Cryptography & Network security exercise 2

Cryptography & Network Security Exercise 2 MSc. NGUYEN CAO DAT BK TP.HCM Cryptography & Network Security Trường ĐHBK TP.HCM - Khoa Khoa học & Kỹ thuật máy tính 2009 Goals  Learn about JCA (Java Cryptography Architecture)  Understand the JCE (Java Cryptography Extension)  How to use Java Crypto API’s  How to use Java BigInteger class BK TP.HCM Cryptography & Network Security Trường ĐHBK TP.HCM - Khoa Khoa học & Kỹ thuật máy tính 2009 References [1].Java Cryptography, Jonathan Knudsen, O'Reilly Media, 2010. [2]. 2/docs/guide/security/CryptoSpec.html [3]. cs/technotes/guides/security/crypto/Crypt oSpec.html [4]. 2/docs/api/java/math/BigInteger.html BK TP.HCM Cryptography & Network Security Trường ĐHBK TP.HCM - Khoa Khoa học & Kỹ thuật máy tính 2009 Introduction (1/2) • JDK Security API • Core API for Java • Built around the java.security package • First release of JDK Security introduced "Java Cryptography Architecture" (JCA) • Framework for accessing and developing cryptographic functionality • JCA encompasses • Parts of JDK 1.2 Security API related to cryptography • Architecture that allows for multiple and interoperable cryptography implementations BK TP.HCM Cryptography & Network Security Trường ĐHBK TP.HCM - Khoa Khoa học & Kỹ thuật máy tính 2009 Introduction (2/2) • The Java Cryptography Extension (JCE) • Extends JCA -> javax.crypto.* • Includes APIs for encryption, key exchange, and Message Authentication Code (MAC) • Multiple “providers” supported • Keys & certificates in “keystore” database BK TP.HCM Cryptography & Network Security Trường ĐHBK TP.HCM - Khoa Khoa học & Kỹ thuật máy tính 2009 Design Principles • Implementation independence and interoperability • "provider“ based architecture • Set of packages implementing cryptographic services • Programs request a particular type of object • Various implementations working together, use each other's keys, or verify each other's signatures • Algorithm independence and extensibility • Cryptographic classes providing the functionality • Classes are called engine classes, example Signature • Addition of new algorithms straight forward BK TP.HCM Cryptography & Network Security Trường ĐHBK TP.HCM - Khoa Khoa học & Kỹ thuật máy tính 2009 Architecture (1/2) BK TP.HCM Cryptography & Network Security Trường ĐHBK TP.HCM - Khoa Khoa học & Kỹ thuật máy tính 2009 Architecture (2/2) • Cryptographic Service Providers • Sun, SunJSSE, SunJCE, SunRsaSign • SUN provider (default) • JCA provides APIs to query providers and services • Key management ▫ “keystore” database: keys and certificates ▫ Available to applications  Authentication  Signing BK TP.HCM Cryptography & Network Security Trường ĐHBK TP.HCM - Khoa Khoa học & Kỹ thuật máy tính 2009 JCA Overview •Core classes and interfaces related to Java cryptography •Contains 2 provider classes that are used to manage and maintain the service providers •Provider: class that represents a cryptographic service provider •Security: class that manages the installed providers and their security properties •Contains a number of engine classes which are used to interface with cryptographic services BK TP.HCM Cryptography & Network Security Trường ĐHBK TP.HCM - Khoa Khoa học & Kỹ thuật máy tính 2009 JCA Engine Classes • MessageDigest: used to implement one-way hash functions such as MD5 or SHA • Signature: used to implement digital signatures • KeyPairGenerator: used to create public/private key pairs for different algorithms • KeyFactory: used to convert keys into key specifications and then vice-versa • CertificateFactory: used to generate certificates • KeyStore: used to create a keystore which maintains keys and certificates in memory for later usage • AlgorithmParameters: used to maintain the security parameters for specific algorithms • AlgorithmParameterGenerator: used to create a set of parameters to be used for specific algorithms • SecureRandom: used to create random or pseudo- random numbers BK TP.HCM Cryptography & Network Security Trường ĐHBK TP.HCM - Khoa Khoa học & Kỹ thuật máy tính 2009 JCA Examples (1/2) Create Message Digest byte[] dataBytes = “This is test data”.getBytes(); MessageDigest md = MessageDigest.getInstance("SHA1"); md.update(dataBytes); byte[] digest = md.digest(); •First, the test data is populated. •Second, a concrete message digest object is created with SHA1 as the cryptographic algorithm •Third, the message digest object is updated; i.e. the digest is updated using the current bytes •Finally, the digest method completes the algorithm • JcaMessageDigest.java BK TP.HCM Cryptography & Network Security Trường ĐHBK TP.HCM - Khoa Khoa học & Kỹ thuật máy tính 2009 JCA Examples (2/2) Create Keystore KeyStore ks = KeyStore.getInstance("JCEKS"); ks.load(null,password.toCharArray()); java.io.FileOutputStream fos = new java.io.FileOutputStream(keyFilePath); ks.store(fos, password.toCharArray()); fos.close(); •First, create the concrete KeyStore object. •Second, load “ks” with a null input •Third, create the output stream to save the file. •Fourth, the store method saves the KeyStore to the file specified and protects it with the password •Finally, close the output stream. •JcaCertificateTest.java BK TP.HCM Cryptography & Network Security Trường ĐHBK TP.HCM - Khoa Khoa học & Kỹ thuật máy tính 2009 JCE Overview •Originally created as an optional extension package for cryptographic services subject to U.S. export controls •Uses JCA’s “provider” and “security” classes to manage its service providers •Comprised of all “engine” classes BK TP.HCM Cryptography & Network Security Trường ĐHBK TP.HCM - Khoa Khoa học & Kỹ thuật máy tính 2009 JCE Engine Classes • Cipher: provides encryption and decryption functionality • CipherInputStream & CipherOutputStream: used as a convenient way to encrypt or decrypt information using streams • Mac: used to check the integrity of messages based on a secret key • KeyGenerator: used to generate symmetric keys • SecretKeyFactory: similar to the KeyFactory of JCA which converts keys into key specifications and vice-versa • SealedObject: used to create a serialized object which is protected using cryptography • KeyAgreement: provides functionality to use a key agreement protocol • Interfaces: provides interfaces for Diffie-Hellman keys • Spec: similar to algorithmParamaters of JCA which provides key and parameter specifications for different algorithms BK TP.HCM Cryptography & Network Security Trường ĐHBK TP.HCM - Khoa Khoa học & Kỹ thuật máy tính 2009 JCE Examples (1/2) Generate Secret Key KeyGenerator kg = KeyGenerator.getInstance(“DES”); SecretKey sKey = kg.generateKey(); •A secret key is used for symmetric encryption/decryption •First, create a concrete key generator object; in this case a DES key •Second, create a SecretKey object and call the generateKey method of the KeyGenerator object to retrieve the key •JceSecretKeyTest.java BK TP.HCM Cryptography & Network Security Trường ĐHBK TP.HCM - Khoa Khoa học & Kỹ thuật máy tính 2009 JCE Examples (2/2) Encrypt byte[] testdata = “Understanding Java Cryptography”.getBytes(); Cipher myCipher = Cipher.getInstance("DES/ECB/PKCS5Padding"); myCipher.init(Cipher.ENCRYPT_MODE, sKey); byte[] cipherText = myCipher.doFinal(testdata); •First, load some test data. •Second, create a concrete Cipher object •Third, initialize the cipher with the secret key for encryption •Finally, the doFinal method actually encrypts the data BK TP.HCM Cryptography & Network Security Trường ĐHBK TP.HCM - Khoa Khoa học & Kỹ thuật máy tính 2009 Examples • An application to encrypt text files • An application to decrypt text files BK TP.HCM Cryptography & Network Security Trường ĐHBK TP.HCM - Khoa Khoa học & Kỹ thuật máy tính 2009 Provider Class • Providers are installed in a given preference order, the order in which the provider list is searched if a specific provider is not requested. • Example ▫ PROVIDER1  SHA1withDSA, SHA-1, MD5, DES, and DES3  Preference order 1 ▫ PROVIDER2  SHA1withDSA, MD2, MD5, RC4, and RSA  Preference order 2 Signature dsa = Signature.getInstance("SHA1withDSA","PROVIDER_2"); BK TP.HCM Cryptography & Network Security Trường ĐHBK TP.HCM - Khoa Khoa học & Kỹ thuật máy tính 2009 Installing Providers • Installing the Provider Classes (two ways) • Place a zip or JAR file containing the classes anywhere in your classpath. • Supply your provider JAR file as an "installed" or "bundled" extension. • Configuring the Provider • Add the provider to your list of approved providers • Static method • Edit the java.security file in the lib/security directory of the SDK security.provider.n=masterClassName BK TP.HCM Cryptography & Network Security Trường ĐHBK TP.HCM - Khoa Khoa học & Kỹ thuật máy tính 2009 Security class • Manage installed providers and security-wide properties • Only static methods and never instantiated • The methods for adding or removing providers, and for setting Security properties. • Can only be executed by a trusted program, that is: ▫ Local application not running a security manager ▫ An applet or application with permission BK TP.HCM Cryptography & Network Security Trường ĐHBK TP.HCM - Khoa Khoa học & Kỹ thuật máy tính 2009 Java BigInteger class (1/3) • Constructor public BigInteger(String val) throws NumberFormatException • Example BigInteger m = new BigInteger(“9238756983265342987456928689862 3498”) BK TP.HCM Cryptography & Network Security Trường ĐHBK TP.HCM - Khoa Khoa học & Kỹ thuật máy tính 2009 Java BigInteger class (2/3) • Methods public BigInteger add(BigInteger val) public BigInteger subtract(BigInteger val) public BigInteger multiply(BigInteger val) public BigInteger divide(BigInteger val) throws ArithmeticException public BigInteger remainder(BigInteger val)throws ArithmeticException BK TP.HCM Cryptography & Network Security Trường ĐHBK TP.HCM - Khoa Khoa học & Kỹ thuật máy tính 2009 Java BigInteger class (3/3) • Others methods public BigInteger modPow(BigInteger e, BigInteger m) : a^e (mod m) public BigInteger modInverse(BigInteger m) throws ArithmeticException: public BigInteger shiftLeft(int n) public BigInteger shiftRight(int n) • Example BK TP.HCM Cryptography & Network Security Trường ĐHBK TP.HCM - Khoa Khoa học & Kỹ thuật máy tính 2009 Exercises 1. Run the programs above 2. Check if you can supply a key as user input? 3. What other encryption algorithms you may use? And Try them. 4. Write a java program to retrieve the HTML file at URL , encrypt the contents and store it into a local file “index.enc”, then decrypt the file “index.enc” and store it into a local file “index.dec”. 5. Try to encrypt your emails sent to your friends.