Network Sevurity and Cryptography

Download Report

Transcript Network Sevurity and Cryptography 

Homework
Study Java Cryptography
by
Reading the rest of slides
and
accessing Sun’s Java website:
http://java.sun.com
1
Goals




Learn about JAVA Crypto Architecture
How to use JAVA Crypto API’s
Understand the JCE (Java Cryptography Extension)
Be able to use java crypto functions (meaningfully) in your
code
 JAAS (Java Authentication and Authorization Service)
(Refer Java web site for JAAS details)
 JSSE (Java Secure Socket Extension)
(Refer Java web site for JSSE details)
2
Introduction

JDK Security API



First release of JDK Security introduced "Java Cryptography Architecture" (JCA)


Framework for accessing and developing cryptographic functionality
JCA encompasses



Core API for Java
Built around the java.security package
Parts of JDK 1.2 Security API related to cryptography
Architecture that allows for multiple and interoperable cryptography implementations
The Java Cryptography Extension (JCE) extends JCA

Includes APIs for encryption, key exchange, and Message Authentication Code (MAC)
3
Java Cryptography Extension (JCE)
 Adds encryption, key exchange, key generation, message
authentication code (MAC)


Multiple “providers” supported
Keys & certificates in “keystore” database
 Separate due to export control
4
JCE Architecture
App 1
API
App 2
JCE:
Cipher
KeyAgreement
KeyGenerator
SecretKeyFactory
MAC
SPI
CSP 1
CSP 2
5
Design Principles

Implementation independence and interoperability





"provider“ based architecture
Set of packages implementing cryptographic services
•
digital signature algorithms
Programs request a particular type of object
Various implementations working together, use each other's keys, or verify each other's
signatures
Algorithm independence and extensibility



Cryptographic classes providing the functionality
Classes are called engine classes, example Signature
Addition of new algorithms straight forward
6
Building Blocks

Key

Certificate

Keystore

Message Digest

Digital Signature

SecureRandom

Cipher

MAC
7
Engine Classes and SPI




Interface to specific type of cryptographic service
Defines API methods to access cryptographic service
Actual implementation specific to algorithms
For example : Signature engine class

Provides access to the functionality of a digital signature algorithm

Actual implementation supplied by specific algorithm subclass

"Service Provider Interface" (SPI)

Each engine class has a corresponding abstract SPI class

Defines the Service Provider Interface to be used by implementors

SPI class is abstract - To supply implementation, provider must subclass
8
JCA Implementation
 SPI (Service Provider Interface)

say FooSpi
 Engine



Foo
Algorithm
MyAlgorithm
 Foo f = Foo.getInstance(MyAlgorithm);
9
General Usage
 No need to call constructor directly

Define the algorithm reqd.
 getInstance()

Initialize the keysize
 init() or initialize()


Use the Object
generateKey() or doFinal()
10
java.security classes











Key
KeyPair
KeyPairGenerator
KeyFactory
Certificate
CertificateFactory
Keystore
MessageDigest
Signature
SignedObject
SecureRandom
11
Key
 Types



SecretKey
PublicKey
PrivateKey
 Methods


getAlgorthm()
getEncoded()
 KeyPair= {PrivateKey, PublicKey}
12
KeyGenerator
 Generates instances of key

Requires Algorithm
 getInstance(algo)

Keylength, (random)
 Initialize(param, random)
 Generates required key/keypair
13
KeyFactory/SecretKeyFactory
 Converts a KeySpec into Keys



KeySpec
Depends on the algorithm
Usually a byte[] (DES)
 Could also be a set of numbers (DSA)
 Required when the key is encoded and transferred across
the network
14
Certificate
 Problem


Java.security.Certificate is an interface
Java.security.cert.Certificate is a class
 Which one to use when you ask for a Certificate?

Import only the correct type
 Avoid “import java.security.*”
 Use X509Certificate
15
KeyStore
 Access to a physical keystore
 Can import/export certificates


Can import keys from certificates
Certificate.getPublicKey()
 Certificate.getPrivateKey()
 Check for certificate validity
 Check for authenticity
16
keytool
 Reads/writes to a keystore
 Unique alias for each certificate
 Password Encrypted



Functionality
Import
Sign Request
 Export NOTE: Default is DSA !
17
Signature
 DSA, RSA



Obtain a Signature Object
getInstance(algo)
getInstance(algorithm,provider)
18
Signature (signing)

Initialize for signing

initSign(PrivateKey)


Give the data to be signed

update(byte [] input) and variations
doFinal(byte [] input) and variations


Sign
byte[] Signature.sign() NOTE: Signature does not contain the
actual signature
19
Signature (verifying)
 Initialize for verifying
 initVerify(PublicKey)


Give the data to be verifieded
update(byte [] input) and variations
 doFinal(byte [] input) and variations


Verify
boolean Signature.verify()
20
SignedObject

Signs and encapsulates a signed object


SignedObject(Serializable, Signature)



Recover
Object getContent()
byte[] getSignature()


Sign
Verify
Verify(PublicKey, Signature) ! Need to initialize the instance of the
signature
21
javax.crypto classes





Cipher
Mac
KeyGenerator
SecretKeyFactory
SealedObject
22
Cipher


DES, DESede, RSA, Blowfish, IDEA …

Obtain a Cipher Object

getInstance(algorithm/mode/padding)

or getInstance(algorithm)
or getInstance(algorithm, provider) eg “DES/ECB/NoPadding” or
“RSA”

Initialize

init(mode, key)

mode= ENCRYPT_MODE / DECRYPT_MODE
23
Cipher cont.
 Encrypt/Decrypt

byte[] update(byte [] input) and variations
 byte[] doFinal(byte [] input) and variations




Exceptions
NoSuchAlgorithmException
NoSuchPadding Exception
InvalidKeyException
24
SealedObject
 Encrypts and encapsulates an encrypted object

Encrypt
 SealedObject(Serializable, Cipher)


Recover
getObject(Cipher)
 or getObject(key) Cipher mode should be different!!
25
Wrapper Class : Crypto.java
 Adding a provider

public Crypto() { java.security.Security.addProvider(new
cryptix.provider.Cryptix());}
26
Enrcyption using RSA
public synchronized byte[] encryptRSA(Serializable obj, PublicKey kPub)
throws KeyException, IOException {
try {
Cipher RSACipher = Cipher.getInstance("RSA");
return encrypt(RSACipher, obj, kPub);
} catch (NoSuchAlgorithmException e) {
System.exit(1);
}
return null; }
27
Decryption using RSA
public synchronized Object decryptRSA(byte[] msgE, PrivateKey kPriv)
throws KeyException, IOException
{
try {
Cipher RSACipher = Cipher.getInstance("RSA");
return decrypt(RSACipher, msgE, kPriv);
} catch (NoSuchAlgorithmException e) {
System.exit(1);
}
return null; }
28
Creating a signature
public synchronized byte[] sign(byte[] msg, PrivateKey kPriv)
throws SignatureException, KeyException, IOException
{
// Initialize the signature object for signing
debug("Initializing signature.");
try {
Signature RSASig = Signature.getInstance("SHA-1/RSA/PKCS#1");
debug("Using algorithm: " + RSASig.getAlgorithm());
RSASig.initSign(kPriv);
RSASig.update(msg);
return RSASig.sign();
} catch (NoSuchAlgorithmException e) {
System.exit(1);
}
return null; }
29
Verifying a signature
public synchronized boolean verify(byte[] msg, byte[] sig, PublicKey kPub)
throws SignatureException, KeyException
{
// Initialize the signature object for verifying
debug("Initializing signature.");
try {
Signature RSASig = Signature.getInstance("SHA-1/RSA/PKCS#1");
RSASig.initVerify(kPub);
RSASig.update(msg);
return RSASig.verify(sig);
} catch (NoSuchAlgorithmException e) {
System.exit(1);
}
return false; }
30