190 likes | 209 Views
GS: Chapter 5 Asymmetric Encryption in Java. Topics. Ciphers, modes and padding Asymmetric encryption in Java Session key encryption File encryption/decryption using RSA Key agreement. Ciphers, Modes and Padding.
E N D
GS: Chapter 5Asymmetric Encryption in Java csci5233 Computer Security
Topics • Ciphers, modes and padding • Asymmetric encryption in Java • Session key encryption • File encryption/decryption using RSA • Key agreement csci5233 Computer Security
Ciphers, Modes and Padding • The ECB (Electronic Code Book) mode encrypts the plaintext a block at a time. • Asymmetric ciphers are almost always used in ECB mode. Why? • The block size is usually almost equal to the size of the key. Example: 1024-bit RSA ~= data block of 117 bytes csci5233 Computer Security
Ciphers, Modes and Padding • When the size of the data is less than the size of the block, padding is needed. • RSA uses two forms of padding: PKCS#1 – the standard form of padding in RSA; insecure when used for encrypting plaintext with obvious patterns in it (like English text) OAEP (Optimal Asymmetric Encryption Padding) – an improvement on PKCS#1. csci5233 Computer Security
Asymmetric encryption in Java • The steps of using asymmetric encryption in Java is similar to using symmetric encryption: • Create a key; • Create and initialize a cipher using the key; • Use the cipher to encrypt or decrypt, by specifying appropriate mode. • The main difference is that an asymmetric cipher requires a key pair: a public and a private key. csci5233 Computer Security
Major Java Classes for Key Pairs • java.security.KeyPair public final class KeyPair extends Object implements Serializable • java.security.PublicKey public interface PublicKey extends Key This interface contains no methods or constants. It merely serves to group (and provide type safety for) all public key interfaces. Note: The specialized public key interfaces extend this interface. See, for example, the DSAPublicKey interface in java.security.interfaces. csci5233 Computer Security
Major Java Classes for Key Pairs • java.security.PrivateKey Similar to the PublicKey interface, except that it is for the private key • java.security.KeyPairGenerator public abstract class KeyPairGenerator extends KeyPairGeneratorSpi • The KeyPairGenerator class is used to generate pairs of public and private keys. • Key pair generators are constructed using the getInstance factory methods. csci5233 Computer Security
Session key encryption • Oddly enough, the greatest value in using asymmetric encryption is in encrypting symmetric keys. Why? (discussed earlier in Chapter 2) • Exercise: Explain how session key encryption works. • SimpleRSAExample.java (or find it at http://sce.cl.uh.edu/yang/teaching/proJavaSecurityCode.html) csci5233 Computer Security
File encrypt/decrypt using RSA • Steps: • Use an AES session key to encrypt the file. (Note: Each file is encrypted by a different session key.) • Use RSA to encrypt the session key. • Store the encrypted session key inside the file. • Source code: FileEncryptorRSA.java csci5233 Computer Security
File encrypt/decrypt using RSA • FileEncryptor is started with one of three options: -c: create key pair and write it to 2 files -e: encrypt a file, given as an argument -d: decrypt a file, given as an argument csci5233 Computer Security
File encrypt/decrypt using RSA • Format of the encrypted file csci5233 Computer Security
File encrypt/decrypt using RSA • The decryption steps csci5233 Computer Security
Key agreement • javax.crypto Class KeyAgreement This class provides the functionality of a key agreement (or key exchange) protocol. For each of the correspondents in the key exchange, doPhase needs to be called. For example, if this key exchange is with one other party, doPhase needs to be called once, with the lastPhase flag set to true. csci5233 Computer Security
Key agreement KeydoPhase(Key key, boolean lastPhase)Executes the next phase of this key agreement with the given key that was received from one of the other parties involved in this key agreement. csci5233 Computer Security
Key agreement • If this key exchange is with two other parties, doPhase needs to be called twice, the first time setting the lastPhase flag to false, and the second time setting it to true. There may be any number of parties involved in a key exchange. • With the doPhase method, Diffie-Hellman allows any number of public keys to be added to perform a key agreement. csci5233 Computer Security
Key agreement • Once all the keys have been passed in with doPhase( ), a call to generateSecret( ) will perform the actual key agreement and return a byte array that is the shared secret. byte[] generateSecret()Generates the shared secret and returns it in a new buffer. int generateSecret(byte[] sharedSecret, int offset)Generates the shared secret, and places it into the buffer sharedSecret, beginning at offset inclusive. SecretKeygenerateSecret(String algorithm)Creates the shared secret and returns it as a SecretKey object of the specified algorithm. csci5233 Computer Security
Key agreement for a Chat Application • The sample application • KeyAgreementClient.java • KeyAgreementServer.java csci5233 Computer Security
Next • Message digest, Digital signatures & Certificates (GS: 6) csci5233 Computer Security