Cryptography & Network Security Exercise 2
MSc. NGUYEN CAO DAT
BKTP.HCM
Cryptography & Network Security
Ho Chi Minh City University of Technology (Trường ĐHBK TP.HCM) - Faculty of Computer Science & Engineering
2009
Goals
Learn about JCA (Java Cryptography Architecture)
Understand the JCE (Java Cryptography Extension)
How to use the Java Crypto APIs
How to use the Java BigInteger class
Introduction (1/2)
• JDK Security API
  • Core API for Java
  • Built around the java.security package
  • First release of JDK Security introduced the "Java Cryptography Architecture" (JCA)
  • Framework for accessing and developing cryptographic functionality
• JCA encompasses
  • Parts of the JDK 1.2 Security API related to cryptography
  • Architecture that allows for multiple and interoperable cryptography implementations
Introduction (2/2)
• The Java Cryptography Extension (JCE)
  • Extends JCA -> javax.crypto.*
  • Includes APIs for encryption, key exchange, and Message Authentication Code (MAC)
  • Multiple "providers" supported
  • Keys & certificates in a "keystore" database
Design Principles
• Implementation independence and interoperability
  • "provider"-based architecture
  • Set of packages implementing cryptographic services
  • Programs request a particular type of object
  • Various implementations work together, use each other's keys, or verify each other's signatures
• Algorithm independence and extensibility
  • Cryptographic classes providing the functionality
  • Classes are called engine classes, for example Signature
  • Addition of new algorithms is straightforward
Architecture (1/2)
Architecture (2/2)
• Cryptographic Service Providers
  • Sun, SunJSSE, SunJCE, SunRsaSign
  • SUN provider (default)
  • JCA provides APIs to query providers and services
• Key management
  ▫ "keystore" database: keys and certificates
  ▫ Available to applications
[diagram labels: Authentication, Signing]
JCA Overview
• Core classes and interfaces related to Java cryptography
• Contains 2 provider classes that are used to manage and maintain the service providers
  • Provider: class that represents a cryptographic service provider
  • Security: class that manages the installed providers and their security properties
• Contains a number of engine classes which are used to interface with cryptographic services
JCA Engine Classes
• MessageDigest: used to implement one-way hash functions such as MD5 or SHA
• Signature: used to implement digital signatures
• KeyPairGenerator: used to create public/private key pairs for different algorithms
• KeyFactory: used to convert keys into key specifications and vice-versa
• CertificateFactory: used to generate certificates
• KeyStore: used to create a keystore which maintains keys and certificates in memory for later usage
• AlgorithmParameters: used to maintain the security parameters for specific algorithms
• AlgorithmParameterGenerator: used to create a set of parameters to be used for specific algorithms
• SecureRandom: used to create random or pseudo-random numbers
JCA Examples (1/2)
Create Message Digest
    byte[] dataBytes = "This is test data".getBytes();          // input to be hashed
    MessageDigest md = MessageDigest.getInstance("SHA1");      // engine for the SHA-1 algorithm
    md.update(dataBytes);                                      // feed the data (may be repeated)
    byte[] digest = md.digest();                               // finish and return the hash
• First, the test data is populated.
• Second, a concrete message digest object is created with SHA1 as the cryptographic algorithm.
• Third, the message digest object is updated; i.e. the digest is updated using the current bytes.
• Finally, the digest method completes the algorithm.
• JcaMessageDigest.java
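An added example (not the slides' JcaMessageDigest.java) that extends the snippet above: it hashes the same input in one call and in several update() calls, hex-encodes the result, and compares digests with MessageDigest.isEqual rather than Arrays.equals. The standard algorithm name "SHA-1" is used; "SHA1" on the slide is an alias accepted by the SUN provider.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class JcaDigestDemo {

    // Hex-encode a digest so it can be printed, logged or stored.
    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    // update() may be called any number of times before digest();
    // the result equals the hash of the concatenated input.
    static byte[] digestInChunks(String algorithm, byte[]... chunks)
            throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        for (byte[] chunk : chunks) {
            md.update(chunk);
        }
        return md.digest(); // also resets the engine for reuse
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input, the same text as on the slide.
        byte[] data = "This is test data".getBytes(StandardCharsets.UTF_8);
        byte[] whole = digestInChunks("SHA-1", data);
        byte[] split = digestInChunks("SHA-1",
                "This is ".getBytes(StandardCharsets.UTF_8),
                "test data".getBytes(StandardCharsets.UTF_8));

        System.out.println("SHA-1  : " + toHex(whole));
        System.out.println("SHA-256: " + toHex(digestInChunks("SHA-256", data)));
        // MessageDigest.isEqual compares without stopping at the first
        // differing byte; use it when checking a received digest or MAC.
        System.out.println("chunked == whole: " + MessageDigest.isEqual(whole, split));
    }
}
```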
JCA Examples (2/2)
Create Keystore
    KeyStore ks = KeyStore.getInstance("JCEKS");
    ks.load(null, password.toCharArray());
    java.io.FileOutputStream fos = new java.io.FileOutputStream(keyFilePath);
    ks.store(fos, password.toCharArray());
    fos.close();
• First, create the concrete KeyStore object.
• Second, load "ks" with a null input.
• Third, create the output stream to save the file.
• Fourth, the store method saves the KeyStore to the file specified and protects it with the password.
• Finally, close the output stream.
• JcaCertificateTest.java
JCE Overview
• Originally created as an optional extension package for cryptographic services subject to U.S. export controls
• Uses JCA's "provider" and "security" classes to manage its service providers
• Comprised of all "engine" classes
JCE Engine Classes
• Cipher: provides encryption and decryption functionality
• CipherInputStream & CipherOutputStream: used as a convenient way to encrypt or decrypt information using streams
• Mac: used to check the integrity of messages based on a secret key
• KeyGenerator: used to generate symmetric keys
• SecretKeyFactory: similar to the KeyFactory of JCA, which converts keys into key specifications and vice-versa
• SealedObject: used to create a serialized object which is protected using cryptography
• KeyAgreement: provides functionality to use a key agreement protocol
• Interfaces: provides interfaces for Diffie-Hellman keys
• Spec: similar to AlgorithmParameters of JCA, which provides key and parameter specifications for different algorithms
JCE Examples (1/2)
Generate Secret Key
    KeyGenerator kg = KeyGenerator.getInstance("DES");   // key generator for the DES algorithm
    SecretKey sKey = kg.generateKey();                   // fresh random key
• A secret key is used for symmetric encryption/decryption.
• First, create a concrete key generator object; in this case for a DES key.
• Second, create a SecretKey object by calling the generateKey method of the KeyGenerator object to retrieve the key.
• JceSecretKeyTest.java
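An added example (not the slides' JceSecretKeyTest.java or JcaCertificateTest.java) that joins the two preceding slides: the generated DES key is stored as a SecretKeyEntry in a JCEKS keystore, the keystore is written to disk, reloaded, and the key compared. The password and file name are constructed sample values.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.util.Arrays;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class JceKeyStoreDemo {
    public static void main(String[] args) throws Exception {
        char[] password = "changeit".toCharArray();   // constructed sample password
        String keyFilePath = "exercise2.jceks";       // assumed output file name
        String alias = "des-key";

        // 1. Generate a DES key exactly as on the slide.
        KeyGenerator kg = KeyGenerator.getInstance("DES");
        SecretKey sKey = kg.generateKey();

        // 2. Create an empty keystore. JCEKS is used because, unlike JKS,
        //    it can hold SecretKey entries, not only private keys and certificates.
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, password);
        ks.setEntry(alias, new KeyStore.SecretKeyEntry(sKey),
                new KeyStore.PasswordProtection(password));
        try (FileOutputStream fos = new FileOutputStream(keyFilePath)) {
            ks.store(fos, password);   // integrity-protected with the password
        }

        // 3. Reload the file and check that the same key comes back.
        KeyStore loaded = KeyStore.getInstance("JCEKS");
        try (FileInputStream fis = new FileInputStream(keyFilePath)) {
            loaded.load(fis, password);   // wrong password -> IOException
        }
        SecretKey back = (SecretKey) loaded.getKey(alias, password);
        System.out.println("algorithm : " + back.getAlgorithm());
        System.out.println("same key  : " + Arrays.equals(sKey.getEncoded(), back.getEncoded()));
    }
}
```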
JCE Examples (2/2)
Encrypt
    byte[] testdata = "Understanding Java Cryptography".getBytes();  // plaintext
    Cipher myCipher = Cipher.getInstance("DES/ECB/PKCS5Padding");    // algorithm/mode/padding
    myCipher.init(Cipher.ENCRYPT_MODE, sKey);                        // key from the previous slide
    byte[] cipherText = myCipher.doFinal(testdata);                  // encrypt in one step
• First, load some test data.
• Second, create a concrete Cipher object.
• Third, initialize the cipher with the secret key for encryption.
• Finally, the doFinal method actually encrypts the data.
Examples
• An application to encrypt text files
• An application to decrypt text files
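An added example (not the slides' own applications) of the file encrypt/decrypt pair, using CipherOutputStream with the slide's "DES/ECB/PKCS5Padding" transformation and a round-trip check; the file names are constructed and the key is only kept in memory for the run. Two caveats a practitioner should know: ECB mode leaks repeated plaintext blocks, and CipherOutputStream.close() does not raise a padding error for a plain block cipher, so decrypting with a wrong key yields garbage rather than an exception.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import javax.crypto.Cipher;
import javax.crypto.CipherOutputStream;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class FileCryptDemo {
    static final String TRANSFORM = "DES/ECB/PKCS5Padding";   // as on the slides

    // Encrypt or decrypt a whole file by pumping it through a CipherOutputStream.
    // mode is Cipher.ENCRYPT_MODE or Cipher.DECRYPT_MODE; the same code serves both.
    static void transform(int mode, SecretKey key, String inPath, String outPath)
            throws Exception {
        Cipher cipher = Cipher.getInstance(TRANSFORM);
        cipher.init(mode, key);
        try (InputStream in = new FileInputStream(inPath);
             OutputStream out = new CipherOutputStream(new FileOutputStream(outPath), cipher)) {
            byte[] buf = new byte[4096];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);   // close() calls doFinal() and flushes the last padded block
            }
        }
    }

    public static void main(String[] args) throws Exception {
        SecretKey key = KeyGenerator.getInstance("DES").generateKey();

        // Constructed sample plaintext written to a scratch file (file names assumed).
        Files.write(Paths.get("index.html"),
                "Understanding Java Cryptography\n".getBytes(StandardCharsets.UTF_8));
        transform(Cipher.ENCRYPT_MODE, key, "index.html", "index.enc");
        transform(Cipher.DECRYPT_MODE, key, "index.enc", "index.dec");

        byte[] original = Files.readAllBytes(Paths.get("index.html"));
        byte[] decrypted = Files.readAllBytes(Paths.get("index.dec"));
        System.out.println("ciphertext bytes: " + Files.size(Paths.get("index.enc")));
        System.out.println("round trip ok   : " + java.util.Arrays.equals(original, decrypted));
    }
}
```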
Provider Class
• Providers are installed in a given preference order, the order in which the provider list is searched if a specific provider is not requested.
• Example
  ▫ PROVIDER1: SHA1withDSA, SHA-1, MD5, DES, and DES3 (preference order 1)
  ▫ PROVIDER2: SHA1withDSA, MD2, MD5, RC4, and RSA (preference order 2)
    Signature dsa = Signature.getInstance("SHA1withDSA", "PROVIDER_2");
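An added example (not from the slides) that shows the preference order in practice: it lists the installed providers, asks which of them implement a given service, and checks which provider a plain getInstance() call resolves to. The provider name "PROVIDER_2" is taken from the slide and is not expected to be installed, so the last call demonstrates the resulting NoSuchProviderException.

```java
import java.security.NoSuchProviderException;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;

public class ProviderQueryDemo {
    public static void main(String[] args) throws Exception {
        // Installed providers, in preference order (index matches security.provider.n).
        Provider[] all = Security.getProviders();
        for (int i = 0; i < all.length; i++) {
            System.out.println((i + 1) + ". " + all[i].getName()
                    + " (" + all[i].getServices().size() + " services)");
        }

        // Providers offering a given service, still in preference order.
        // Filter syntax is "<engine type>.<algorithm>".
        String[] filters = {"Signature.SHA1withDSA", "Cipher.DES", "MessageDigest.SHA-1"};
        for (String filter : filters) {
            Provider[] matching = Security.getProviders(filter);   // null when nobody offers it
            StringBuilder names = new StringBuilder();
            if (matching != null) {
                for (Provider p : matching) names.append(p.getName()).append(' ');
            }
            System.out.println(filter + " -> " + (matching == null ? "(none)" : names));
        }

        // Without a provider argument, the first provider in the list that
        // implements the algorithm is chosen.
        Signature dsa = Signature.getInstance("SHA1withDSA");
        System.out.println("SHA1withDSA resolved to: " + dsa.getProvider().getName());

        // Naming a provider that is not installed fails instead of falling back.
        try {
            Signature.getInstance("SHA1withDSA", "PROVIDER_2");
        } catch (NoSuchProviderException e) {
            System.out.println("PROVIDER_2 not installed: " + e.getMessage());
        }
    }
}
```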
Installing Providers
• Installing the Provider Classes (two ways)
  • Place a zip or JAR file containing the classes anywhere in your classpath.
  • Supply your provider JAR file as an "installed" or "bundled" extension.
• Configuring the Provider
  • Add the provider to your list of approved providers
  • Static method: edit the java.security file in the lib/security directory of the SDK
        security.provider.n=masterClassName
Security class
• Manages installed providers and security-wide properties
• Only static methods; never instantiated
• The methods for adding or removing providers, and for setting Security properties, can only be executed by a trusted program, that is:
  ▫ A local application not running a security manager
  ▫ An applet or application with permission
Java BigInteger class (1/3)
• Constructor
    public BigInteger(String val) throws NumberFormatException
• Example
    BigInteger m = new BigInteger("92387569832653429874569286898623498");
Java BigInteger class (2/3)
• Methods
    public BigInteger add(BigInteger val)
    public BigInteger subtract(BigInteger val)
    public BigInteger multiply(BigInteger val)
    public BigInteger divide(BigInteger val) throws ArithmeticException
    public BigInteger remainder(BigInteger val) throws ArithmeticException
Java BigInteger class (3/3)
• Other methods
    public BigInteger modPow(BigInteger e, BigInteger m) : a^e (mod m)
    public BigInteger modInverse(BigInteger m) throws ArithmeticException : a^-1 (mod m)
    public BigInteger shiftLeft(int n)
    public BigInteger shiftRight(int n)
• Example
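An added example (not the slides' own) that exercises modPow, modInverse and shiftLeft together in textbook RSA: a key is built from two probable primes, d is obtained with modInverse, and a message is encrypted and recovered with modPow. This is unpadded RSA for illustrating the BigInteger methods only; the key size and the message (the number from slide 1/3) are sample values, and real applications use KeyPairGenerator and Cipher "RSA" with proper padding.

```java
import java.math.BigInteger;
import java.security.SecureRandom;

public class BigIntegerRsaDemo {
    // Public modulus n, public exponent e, private exponent d.
    static final class Key {
        final BigInteger n, e, d;
        Key(BigInteger n, BigInteger e, BigInteger d) { this.n = n; this.e = e; this.d = d; }
    }

    static Key keygen(int bits, SecureRandom rnd) {
        BigInteger e = BigInteger.valueOf(65537);
        while (true) {
            BigInteger p = BigInteger.probablePrime(bits / 2, rnd);
            BigInteger q = BigInteger.probablePrime(bits / 2, rnd);
            BigInteger phi = p.subtract(BigInteger.ONE).multiply(q.subtract(BigInteger.ONE));
            // modInverse throws ArithmeticException when gcd(e, phi) != 1,
            // so check first and draw new primes in that (rare) case.
            if (p.equals(q) || !e.gcd(phi).equals(BigInteger.ONE)) continue;
            BigInteger d = e.modInverse(phi);      // d = e^-1 (mod phi(n))
            return new Key(p.multiply(q), e, d);
        }
    }

    public static void main(String[] args) {
        SecureRandom rnd = new SecureRandom();     // JCA engine class used as the prime source
        Key k = keygen(512, rnd);                  // sample size, far too small for real use

        BigInteger m = new BigInteger("92387569832653429874569286898623498");
        if (m.compareTo(k.n) >= 0) throw new IllegalStateException("message must be < n");

        BigInteger c = m.modPow(k.e, k.n);         // c = m^e (mod n)
        BigInteger back = c.modPow(k.d, k.n);      // m = c^d (mod n)
        System.out.println("n bit length: " + k.n.bitLength());
        System.out.println("ciphertext  : " + c);
        System.out.println("recovered   : " + back.equals(m));

        // shiftLeft(n) multiplies by 2^n; shiftRight(n) divides by 2^n (floor).
        System.out.println("m << 3 == m*8: "
                + m.shiftLeft(3).equals(m.multiply(BigInteger.valueOf(8))));
    }
}
```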
Exercises
1. Run the programs above.
2. Check whether you can supply a key as user input.
3. What other encryption algorithms may you use? Try them.
4. Write a Java program to retrieve the HTML file at URL http://www.cse.hcmut.edu.vn/ , encrypt the contents and store it into a local file "index.enc", then decrypt the file "index.enc" and store it into a local file "index.dec".
5. Try to encrypt your emails sent to your friends.