Transcript MT311-15

MT311 Java Application
Development and Programming
Languages
Li Tak Sing (李德成)
Message Authentication Code
(MAC)



As we have mentioned earlier, we cannot
use the message digest alone to guarantee
the integrity of a message. We need to add
a secret key protection so that the resulting
string would also depends on the secret key.
Such an encrypted message digest is called
a message authentication code(MAC).
MAC protects the authentication and integrity
of a message.
MAC

When a user want to send a message, it would use
the secret key to produce a MAC of the message.
Then he/she sends the message and the MAC to the
receiver. The receiver would then use the same
secret key and the message to generate another
MAC. The two MACs would then be compared. If
they are the same, then the message is really from
the supposed sender and the message has not been
messed with by others.
message
keyed hash
message
keyed
hash
MAC
send to the recipient
compare
MAC
MAC
MAC

The followings are the steps to create an
MAC of a message:
–
–
–
–
–
create a secret key
create an Mac object
initialize the Mac object with the key
update the Mac object with the contents of the
message
get the MAC from the Mac object.
Create a secret key
KeyGenerator kg =
KeyGenerator.getInstance("HmacMD5");
SecretKey sk = kg.generateKey();
Note that the key is randomly generated. So
different key would be generated if the
generateKey is invoked for many times. So if
you want to share this key, you need to save
the key to a file and then share the file.
Create an Mac object
Mac mac = Mac.getInstance("HmacMD5");
Initialize the Mac object with the
key
mac.init(sk);
update the Mac object with the
contents of the message
mac.update(buf);
where buf is an array of bytes. You can call
this method as many times as you wish.
get the MAC from the Mac object.
byte[] result=mac.doFinal();
The MD5 program
KeyGenerator kg =
KeyGenerator.getInstance("HmacMD5");
SecretKey sk = kg.generateKey();
Mac mac = Mac.getInstance("HmacMD5");
mac.init(sk);
mac.update(buf);
byte[] result=mac.doFinal();
Public key method


In the secret key method, there is a problem
in distributing the key because both the
sender and recipient need to have the same
key.
It is possible that the key is intercepted when
it is transmitted from one person to another.
Public key method



The public key method, you need a pair of
keys to perform the encryption and
decryption process. The two keys are called
public key and private key. You cannot
deduce the private key from the public key.
When a message is encrypted with the public
key, it must be decrypted with the private key.
When a message is decrypted with the
private key, it must be decrypted with the
public key.
Public key methods

A user first generates a key pair that consists
of a public key and private key. He/she now
informs others about the public key. Then
anybody can now encrypt a message with
the public key and send the encrypted
message to the user. Now, the user can
decrypt the message with the private key.
Public key methods


Note that the public key does not have to be
send over a secured channel because any
one who knows the public key would still not
be able to decrypt any message that has
been encrypted with the public key.
The method protects the confidentiality of the
message.
Java classes for the public key
methods


Most java classes for the public key methods
are in the package java.security.
KeyPairGenerator
–
the static method
static public KeyPairGenerator getInstance(String)
would return a KeyPairGenerator with the
specified method. The most popular method is
RSA. So the following statement get a RSA
public key generator:
encrypted
with public
encrypted
key
message
decrypted
with private
encrypted key
original
message
message
encrypted
with private
original key
encrypted
message
message
decrypted
with public
encrypted key
original
message
message
original
message
Java classes for the public key
methods
KeyPairGenerator generator=KeyPairGenerator("RSA");

The following method of KeyPairGenerator
would initial the KeyPairGenerator to
generate a key of the specified byte length:
public void initialize(int length)
For example, the following statement would
initialize a KeyPairGenerator to generate a
key of size 2048 bits long:
generator.initialize(2048);
Java classes for the public key
methods



The following statement create a key pair:
KeyPair key=generator.generateKeyPair();
The following statement finds the public key:
PublicKey publicKey=key.getPublic();
The following statement finds the private key:
Privatekey privatekey=key.getPrivate();
Java classes for the public key
methods


After obtaining the key pair, we can use
Cipher to encode or decode a message like
what we have done in the secret key
algorithm.
The following statement initializes a Cipher to
be used to encrypt a message using the
private key:
Cipher cipher=Cipher.getInstance("RSA");
cipher.init(Cipher.ENCRYPT_MODE,
key.getPrivate());
Java classes for the public key
methods

The following statement initializes a Cipher to
be used to encrypt a message using the
public key:
Cipher cipher=Cipher.getInstance("RSA");
cipher.init(Cipher.ENCRYPT_MODE,
key.getPublic());
Java classes for the public key
methods

The following statement initializes a Cipher to
be used to decrypt a message using the
private key:
Cipher cipher=Cipher.getInstance("RSA");
cipher.init(Cipher.DECRYPT_MODE,
key.getPivate());
Java classes for the public key
methods

The following statement initializes a Cipher to
be used to decrypt a message using the
public key:
Cipher cipher=Cipher.getInstance("RSA");
cipher.init(Cipher.DECRYPT_MODE,
key.getPublic());
Java classes for the public key
methods


Then, we can use the update and doFinal
method Cipher to encrypt or decrypt the
message.
If the message is short, we can simply use
the doFinal straight away to decrypt the
message.
Digital signature

When you receive a message from a person,
how do you be sure that the message is
really from that person? This can be done by
using digital signature.
Digital signature


A digital signature is like a MAC but the key
used is the private key of the key pair.
To produce a digital signature, we first create
a message digest and then encrypt the
message digest with the private key of the
message. We would say that we sign the
message with the private key.
Digital signature


Then, the sender would send the message
together with the digital signature.
The receiver would then first use the public
key of the sender to decrypt the digital
signature and then get back the message
digest. The receiver then calculate another
message digest from the message.
Digital signature

If the two digital digests match, then we can
sure of two things:
–
–
integrity. That is the message has not been
changed by another person.
authentication. The message is really from the
supposed sender because only he/she has the
private key.
message
hash
message
digital
digest
encrypt signature
with
private
key
message
send to
the recipient
hash
message
digest
compare
digital
signature
decrypt
with
public
key
message
digest
Java classes to create a digital
signature
First we create a key pair first like what we did
for the public key method. However, we
would specify that we want to use the DSA
algorithm which is a digital signature
algorithm:
KeyPairGenerator kpg =
KeyPairGenerator.getInstance("DSA");
Java classes to create a digital
signature

Then, we initialize the key as before:
kpg.initialize(1024);

Then, we can use this key pair generator to
generate a key pair:
KeyPair keyPair=kpg.generateKeyPair();
Java classes to create a digital
signature

We can then get the public key and private
key of the key pair:
PublicKey publicKey=keyPair.getPublic();
PrivateKey privateKey=keyPair.getPrivate();

You should then save the two keys to a files
and send the public key to your recipients.
Java classes to create a digital
signature

Now, assume that we want to create a digital
signature of a message.
Signature sig=Signature.getInstance("DSA");
sig.initSign(privateKey);

Then, you can use the update method of
Signature to check the contents of the
message:
sig.update(message);
Java classes to create a digital
signature


The digital signature is generated by invoked
by the method sign:
sig.sign();
This method returns an array of bytes which
is the digital signature of the message.
To verify a signature, we need the following
statements:
Signature sig=Signature.getInstance("DSA");
sig.initVerify(publicKey);
Java classes to create a digital
signature

Then, we use the update method of
signature to put in the content of the
message just like what we did when we
generated the digitial message.
sig.update(message);
Java classes to create a digital
signature

Then, we can check whether the message
has been correctly signed by invoking the
method verify of Signature:
sig.verify();
This method would return true or false
depending on whether the message has
been correctly signed or not.