object

implements Serializable

2 javasecurityPublicKeypublic interface PublicKey extends Key

This interface contains no methods or constants It merely serves to group

(and provide type safety for) all public key interfaces

Note The specialized public key interfaces extend this interface See for

example the DSAPublicKey interface in

javasecurityinterfaces

csci5233 Computer Security 7

3 javasecurityPrivateKey

Similar to the PublicKey interface except that it is for the private

key

4 javasecurityKeyPairGenerator

public abstract class KeyPairGenerator extends KeyPairGeneratorSpi

The KeyPairGenerator class is used to generate pairs of public and

private keys

Key pair generators are constructed using the getInstance

factory methods

Major Java Classes for Key Pairs

csci5233 Computer Security 8

Session key encryption

Oddly enough the greatest value in using asymmetric

encryption is in encrypting symmetric keys

Why (discussed earlier in Chapter 2)

Exercise Explain how session key encryption works

SimpleRSAExamplejava (or find it at

httpscecluheduyangteachingproJavaSecurityCode

html

)

csci5233 Computer Security 9

File encryptdecrypt using RSA

Steps

1) Use an AES session key to encrypt the file (Note

Each file is encrypted by a different session key)

2) Use RSA to encrypt the session key

3) Store the encrypted session key inside the file

Source code FileEncryptorRSAjava

csci5233 Computer Security 10

File encryptdecrypt using RSA

FileEncryptor is started with one of three options

-c create key pair and write it to 2 files

-e encrypt a file given as an argument

-d decrypt a file given as an argument

csci5233 Computer Security 11

File encryptdecrypt using RSA Format of the encrypted file

csci5233 Computer Security 12

File encryptdecrypt using RSA The decryption steps

csci5233 Computer Security 13

Key agreement javaxcrypto

Class KeyAgreement

This class provides the functionality of a key agreement (or key

exchange) protocol

For each of the correspondents in the key exchange doPhase

needs to be called For example if this key exchange is

with one other party doPhase needs to be called once

with the lastPhase flag set to true

csci5233 Computer Security 14

Key agreement

Key doPhase (Key key boolean lastPhase)

Executes the next phase of this key agreement with the

given key that was received from one of the other parties

involved in this key agreement

csci5233 Computer Security 15

Key agreement If this key exchange is with two other parties doPhase

needs to be called twice the first time setting the

lastPhase flag to false and the second time setting it to

true There may be any number of parties involved in a

key exchange

With the doPhase method Diffie-Hellman allows any

number of public keys to be added to perform a key

agreement

csci5233 Computer Security 16

Key agreement Once all the keys have been passed in with doPhase( ) a call to

generateSecret( ) will perform the actual key agreement and

return a byte array that is the shared secret

byte[] generateSecret()

Generates the shared secret and returns it in a new buffer

int generateSecret (byte[] sharedSecret int offset)

Generates the shared secret and places it into the buffer

sharedSecret beginning at offset inclusive

SecretKey generateSecret (String algorithm)

Creates the shared secret and returns it as a SecretKey object of the

specified algorithm

csci5233 Computer Security 17

csci5233 Computer Security 18

Key agreement for a Chat Application The sample application

KeyAgreementClientjava

KeyAgreementServerjava

csci5233 Computer Security 19

Next

Message digest Digital signatures amp Certificates (GS 6)

  • GS Chapter 5 Asymmetric Encryption in Java
  • Topics
  • Ciphers Modes and Padding
  • Slide 4
  • Asymmetric encryption in Java
  • Major Java Classes for Key Pairs
  • Slide 7
  • Session key encryption
  • File encryptdecrypt using RSA
  • Slide 10
  • Slide 11
  • Slide 12
  • Key agreement
  • Slide 14
  • Slide 15
  • Slide 16
  • PowerPoint Presentation
  • Key agreement for a Chat Application
  • Next
Page 4: Csci5233 Computer Security1 GS: Chapter 5 Asymmetric Encryption in Java

csci5233 Computer Security 4

Ciphers Modes and Padding

When the size of the data is less than the size of the block

padding is needed

RSA uses two forms of padding

PKCS1 ndash the standard form of padding in RSA insecure when used for

encrypting plaintext with obvious patterns in it (like English text)

OAEP (Optimal Asymmetric Encryption Padding) ndash an improvement on

PKCS1

csci5233 Computer Security 5

Asymmetric encryption in Java

The steps of using asymmetric encryption in

Java is similar to using symmetric encryption

1 Create a key

2 Create and initialize a cipher using the key

3 Use the cipher to encrypt or decrypt by specifying

appropriate mode

The main difference is that an asymmetric cipher

requires a key pair a public and a private key

csci5233 Computer Security 6

Major Java Classes for Key Pairs

1 javasecurityKeyPairpublic final class KeyPair

extends Object

implements Serializable

2 javasecurityPublicKeypublic interface PublicKey extends Key

This interface contains no methods or constants It merely serves to group

(and provide type safety for) all public key interfaces

Note The specialized public key interfaces extend this interface See for

example the DSAPublicKey interface in

javasecurityinterfaces

csci5233 Computer Security 7

3 javasecurityPrivateKey

Similar to the PublicKey interface except that it is for the private

key

4 javasecurityKeyPairGenerator

public abstract class KeyPairGenerator extends KeyPairGeneratorSpi

The KeyPairGenerator class is used to generate pairs of public and

private keys

Key pair generators are constructed using the getInstance

factory methods

Major Java Classes for Key Pairs

csci5233 Computer Security 8

Session key encryption

Oddly enough the greatest value in using asymmetric

encryption is in encrypting symmetric keys

Why (discussed earlier in Chapter 2)

Exercise Explain how session key encryption works

SimpleRSAExamplejava (or find it at

httpscecluheduyangteachingproJavaSecurityCode

html

)

csci5233 Computer Security 9

File encryptdecrypt using RSA

Steps

1) Use an AES session key to encrypt the file (Note

Each file is encrypted by a different session key)

2) Use RSA to encrypt the session key

3) Store the encrypted session key inside the file

Source code FileEncryptorRSAjava

csci5233 Computer Security 10

File encryptdecrypt using RSA

FileEncryptor is started with one of three options

-c create key pair and write it to 2 files

-e encrypt a file given as an argument

-d decrypt a file given as an argument

csci5233 Computer Security 11

File encryptdecrypt using RSA Format of the encrypted file

csci5233 Computer Security 12

File encryptdecrypt using RSA The decryption steps

csci5233 Computer Security 13

Key agreement javaxcrypto

Class KeyAgreement

This class provides the functionality of a key agreement (or key

exchange) protocol

For each of the correspondents in the key exchange doPhase

needs to be called For example if this key exchange is

with one other party doPhase needs to be called once

with the lastPhase flag set to true

csci5233 Computer Security 14

Key agreement

Key doPhase (Key key boolean lastPhase)

Executes the next phase of this key agreement with the

given key that was received from one of the other parties

involved in this key agreement

csci5233 Computer Security 15

Key agreement If this key exchange is with two other parties doPhase

needs to be called twice the first time setting the

lastPhase flag to false and the second time setting it to

true There may be any number of parties involved in a

key exchange

With the doPhase method Diffie-Hellman allows any

number of public keys to be added to perform a key

agreement

csci5233 Computer Security 16

Key agreement Once all the keys have been passed in with doPhase( ) a call to

generateSecret( ) will perform the actual key agreement and

return a byte array that is the shared secret

byte[] generateSecret()

Generates the shared secret and returns it in a new buffer

int generateSecret (byte[] sharedSecret int offset)

Generates the shared secret and places it into the buffer

sharedSecret beginning at offset inclusive

SecretKey generateSecret (String algorithm)

Creates the shared secret and returns it as a SecretKey object of the

specified algorithm

csci5233 Computer Security 17

csci5233 Computer Security 18

Key agreement for a Chat Application The sample application

KeyAgreementClientjava

KeyAgreementServerjava

csci5233 Computer Security 19

Next

Message digest Digital signatures amp Certificates (GS 6)

  • GS Chapter 5 Asymmetric Encryption in Java
  • Topics
  • Ciphers Modes and Padding
  • Slide 4
  • Asymmetric encryption in Java
  • Major Java Classes for Key Pairs
  • Slide 7
  • Session key encryption
  • File encryptdecrypt using RSA
  • Slide 10
  • Slide 11
  • Slide 12
  • Key agreement
  • Slide 14
  • Slide 15
  • Slide 16
  • PowerPoint Presentation
  • Key agreement for a Chat Application
  • Next
Page 5: Csci5233 Computer Security1 GS: Chapter 5 Asymmetric Encryption in Java

csci5233 Computer Security 5

Asymmetric encryption in Java

The steps of using asymmetric encryption in

Java is similar to using symmetric encryption

1 Create a key

2 Create and initialize a cipher using the key

3 Use the cipher to encrypt or decrypt by specifying

appropriate mode

The main difference is that an asymmetric cipher

requires a key pair a public and a private key

csci5233 Computer Security 6

Major Java Classes for Key Pairs

1 javasecurityKeyPairpublic final class KeyPair

extends Object

implements Serializable

2 javasecurityPublicKeypublic interface PublicKey extends Key

This interface contains no methods or constants It merely serves to group

(and provide type safety for) all public key interfaces

Note The specialized public key interfaces extend this interface See for

example the DSAPublicKey interface in

javasecurityinterfaces

csci5233 Computer Security 7

3 javasecurityPrivateKey

Similar to the PublicKey interface except that it is for the private

key

4 javasecurityKeyPairGenerator

public abstract class KeyPairGenerator extends KeyPairGeneratorSpi

The KeyPairGenerator class is used to generate pairs of public and

private keys

Key pair generators are constructed using the getInstance

factory methods

Major Java Classes for Key Pairs

csci5233 Computer Security 8

Session key encryption

Oddly enough the greatest value in using asymmetric

encryption is in encrypting symmetric keys

Why (discussed earlier in Chapter 2)

Exercise Explain how session key encryption works

SimpleRSAExamplejava (or find it at

httpscecluheduyangteachingproJavaSecurityCode

html

)

csci5233 Computer Security 9

File encryptdecrypt using RSA

Steps

1) Use an AES session key to encrypt the file (Note

Each file is encrypted by a different session key)

2) Use RSA to encrypt the session key

3) Store the encrypted session key inside the file

Source code FileEncryptorRSAjava

csci5233 Computer Security 10

File encryptdecrypt using RSA

FileEncryptor is started with one of three options

-c create key pair and write it to 2 files

-e encrypt a file given as an argument

-d decrypt a file given as an argument

csci5233 Computer Security 11

File encryptdecrypt using RSA Format of the encrypted file

csci5233 Computer Security 12

File encryptdecrypt using RSA The decryption steps

csci5233 Computer Security 13

Key agreement javaxcrypto

Class KeyAgreement

This class provides the functionality of a key agreement (or key

exchange) protocol

For each of the correspondents in the key exchange doPhase

needs to be called For example if this key exchange is

with one other party doPhase needs to be called once

with the lastPhase flag set to true

csci5233 Computer Security 14

Key agreement

Key doPhase (Key key boolean lastPhase)

Executes the next phase of this key agreement with the

given key that was received from one of the other parties

involved in this key agreement

csci5233 Computer Security 15

Key agreement If this key exchange is with two other parties doPhase

needs to be called twice the first time setting the

lastPhase flag to false and the second time setting it to

true There may be any number of parties involved in a

key exchange

With the doPhase method Diffie-Hellman allows any

number of public keys to be added to perform a key

agreement

csci5233 Computer Security 16

Key agreement Once all the keys have been passed in with doPhase( ) a call to

generateSecret( ) will perform the actual key agreement and

return a byte array that is the shared secret

byte[] generateSecret()

Generates the shared secret and returns it in a new buffer

int generateSecret (byte[] sharedSecret int offset)

Generates the shared secret and places it into the buffer

sharedSecret beginning at offset inclusive

SecretKey generateSecret (String algorithm)

Creates the shared secret and returns it as a SecretKey object of the

specified algorithm

csci5233 Computer Security 17

csci5233 Computer Security 18

Key agreement for a Chat Application The sample application

KeyAgreementClientjava

KeyAgreementServerjava

csci5233 Computer Security 19

Next

Message digest Digital signatures amp Certificates (GS 6)

  • GS Chapter 5 Asymmetric Encryption in Java
  • Topics
  • Ciphers Modes and Padding
  • Slide 4
  • Asymmetric encryption in Java
  • Major Java Classes for Key Pairs
  • Slide 7
  • Session key encryption
  • File encryptdecrypt using RSA
  • Slide 10
  • Slide 11
  • Slide 12
  • Key agreement
  • Slide 14
  • Slide 15
  • Slide 16
  • PowerPoint Presentation
  • Key agreement for a Chat Application
  • Next
Page 6: Csci5233 Computer Security1 GS: Chapter 5 Asymmetric Encryption in Java

csci5233 Computer Security 6

Major Java Classes for Key Pairs

1 javasecurityKeyPairpublic final class KeyPair

extends Object

implements Serializable

2 javasecurityPublicKeypublic interface PublicKey extends Key

This interface contains no methods or constants It merely serves to group

(and provide type safety for) all public key interfaces

Note The specialized public key interfaces extend this interface See for

example the DSAPublicKey interface in

javasecurityinterfaces

csci5233 Computer Security 7

3 javasecurityPrivateKey

Similar to the PublicKey interface except that it is for the private

key

4 javasecurityKeyPairGenerator

public abstract class KeyPairGenerator extends KeyPairGeneratorSpi

The KeyPairGenerator class is used to generate pairs of public and

private keys

Key pair generators are constructed using the getInstance

factory methods

Major Java Classes for Key Pairs

csci5233 Computer Security 8

Session key encryption

Oddly enough the greatest value in using asymmetric

encryption is in encrypting symmetric keys

Why (discussed earlier in Chapter 2)

Exercise Explain how session key encryption works

SimpleRSAExamplejava (or find it at

httpscecluheduyangteachingproJavaSecurityCode

html

)

csci5233 Computer Security 9

File encryptdecrypt using RSA

Steps

1) Use an AES session key to encrypt the file (Note

Each file is encrypted by a different session key)

2) Use RSA to encrypt the session key

3) Store the encrypted session key inside the file

Source code FileEncryptorRSAjava

csci5233 Computer Security 10

File encryptdecrypt using RSA

FileEncryptor is started with one of three options

-c create key pair and write it to 2 files

-e encrypt a file given as an argument

-d decrypt a file given as an argument

csci5233 Computer Security 11

File encryptdecrypt using RSA Format of the encrypted file

csci5233 Computer Security 12

File encryptdecrypt using RSA The decryption steps

csci5233 Computer Security 13

Key agreement javaxcrypto

Class KeyAgreement

This class provides the functionality of a key agreement (or key

exchange) protocol

For each of the correspondents in the key exchange doPhase

needs to be called For example if this key exchange is

with one other party doPhase needs to be called once

with the lastPhase flag set to true

csci5233 Computer Security 14

Key agreement

Key doPhase (Key key boolean lastPhase)

Executes the next phase of this key agreement with the

given key that was received from one of the other parties

involved in this key agreement

csci5233 Computer Security 15

Key agreement If this key exchange is with two other parties doPhase

needs to be called twice the first time setting the

lastPhase flag to false and the second time setting it to

true There may be any number of parties involved in a

key exchange

With the doPhase method Diffie-Hellman allows any

number of public keys to be added to perform a key

agreement

csci5233 Computer Security 16

Key agreement Once all the keys have been passed in with doPhase( ) a call to

generateSecret( ) will perform the actual key agreement and

return a byte array that is the shared secret

byte[] generateSecret()

Generates the shared secret and returns it in a new buffer

int generateSecret (byte[] sharedSecret int offset)

Generates the shared secret and places it into the buffer

sharedSecret beginning at offset inclusive

SecretKey generateSecret (String algorithm)

Creates the shared secret and returns it as a SecretKey object of the

specified algorithm

csci5233 Computer Security 17

csci5233 Computer Security 18

Key agreement for a Chat Application The sample application

KeyAgreementClientjava

KeyAgreementServerjava

csci5233 Computer Security 19

Next

Message digest Digital signatures amp Certificates (GS 6)

  • GS Chapter 5 Asymmetric Encryption in Java
  • Topics
  • Ciphers Modes and Padding
  • Slide 4
  • Asymmetric encryption in Java
  • Major Java Classes for Key Pairs
  • Slide 7
  • Session key encryption
  • File encryptdecrypt using RSA
  • Slide 10
  • Slide 11
  • Slide 12
  • Key agreement
  • Slide 14
  • Slide 15
  • Slide 16
  • PowerPoint Presentation
  • Key agreement for a Chat Application
  • Next
Page 7: Csci5233 Computer Security1 GS: Chapter 5 Asymmetric Encryption in Java

csci5233 Computer Security 7

3 javasecurityPrivateKey

Similar to the PublicKey interface except that it is for the private

key

4 javasecurityKeyPairGenerator

public abstract class KeyPairGenerator extends KeyPairGeneratorSpi

The KeyPairGenerator class is used to generate pairs of public and

private keys

Key pair generators are constructed using the getInstance

factory methods

Major Java Classes for Key Pairs

csci5233 Computer Security 8

Session key encryption

Oddly enough the greatest value in using asymmetric

encryption is in encrypting symmetric keys

Why (discussed earlier in Chapter 2)

Exercise Explain how session key encryption works

SimpleRSAExamplejava (or find it at

httpscecluheduyangteachingproJavaSecurityCode

html

)

csci5233 Computer Security 9

File encrypt/decrypt using RSA

Steps:

1) Use an AES session key to encrypt the file. (Note: Each file is encrypted by a different session key.)

2) Use RSA to encrypt the session key.

3) Store the encrypted session key inside the file.

Source code: FileEncryptorRSA.java

File encrypt/decrypt using RSA

FileEncryptor is started with one of three options:

-c: create key pair and write it to 2 files

-e: encrypt a file given as an argument

-d: decrypt a file given as an argument

File encrypt/decrypt using RSA: Format of the encrypted file

File encrypt/decrypt using RSA: The decryption steps
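The three encryption steps listed earlier, together with the matching decryption, as an added example (not the course's FileEncryptorRSA.java, whose source and file format are not reproduced on this page). The container layout (4-byte length, RSA-wrapped session key, 12-byte IV, ciphertext), the choice of OAEP and AES-GCM, the in-memory byte arrays standing in for files, and the class name HybridFileDemo are all assumptions of this example.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.spec.MGF1ParameterSpec;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;

public class HybridFileDemo {
    static final String RSA = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    // Spell out the OAEP parameters so both digests are SHA-256 on every provider.
    static final OAEPParameterSpec OAEP = new OAEPParameterSpec(
            "SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT);
    static final int IV_LEN = 12;    // GCM nonce length in bytes
    static final int TAG_BITS = 128; // GCM authentication tag length

    // Assumed layout: [int wrappedLen][wrapped AES key][IV][AES-GCM ciphertext + tag]
    static byte[] encrypt(byte[] plain, PublicKey pub) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey session = kg.generateKey();            // step 1: fresh key per file

        Cipher rsa = Cipher.getInstance(RSA);
        rsa.init(Cipher.WRAP_MODE, pub, OAEP);
        byte[] wrapped = rsa.wrap(session);               // step 2: RSA encrypts the key

        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, session, new GCMParameterSpec(TAG_BITS, iv));
        byte[] body = aes.doFinal(plain);

        return ByteBuffer.allocate(4 + wrapped.length + IV_LEN + body.length)
                .putInt(wrapped.length).put(wrapped)      // step 3: key travels in the file
                .put(iv).put(body).array();
    }

    static byte[] decrypt(byte[] file, PrivateKey priv) throws Exception {
        ByteBuffer in = ByteBuffer.wrap(file);
        int len = in.getInt();
        // Reject headers that cannot leave room for the IV and the GCM tag.
        if (len <= 0 || len > in.remaining() - IV_LEN - TAG_BITS / 8) {
            throw new IllegalArgumentException("malformed header");
        }
        byte[] wrapped = new byte[len];
        in.get(wrapped);
        byte[] iv = new byte[IV_LEN];
        in.get(iv);
        byte[] body = new byte[in.remaining()];
        in.get(body);

        Cipher rsa = Cipher.getInstance(RSA);
        rsa.init(Cipher.UNWRAP_MODE, priv, OAEP);
        SecretKey session = (SecretKey) rsa.unwrap(wrapped, "AES", Cipher.SECRET_KEY);

        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.DECRYPT_MODE, session, new GCMParameterSpec(TAG_BITS, iv));
        return aes.doFinal(body);                         // throws if the data was modified
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair pair = kpg.generateKeyPair();

        // Constructed sample input standing in for a file's contents.
        byte[] plain = "constructed sample file contents".getBytes(StandardCharsets.UTF_8);
        byte[] file = encrypt(plain, pair.getPublic());
        byte[] back = decrypt(file, pair.getPrivate());
        System.out.println("round trip ok: " + Arrays.equals(plain, back));

        file[file.length - 1] ^= 0x01;                    // flip one bit of the tag
        try {
            decrypt(file, pair.getPrivate());
            System.out.println("tampering NOT detected");
        } catch (AEADBadTagException e) {
            System.out.println("tampering detected");
        }
    }
}
```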

Key agreement

javax.crypto

Class KeyAgreement

This class provides the functionality of a key agreement (or key exchange) protocol.

For each of the correspondents in the key exchange, doPhase needs to be called. For example, if this key exchange is with one other party, doPhase needs to be called once, with the lastPhase flag set to true.

Key doPhase(Key key, boolean lastPhase)

Executes the next phase of this key agreement with the given key that was received from one of the other parties involved in this key agreement.

If this key exchange is with two other parties, doPhase needs to be called twice, the first time setting the lastPhase flag to false, and the second time setting it to true. There may be any number of parties involved in a key exchange.

With the doPhase method, Diffie-Hellman allows any number of public keys to be added to perform a key agreement.

Once all the keys have been passed in with doPhase(), a call to generateSecret() will perform the actual key agreement and return a byte array that is the shared secret.

byte[] generateSecret()

Generates the shared secret and returns it in a new buffer.

int generateSecret(byte[] sharedSecret, int offset)

Generates the shared secret and places it into the buffer sharedSecret, beginning at offset inclusive.

SecretKey generateSecret(String algorithm)

Creates the shared secret and returns it as a SecretKey object of the specified algorithm.
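The doPhase and generateSecret calls described above, for one other party and then for two other parties, as an added example (not the course's KeyAgreementClient.java or KeyAgreementServer.java). The class name DhAgreementDemo, the 2048-bit group, and hashing the raw secret with SHA-256 to obtain an AES key are assumptions; all parties run in one process, so no public key is authenticated here.

```java
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import javax.crypto.KeyAgreement;
import javax.crypto.SecretKey;
import javax.crypto.interfaces.DHPublicKey;
import javax.crypto.spec.DHParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class DhAgreementDemo {

    // The first party chooses the group (params == null); everyone else reuses it.
    static KeyPair newKeyPair(DHParameterSpec params) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DH");
        if (params == null) {
            kpg.initialize(2048);
        } else {
            kpg.initialize(params);
        }
        return kpg.generateKeyPair();
    }

    static KeyAgreement start(KeyPair own) throws Exception {
        KeyAgreement ka = KeyAgreement.getInstance("DH");
        ka.init(own.getPrivate());
        return ka;
    }

    // Assumption of this example: SHA-256 over the raw secret, a minimal
    // stand-in for a standard key derivation function.
    static SecretKey toAesKey(byte[] shared) throws Exception {
        return new SecretKeySpec(MessageDigest.getInstance("SHA-256").digest(shared), "AES");
    }

    // One other party: a single doPhase call with lastPhase = true on each side.
    static boolean twoParty(KeyPair alice, KeyPair bob) throws Exception {
        KeyAgreement a = start(alice);
        KeyAgreement b = start(bob);
        a.doPhase(bob.getPublic(), true);
        b.doPhase(alice.getPublic(), true);
        SecretKey ka = toAesKey(a.generateSecret());
        SecretKey kb = toAesKey(b.generateSecret());
        return MessageDigest.isEqual(ka.getEncoded(), kb.getEncoded());
    }

    // Two other parties: doPhase(..., false) returns an intermediate key that is
    // handed to the next party, who finishes with doPhase(..., true).
    static boolean threeParty(KeyPair alice, KeyPair bob, KeyPair carol) throws Exception {
        KeyAgreement a = start(alice);
        KeyAgreement b = start(bob);
        KeyAgreement c = start(carol);

        Key ac = a.doPhase(carol.getPublic(), false); // Alice -> Bob
        Key ba = b.doPhase(alice.getPublic(), false); // Bob   -> Carol
        Key cb = c.doPhase(bob.getPublic(), false);   // Carol -> Alice

        a.doPhase(cb, true);
        b.doPhase(ac, true);
        c.doPhase(ba, true);

        byte[] sa = a.generateSecret();
        byte[] sb = b.generateSecret();
        byte[] sc = c.generateSecret();
        return MessageDigest.isEqual(sa, sb) && MessageDigest.isEqual(sb, sc);
    }

    public static void main(String[] args) throws Exception {
        KeyPair alice = newKeyPair(null);
        DHParameterSpec params = ((DHPublicKey) alice.getPublic()).getParams();
        KeyPair bob = newKeyPair(params);
        KeyPair carol = newKeyPair(params);

        System.out.println("two-party keys match:   " + twoParty(alice, bob));
        System.out.println("three-party keys match: " + threeParty(alice, bob, carol));
    }
}
```

Over a network, each received public key has to be authenticated (for example with a signature) before it is passed to doPhase, since the agreement itself does not identify the sender.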

Key agreement for a Chat Application

The sample application:

KeyAgreementClient.java

KeyAgreementServer.java

Next

Message digest, Digital signatures & Certificates (GS 6)
