Cryptography & Network Security Exercise 2

Cryptography & Network Security Exercise 2

MSc. NGUYEN CAO DAT

BKTP.HCM

Cryptography & Network SecurityTrương ĐHBK TP.HCM - Khoa Khoa hoc & Ky thuât may tinh

2009

Goals

Learn about JCA (Java Cryptography Architecture)

Understand the JCE (Java Cryptography Extension)

How to use Java Crypto API’s How to use Java BigInteger class

BKTP.HCM


2009

References

[1].Java Cryptography, Jonathan Knudsen, O'Reilly Media, 2010.

[2].http://download.oracle.com/javase/1.4.2/docs/guide/security/CryptoSpec.html

[3].http://download.oracle.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html

[4].http://download.oracle.com/javase/1.4.2/docs/api/java/math/BigInteger.html

BKTP.HCM


2009

Introduction (1/2)• JDK Security API

• Core API for Java• Built around the java.security package

• First release of JDK Security introduced "Java Cryptography Architecture" (JCA)• Framework for accessing and developing cryptographic

functionality• JCA encompasses

• Parts of JDK 1.2 Security API related to cryptography• Architecture that allows for multiple and interoperable

cryptography implementations

BKTP.HCM


2009

Introduction (2/2)• The Java Cryptography Extension (JCE)

• Extends JCA -> javax.crypto.*• Includes APIs for encryption, key exchange, and Message

Authentication Code (MAC) • Multiple “providers” supported• Keys & certificates in “keystore” database

BKTP.HCM


2009

Design Principles• Implementation independence and interoperability

• "provider“ based architecture• Set of packages implementing cryptographic services • Programs request a particular type of object• Various implementations working together, use each other's

keys, or verify each other's signatures

• Algorithm independence and extensibility • Cryptographic classes providing the functionality• Classes are called engine classes, example Signature• Addition of new algorithms straight forward

BKTP.HCM


2009

Architecture (1/2)

BKTP.HCM


2009

Architecture (2/2)

•Cryptographic Service Providers• Sun, SunJSSE, SunJCE, SunRsaSign• SUN provider (default)• JCA provides APIs to query providers and

services•Key management

▫ “keystore” database: keys and certificates▫Available to applications

Authentication Signing

BKTP.HCM


2009

JCA Overview

•Core classes and interfaces related to Java cryptography•Contains 2 provider classes that are used to manage and maintain the service providers

•Provider: class that represents a cryptographic service provider•Security: class that manages the installed providers and their security properties

•Contains a number of engine classes which are used to interface with cryptographic services

BKTP.HCM


2009

JCA Engine Classes• MessageDigest: used to implement one-way hash functions such

as MD5 or SHA• Signature: used to implement digital signatures• KeyPairGenerator: used to create public/private key pairs for

different algorithms• KeyFactory: used to convert keys into key specifications and then

vice-versa• CertificateFactory: used to generate certificates• KeyStore: used to create a keystore which maintains keys and

certificates in memory for later usage• AlgorithmParameters: used to maintain the security parameters

for specific algorithms• AlgorithmParameterGenerator: used to create a set of

parameters to be used for specific algorithms• SecureRandom: used to create random or pseudo-random numbers

BKTP.HCM


2009

JCA Examples (1/2)

Create Message Digestbyte[] dataBytes = “This is test data”.getBytes(); MessageDigest md = MessageDigest.getInstance("SHA1"); md.update(dataBytes); byte[] digest = md.digest();

•First, the test data is populated. •Second, a concrete message digest object is created with SHA1 as the cryptographic algorithm•Third, the message digest object is updated; i.e. the digest is updated using the current bytes•Finally, the digest method completes the algorithm• JcaMessageDigest.java

BKTP.HCM


2009

JCA Examples (2/2)Create Keystore

KeyStore ks = KeyStore.getInstance("JCEKS"); ks.load(null,password.toCharArray()); java.io.FileOutputStream fos = new java.io.FileOutputStream(keyFilePath);ks.store(fos, password.toCharArray()); fos.close();

•First, create the concrete KeyStore object. •Second, load “ks” with a null input•Third, create the output stream to save the file. •Fourth, the store method saves the KeyStore to the file specified and protects it with the password•Finally, close the output stream. •JcaCertificateTest.java

BKTP.HCM


2009

JCE Overview

•Originally created as an optional extension package for cryptographic services subject to U.S. export controls•Uses JCA’s “provider” and “security” classes to manage its service providers•Comprised of all “engine” classes

BKTP.HCM


2009

JCE Engine Classes• Cipher: provides encryption and decryption functionality• CipherInputStream & CipherOutputStream: used as a

convenient way to encrypt or decrypt information using streams

• Mac: used to check the integrity of messages based on a secret key

• KeyGenerator: used to generate symmetric keys• SecretKeyFactory: similar to the KeyFactory of JCA which

converts keys into key specifications and vice-versa • SealedObject: used to create a serialized object which is

protected using cryptography• KeyAgreement: provides functionality to use a key

agreement protocol• Interfaces: provides interfaces for Diffie-Hellman keys• Spec: similar to algorithmParamaters of JCA which provides

key and parameter specifications for different algorithms

BKTP.HCM


2009

JCE Examples (1/2)

Generate Secret KeyKeyGenerator kg = KeyGenerator.getInstance(“DES”); SecretKey sKey = kg.generateKey();

•A secret key is used for symmetric encryption/decryption•First, create a concrete key generator object; in this case a DES key•Second, create a SecretKey object and call the generateKey method of the KeyGenerator object to retrieve the key•JceSecretKeyTest.java

BKTP.HCM


2009

JCE Examples (2/2)

Encryptbyte[] testdata = “Understanding Java Cryptography”.getBytes(); Cipher myCipher = Cipher.getInstance("DES/ECB/PKCS5Padding"); myCipher.init(Cipher.ENCRYPT_MODE, sKey); byte[] cipherText = myCipher.doFinal(testdata);

•First, load some test data. •Second, create a concrete Cipher object•Third, initialize the cipher with the secret key for encryption•Finally, the doFinal method actually encrypts the data

BKTP.HCM


2009

Examples

• An application to encrypt text files• An application to decrypt text files

BKTP.HCM


2009

Provider Class• Providers are installed in a given preference order,

the order in which the provider list is searched if a specific provider is not requested.

• Example▫ PROVIDER1

SHA1withDSA, SHA-1, MD5, DES, and DES3 Preference order 1

▫ PROVIDER2 SHA1withDSA, MD2, MD5, RC4, and RSA Preference order 2Signature dsa =

Signature.getInstance("SHA1withDSA","PROVIDER_2");

BKTP.HCM


2009

Installing Providers• Installing the Provider Classes (two ways)

• Place a zip or JAR file containing the classes anywhere in your classpath.

• Supply your provider JAR file as an "installed" or "bundled" extension.

• Configuring the Provider• Add the provider to your list of approved providers• Static method

• Edit the java.security file in the lib/security directory of the SDK

security.provider.n=masterClassName

BKTP.HCM


2009

Security class• Manage installed providers and security-wide

properties• Only static methods and never instantiated• The methods for adding or removing providers,

and for setting Security properties.• Can only be executed by a trusted program, that

is:▫ Local application not running a security manager▫ An applet or application with permission

BKTP.HCM


2009

Java BigInteger class (1/3)• Constructor

public BigInteger(String val) throws NumberFormatException

• Example BigInteger m = new

BigInteger(“92387569832653429874569286898623498”)

BKTP.HCM


2009

Java BigInteger class (2/3)

• Methodspublic BigInteger add(BigInteger val)public BigInteger subtract(BigInteger val)public BigInteger multiply(BigInteger val)public BigInteger divide(BigInteger val) throws

ArithmeticExceptionpublic BigInteger remainder(BigInteger

val)throws ArithmeticException

BKTP.HCM


2009

Java BigInteger class (3/3)

•Others methodspublic BigInteger modPow(BigInteger e, BigInteger m) : a^e (mod m)public BigInteger modInverse(BigInteger m) throws ArithmeticException:public BigInteger shiftLeft(int n)public BigInteger shiftRight(int n)

• Example

BKTP.HCM


2009

Exercises

1. Run the programs above2. Check if you can supply a key as user input?3. What other encryption algorithms you may use?

And Try them.4. Write a java program to retrieve the HTML file at

URL http://www.cse.hcmut.edu.vn/ , encrypt the contents and store it into a local file “index.enc”, then decrypt the file “index.enc” and store it into a local file “index.dec”.

5. Try to encrypt your emails sent to your friends.

Documents

Cryptography & Network Security Exercise 2