Case Study: A Forensic Lesson for Web Security (MSS, part one)
Download
Report
Transcript Case Study: A Forensic Lesson for Web Security (MSS, part one)
GS: Chapter 5
Asymmetric Encryption in
Java
csci5233 Computer Security
1
Topics
A.
Ciphers, modes and padding
B.
Asymmetric encryption in Java
C.
Session key encryption
D.
File encryption/decryption using RSA
E.
Key agreement
csci5233 Computer Security
2
Ciphers, Modes and Padding
The ECB (Electronic Code Book) mode encrypts the
plaintext a block at a time.
Asymmetric ciphers are almost always used in ECB mode.
Why?
The block size is usually almost equal to the size of the
key.
Example: 1024-bit RSA ~= data block of 117 bytes
csci5233 Computer Security
3
Ciphers, Modes and Padding
When the size of the data is less than the size of the block,
padding is needed.
RSA uses two forms of padding:
PKCS#1 – the standard form of padding in RSA; insecure when used for
encrypting plaintext with obvious patterns in it (like English text)
OAEP (Optimal Asymmetric Encryption Padding) – an improvement on
PKCS#1.
csci5233 Computer Security
4
Asymmetric encryption in Java
The steps of using asymmetric encryption in
Java is similar to using symmetric encryption:
1.
Create a key;
2.
Create and initialize a cipher using the key;
3.
Use the cipher to encrypt or decrypt, by specifying
appropriate mode.
The main difference is that an asymmetric cipher
requires a key pair: a public and a private key.
csci5233 Computer Security
5
Major Java Classes for Key Pairs
1.
java.security.KeyPair
public final class KeyPair
extends Object
implements Serializable
2.
java.security.PublicKey
public interface PublicKey extends Key
This interface contains no methods or constants. It merely serves to group
(and provide type safety for) all public key interfaces.
Note: The specialized public key interfaces extend this interface. See, for
example, the DSAPublicKey interface in java.security.interfaces.
csci5233 Computer Security
6
Major Java Classes for Key Pairs
3.
java.security.PrivateKey
Similar to the PublicKey interface, except that it is for the private
key
4.
java.security.KeyPairGenerator
public abstract class KeyPairGenerator extends KeyPairGeneratorSpi
The KeyPairGenerator class is used to generate pairs of public and
private keys.
Key pair generators are constructed using the getInstance factory
methods.
csci5233 Computer Security
7
Session key encryption
Oddly enough, the greatest value in using asymmetric
encryption is in encrypting symmetric keys.
Why? (discussed earlier in Chapter 2)
Exercise: Explain how session key encryption works.
SimpleRSAExample.java (or find it at
http://sce.cl.uh.edu/yang/teaching/proJavaSecurityCode.
html)
csci5233 Computer Security
8
File encrypt/decrypt using RSA
Steps:
1)
Use an AES session key to encrypt the file. (Note:
Each file is encrypted by a different session key.)
2)
Use RSA to encrypt the session key.
3)
Store the encrypted session key inside the file.
Source code: FileEncryptorRSA.java
csci5233 Computer Security
9
File encrypt/decrypt using RSA
FileEncryptor is started with one of three options:
-c:
create key pair and write it to 2 files
-e:
encrypt a file, given as an argument
-d:
decrypt a file, given as an argument
csci5233 Computer Security
10
File encrypt/decrypt using RSA
Format of the encrypted file
csci5233 Computer Security
11
File encrypt/decrypt using RSA
The decryption steps
csci5233 Computer Security
12
Key agreement
javax.crypto
Class KeyAgreement
This class provides the functionality of a key agreement (or key
exchange) protocol.
For each of the correspondents in the key exchange, doPhase
needs to be called. For example, if this key exchange is
with one other party, doPhase needs to be called once,
with the lastPhase flag set to true.
csci5233 Computer Security
13
Key agreement
Key doPhase (Key key, boolean lastPhase)
Executes the next phase of this key agreement with the
given key that was received from one of the other parties
involved in this key agreement.
csci5233 Computer Security
14
Key agreement
If this key exchange is with two other parties, doPhase
needs to be called twice, the first time setting the
lastPhase flag to false, and the second time setting it to
true. There may be any number of parties involved in a key
exchange.
With the doPhase method, Diffie-Hellman allows any
number of public keys to be added to perform a key
agreement.
csci5233 Computer Security
15
Key agreement
Once all the keys have been passed in with doPhase( ), a call to
generateSecret( ) will perform the actual key agreement and return a
byte array that is the shared secret.
byte[] generateSecret()
Generates the shared secret and returns it in a new buffer.
int generateSecret (byte[] sharedSecret, int offset)
Generates the shared secret, and places it into the buffer
sharedSecret, beginning at offset inclusive.
SecretKey generateSecret (String algorithm)
Creates the shared secret and returns it as a SecretKey object of the
specified algorithm.
csci5233 Computer Security
16
csci5233 Computer Security
17
Key agreement for a Chat Application
The sample application
KeyAgreementClient.java
KeyAgreementServer.java
csci5233 Computer Security
18
Next
Message digest, Digital signatures & Certificates
(GS: 6)
csci5233 Computer Security
19