1. Java Cryptography Nick Pullman DSU-MSIA Citigroup Information Security pullmann@pluto.dsu.edu

2. Basic Cryptographic Functions Private/Public Key Pair Generation Secret Key Generation Hash Functions Digital Signatures Random Number Generation Encryption/Decryption

3. Java Cryptographic Overview Java cryptography uses 2 main APIs  Java Cryptographic Architecture (JCA)  Java Cryptographic Extensions (JCE) Robust and Extensible Platform independent Interoperable among vendor implementations

4. Java Cryptographic Architecture JCA/JCE define the types and functionalities of different cryptographic services The actual cryptographic implementation is done by service providers JCA/JCE is made up of mostly “engine” classes which provide a standard interface into the service providers This makes the overall implementation extensible since new service providers can be “plugged in”

5. JCA Overview Core classes and interfaces related to Java cryptography Contains 2 provider classes that are used to manage and maintain the service providers  Provider: class that represents a cryptographic service provider  Security: class that manages the installed providers and their security properties Contains a number of engine classes which are used to interface with cryptographic services

6. JCA Classes MessageDigest: used to implement one-way hash functions such as MD5 or SHA Signature: used to implement digital signatures KeyPairGenerator: used to create public/private key pairs for different algorithms KeyFactory: used to convert keys into key specifications and then vice-versa CertificateFactory: used to generate certificates KeyStore: used to create a keystore which maintains keys and certificates in memory for later usage AlgorithmParameters: used to maintain the security parameters for specific algorithms AlgorithmParameterGenerator: used to create a set of parameters to be used for specific algorithms SecureRandom: used to create random or pseudo-random numbers

7. JCA Examples Create Message Digest  byte[] dataBytes = “This is test data”.getBytes(); MessageDigest md = MessageDigest.getInstance("SHA1"); md.update(dataBytes); byte[] digest = md.digest(); First, the test data is populated. Second, a concrete message digest object is created with SHA1 as the cryptographic algorithm Third, the message digest object is updated; i.e. the digest is updated using the current bytes Finally, the digest method completes the algorithm Create Keystore  KeyStore ks = KeyStore.getInstance("JCEKS"); ks.load(null,password.toCharArray()); java.io.FileOutputStream fos = new java.io.FileOutputStream(keyFilePath); ks.store(fos, password.toCharArray()); fos.close(); First, create the concrete KeyStore object. Second, load “ks” with a null input Third, create the output stream to save the file. Fourth, the store method saves the KeyStore to the file specified and protects it with the password Finally, close the output stream.

8. JCE Overview Originally created as an optional extension package for cryptographic services subject to U.S. export controls Uses JCA’s “provider” and “security” classes to manage its service providers Comprised of all “engine” classes

9. JCE Classes Cipher: provides encryption and decryption functionality CipherInputStream & CipherOutputStream: used as a convenient way to encrypt or decrypt information using streams Mac: used to check the integrity of messages based on a secret key KeyGenerator: used to generate symmetric keys SecretKeyFactory: similar to the KeyFactory of JCA which converts keys into key specifications and vice-versa SealedObject: used to create a serialized object which is protected using cryptography KeyAgreement: provides functionality to use a key agreement protocol Interfaces: provides interfaces for Diffie-Hellman keys Spec: similar to algorithmParamaters of JCA which provides key and parameter specifications for different algorithms

10. JCE Examples Generate Secret Key  KeyGenerator kg = KeyGenerator.getInstance(“DES”) SecretKey sKey = kg.generateKey(); A secret key is used for symmetric encryption/decryption First, create a concrete key generator object; in this case a DES key Second, create a SecretKey object and call the generateKey method of the KeyGenerator object to retrieve the key Encrypt  byte[] testdata = “Understanding Java Cryptography”.getBytes(); Cipher myCipher = Cipher.getInstance("DES/ECB/PKCS5Padding"); myCipher.init(Cipher.ENCRYPT_MODE, sKey); byte[] cipherText = myCipher.doFinal(testdata); First, load some test data. Second, create a concrete Cipher object Third, initialize the cipher with the secret key for encryption Finally, the doFinal method actually encrypts the data

11. Cryptography Tool: Message Digest Using this tool, you can get MD5 and SHA1 message digests, save them to files, and then later use it for comparison To create the Digests 1. Open a file 2. Get the digest or digests 3. Save the digest to a file To compare the Digests 1. Open a file 2. Select “Compare Digest” 3. Select the saved file and it will compare the current files digest with the value that was stored in the saved file Create Message Digests Compare Message Digests

12. Cryptography Tool: Key Store The key store is then created and protected by the password Java manages keys through a key store To create a Key Store 1. Select “Create Keystore” 2. Select location to save the file 3. Input a password Create Key Store Save file dialog box

13. Cryptography Tool: Encryption/Decryption Encryption/Decryption is very similar. With encryption, the opened file will be encrypted, and a series of steps is executed to create the encrypted file; a) choose location to save encrypted file, b) choose a key store, c) enter the password, and finally d) enter the alias of the key that you want to use. Decryption is almost the same except instead of the opened file being decrypted, an open dialog box lets you choose the file that you want to decrypt Encrypt a FileSave dialog for encrypted file

14. Encryption/Decryption Example Output This is an example of encrypting and then decrypting a file The original file starts on the left, is then encrypted, and then the encrypted file is decrypted to give the file on the right

15. PKI with Java – Sreekanth Malladi Java provides both API and Tools for key creation, management, and use Nick explained Java API Keytool and Cryptool are tools for key creation & management  i.e. public/private key pair generation  Certificate signing, certificate validation, CA set up etc.

16. Exporting certificate in Windows We have seen exporting certificates in Windows  Review Java also has similar key storage pattern Keystore for storing keys Keystore can be of different types  JCEKS, JKS etc.

17. Example keytool commands Generating a self-signed certificate  keytool –genkey –keystore test.ks –storepass changeit –storetype JCEKS alias testkey Listing contents of a key store  keytool –list –keystore test.ks –storepass changeit – storetype JCEKS –v Generating a CSR  Keytool –certreq –keystore test.ks –storepass changeit –storetype JCEKS –alias testkey –file test.cer

18. Keytool commands continued… Printing contents of ap7b file  Keytool –printcert –file test.p7b Importing the CA signed certificate  Keytool –import –keystore test.ks –storepass changeit –storetype JCEKS –alias testkey –file test.p7b Listing CA certificates in keystore  keytool –list –v %JRE_HOME%\LIB\SECURITY\CACERTS

19. Keytool commands Generating a public-key certificate with algorithm of choice  Keytool –genkey –storepass changeit –storetype JCEKS –keypass changeit –keystore server.ks – keyalg RSA –dname “CN=Server, OU=X, O=Y, L=Z, S=XY, C=YZ” Storing the so-created certificate in a file  Keytool –export –file temp$.cer –storepass changeit – storetype JCEKS –keypass changeit –keystore server.ks

20. Importing/adding a certificate to keystore  Keytool –import –file temp$.cer –storepass changeit –storetype JCEKS –keypass changeit –keystore client.ts -noprompt

21. Cryptool Useful to setup CA  C:\jstk>bin\certool setupca –cadir rootca – serial 256 –dn “CN=RootCA, OU=Bar, O=Foo, C=US” –password changeit Issuing a certificate  certtool issue –cadir rootca –csrfile test.csr – cerfile test.p7b –password changeit

22. Where are keytool and certool? Keytool comes with java installation  In C:\j2sdk1.4.2_09\bin or whereever j2sdk is installed  Usually the other place is C:\Program Files\Java……. Cryptool has to be downloaded separately Note that Java has API to implement all the functionalities of keytool and cryptool

23. Reference Keytool, certool concepts from  J2EE Security for Servlets, EJBs, and Web Services by Pankaj Kumar, Prentice Hall, 2004, ISBN 0-13-140264-1

24. Summary Java implements cryptographic functions using the JCA/JCE APIs in conjunction with cryptographic service providers The architecture is both flexible and extensible allowing for specialized service provider APIs to be “plugged in” to the JCA/JCE architecture The architecture is designed to be both platform independent and interoperable with specific vendor implementations

25. Additional Resources http://www.oreilly.com/catalog/javacrypt/chapter/ch06.html http://java.sun.com/j2se/1.5.0/docs/guide/security/jce/JCERefGuide. html http://java.sun.com/j2se/1.5.0/docs/guide/security/jce/JCERefGuide. html http://java.sun.com/j2se/1.5.0/docs/guide/security/CryptoSpec.html http://www.j2ee-security.net/book/dnldsrc/ THANKS!!!