Java Cryptography & Internet Security. 1 Goals of Network Security 2 Basic Cryptographic Concepts 3 Java Security Concepts & Applets 4 Java Cryptographic Architecture (JCE) & Java Cryptographic Extension (JCE) 5 An example: what students have to do.
1 Goals of Network Security Security is multilateral ! • Confidentiality • symmetric encoding systems (bilateral) • asymmetric encoding systems (multilateral) • special protocols: S-HTTP, SSL • Integrity • digital signatures, (multilateral) • Message Autentification Code (MAC) • Availability • diversified networks • Assign somebody / Commitment • digital signatures (multilateral)
2 Basic Cryptographic Concepts • crypto system • cryptographically secure message digest (SHA-1, MD5, ...) • cryptographic cipher: encryption & decryption • symmetric encryption (DES, IDEA, ...) • asymmetric encryption (public key) (RSA, ElGamal, ...) • certificate (X.509 standard) • digital signatures: signing and verifying (DSA, RSA, ...)
Kryptosystem M : plaintext space C : ciphertext space K : key space M : message C : cipher message K : key E = Encrypt D = Decrypt E ( M ) = C D ( C ) = M DK (EK (M) ) = M | M M E : M × K C D : C × K M
Message Digest = one way hash function w = h (x) Message Authentification Code (MAC) = hash function with secure key w = h (x, k)
Random number symmetric encryption k = secure key Key generator k ciphertext plaintext plaintext encrypt decrypt x C(x) x B A asymmetric encryption s = private key Key generator t = public key ciphertext plaintext plaintext encrypt decrypt x C(x) x B A
X.509 Certificate version serial number Algorithm identifier Issuer (name of CA) Period of validity Subject (user name) Public key Signature (CA)
Random number symmetric authentification k = secure key Key generator k Text with authentific. text Text, testresult Generate MAC test MAC x x, MAC x, {true | false} B A asymmetric authentication (signature system) s = private key (sign) Key generator t = public key (verify) Text with signatur + testresult text Text with signature sign verify x x, sig(x) x,sig(x), {true | false} B A
3 Java: Security Concept & Applets and how it looks like How an applet works • Java 1.0 Security Model • “Sandbox Model“ : no permission to access local resources (client) • Java 1.1 Security Model • signed applets introduced : full access to local resources • unsigned applets run in the sandbox • Java 1.2 Security Model A security manager in the JVM controls access Trouble: there are differencec between appletviewer , Netscape, Microsoft IE in Java 1.1 and Java 1.2
4 Java Cryptographic Architecture (JCA) & Java Cryptographic Extension (JCE) • Design principle: Provider - Algorithm - Concept • Classes: SUN MD5 MessageDigest SHA1 X RSA Signature DSA Identity Signer MessageDigest Signature Key KeyPair KeyPairGenerator KeyGenerator SecureRamdom KeyStore Certificate X509Certificate Cipher
5 An example: what students have to do ... • Task description for students • steps: • give applet rights to write a file belegis.dat on client • generate a keypair and a self signed certificate (X.509) ; store the keypair in a keystore file and export certificate to a file • write a Java-application that produces a MD5-Message Digest of file belegis.dat • write another Java-application that reads and signs the Java source code of step 3, concatenate the source with the signature and encrypt the result (symmetric cryptography). Deserialize a session key for this purpose. • Store in a directory for verification: • file belegis.dat • the self signed certificate • the message digest • the chiffretext
Solution Solution‘s Verification • If no permissions are given to applet • give file permissions by policytool • applet writes belegis.dat now • generate a keystore file & a key pair by keytool, export certificate (step 2) • java source code (step 3) • java source code (step 4) • register verification time • import certificate • read keystore file • verify message digest • desrialize session key • decrypt chiffretext and store temporary • extract certificate • proof validity of certificate • prepare for verifying signature • read signature • verify signature Response to Solution
import java.security.*; import java.security.cert.*; import java.io.*; public class Beleg01Loes3{ public static void main(String args []){ try { FileInputStream fi = new FileInputStream("mykeystore"); KeyStore ks = KeyStore.getInstance("JKS","SUN"); char [] passwd1 = {'r','p','l','a','c','d','1'}; ks.load(fi,passwd1); char [] passwd2 = {'r','p','l','a','c','a','1'}; Key priv = ks.getKey("is_beleg",passwd2); MessageDigest md = MessageDigest.getInstance("MD5"); FileInputStream fi2 = new FileInputStream("c:/temp/belegis.dat"); byte xx =(byte)fi2.read(); while(xx != -1){ md.update(xx); xx =(byte)fi2.read(); } fi2.close(); System.out.println("------- Datei gelesen -------");
byte [] medi = md.digest(); FileOutputStream mdf = new FileOutputStream("belegis_MD5.dat"); mdf.write(medi); mdf.close(); System.out.println("---- MD5 geschrieben ----"); System.out.println("---------- ende ----------"); } catch(Exception e){ System.out.println("error:"+e); } } }
import java.io.*; import java.security.*; import java.security.spec.*; import java.security.interfaces.*; import java.security.cert.*; import javax.crypto.*; import javax.crypto.spec.*; import javax.crypto.interfaces.*; public class Beleg01Loes4{ public static void main(String args[]){ try{ Provider sunJCE = new com.sun.crypto.provider.SunJCE(); Security.addProvider(sunJCE); System.out.println("Provider eingetragen"); File f1; File f2; if(args.length < 3) { System.out.println("Usage: java JCEChiffrierung c"+ " <plaintext file> <chiffretext file> "); System.exit(8); } f1 = new File(args[1]); f2 = new File(args[2]);
FileInputStream fis; FileOutputStream fos; FileInputStream kfis; FileOutputStream kfos; fis = new FileInputStream(f1); fos = new FileOutputStream(f2); CipherInputStream cis; Cipher desciph = Cipher.getInstance("DES"); System.out.println("Cipher-Objekt erzeugt"); cis = new CipherInputStream(fis, desciph); SecretKey desKey; // Lesen und Signieren FileInputStream fi = new FileInputStream("mykeystore"); KeyStore ks = KeyStore.getInstance("JKS","SUN"); char [] passwd1 = {'r','p','l','a','c','d','1'}; ks.load(fi,passwd1); char [] passwd2 = {'r','p','l','a','c','a','1'}; Key priv = ks.getKey("bel",passwd2); Signature dsa = Signature.getInstance("DSA","SUN"); dsa.initSign((PrivateKey)priv);
FileOutputStream mdfo = new FileOutputStream("beleg01_sig.dat"); int siz = (int) f1.length(); int z = 0; byte x =(byte)fis.read(); while(z < siz){ dsa.update(x); mdfo.write(x); z++; x =(byte)fis.read(); } byte [] sig = dsa.sign(); fis.close(); System.out.println("------- Datei gelesen und signiert -------"); mdfo.write((byte)'S'); mdfo.write((byte)'I'); mdfo.write((byte)'G'); System.out.println("------- SIG geschrieben -------"); mdfo.write(sig); mdfo.close(); System.out.println("------- signierte Datei geschrieben -------");
f1 = new File("beleg01_sig.dat"); fis = new FileInputStream(f1); cis = new CipherInputStream(fis, desciph); kfis = new FileInputStream( "i:/prakt/fritzsch/Sicherheit/chiffkey.dat"); ObjectInputStream keyin = new ObjectInputStream(kfis); desKey = (SecretKey)keyin.readObject(); System.out.println("Key deserialisiert"); desciph.init(Cipher.ENCRYPT_MODE,desKey); byte [] b = new byte [8]; int i = cis.read(b); while(i != -1){ fos.write(b,0,i); i = cis.read(b); } fos.close(); System.out.println("Dateien lesen/schreiben beendet"); } catch(Exception e){ System.err.println("Error:"+ e); } } }
import java.security.*; import java.security.cert.*; import java.io.*; import java.util.*; import javax.crypto.*; public class Beleg01PruefS{ public static void main(String args []){ // Arbeitsverzeichnis: htw4711 // Aufruf: java Beleg01PruefS htw4711 try { // Zeitpunkt der Ueberpruefung registrieren ------------- System.out.println("Beleg geprueft:"); System.out.println((new Date()).toLocaleString()); // Provider SunJCE eintragen ---------------------------- Provider sunJCE = new com.sun.crypto.provider.SunJCE(); Security.addProvider(sunJCE);
// Certificate löschen (auch wenn nicht vorhanden )---------- String command1 = "keytool -delete " + " -alias " + args[0] + " -keystore i:/Prakt/fritzsch/Sicherheit/mykeystore“ + " -storepass rplacd1"; System.out.println("-- invoke: "); System.out.println(" " + command1); Runtime rt1 = Runtime.getRuntime(); Process p1 = rt1.exec(command1); p1.waitFor(); System.out.println(" ... beendet mit RC="+ p1.exitValue());
// Certificate importieren ----------------------------------- System.out.println("-- Zertifikat importieren "); String command = "keytool -import "+ " -alias " + args[0] + " -file "+ args[0] + ".cer"+ //" -keystore c:/workstation/IS/mykeystore"+ " -keystore i:/Prakt/fritzsch/Sicherheit/mykeystore"+ " -storepass rplacd1"; System.out.println("-- invoke: "); System.out.println(" " + command); Runtime rt = Runtime.getRuntime(); Process p = rt.exec(command); String ss = "y\n"; p.getOutputStream().write(ss.getBytes()); p.getOutputStream().close(); p.waitFor(); System.out.println(" ... beendet mit RC="+ p.exitValue()); // Keystore-Datei lesen ------------------------------------ KeyStore ks = KeyStore.getInstance("JKS","SUN"); char [] passwd1 = {'r','p','l','a','c','d','1'}; FileInputStream fi = new FileInputStream( "i:/Prakt/fritzsch/Sicherheit/mykeystore"); ks.load(fi,passwd1);
// Message-Digest prüfen ----------------------------------- MessageDigest md = MessageDigest.getInstance("MD5"); FileInputStream fius = new FileInputStream("belegis.dat"); byte [] org = {1,1,1,1,5,1,1,1,1,5,1,1,1,1,5,1,1,1,1,5, 1,1,1,1,5,1,1,1,1,5,1,1,1,1,5,1,1,1,1,5, 1,1,1,1,5,1,1,1,1,5,1,1,1,1,5,1,1,1,1,5, 1,1,1,1,5,1,1,1,1,5,1,1,1,1,5,1,1,1,1,5, 1,1,1,1,5,1,1,1,1,5,1,1,1,1,5,1,1,1,1,5,1}; int i = 0; org[i]=(byte)fius.read(); while (org[i]!=-1){ md.update(org[i]); i=i+1; org[i]=(byte)fius.read(); } fius.close(); FileInputStream fimd = new FileInputStream("belegis_MD5.dat"); byte [] dig = {1,1,1,1,5,1,1,1,1,5,1,1,1,1,5,1,0}; int j = 0; dig[j] = (byte)fimd.read(); while (j<15){ j=j+1; dig[j] = (byte)fimd.read(); } fimd.close();
byte [] medi =md.digest(); boolean vergleich=true; for (int k = 0; k<16; k++) if(dig[k]!=medi[k]) vergleich=false; System.out.println("-- Vergleich Message Digest:" + vergleich); // Sitzungsschlüssel deserialisieren ------------------------ FileInputStream kfis = new FileInputStream( "i:/Prakt/fritzsch/Sicherheit/chiffkey.dat"); ObjectInputStream keyin = new ObjectInputStream(kfis); SecretKey desKey=(SecretKey)keyin.readObject(); System.out.println("-- Sitzungsschluessel deserialisiert");
// Datei chiffretext.dat dechiffrieren und ----------------- // in belegis_zwi.dat ablegen FileInputStream fis = new FileInputStream("chiffretext.dat"); FileOutputStream fos = new FileOutputStream("belegis_zwi.dat"); CipherInputStream cis; Cipher desciph = Cipher.getInstance("DES/ECB/PKCS5Padding"); cis = new CipherInputStream(fis,desciph); desciph.init(Cipher.DECRYPT_MODE,desKey); byte [] ba = new byte [1]; int iii = cis.read(ba); while (iii != -1){ fos.write(ba,0,iii); iii = cis.read(ba); } fos.close(); fis.close(); System.out.println("-- Dechiffrierung erfolgreich"); // öffentlichen Schlüssel aus Certif. extrahieren ----------- java.security.cert.X509Certificate cl = (java.security.cert.X509Certificate) ks.getCertificate(args[0]); PublicKey pub = cl.getPublicKey(); System.out.println("-- oeffentlicher Schluessel extrahiert");
// Gültigkeitsdauer des Zertifikates überprüfen -------------- Date bef = cl.getNotBefore(); Date aft = cl.getNotAfter(); System.out.println("-- Zertifikat ist gueltig"); System.out.println(" vom: " + bef.toLocaleString()); System.out.println(" bis: " + aft.toLocaleString()); // Signatur-Objekt zum Prüfen initialisieren ----------------- Signature dsa = Signature.getInstance("DSA"); dsa.initVerify(pub);
// Zwischendatei belegis_zwi.dat lesen ----------------------- File gesamtFile = new File("belegis_zwi.dat"); int sizef = (int)gesamtFile.length(); fis = new FileInputStream(gesamtFile); byte b = (byte)fis.read(); sizef--; byte c = (byte)fis.read(); sizef--; byte d = (byte)fis.read(); while ((d != -1)&&((b !='S')||(c != 'I')||(d !='G'))){ sizef--; dsa.update(b); b=c; c=d; d=(byte)fis.read(); } sizef--;
// Signatur lesen ------------------------------------------ System.out.println("Laenge der Signatur: "+sizef); byte [] sig = new byte[sizef]; int ii = 0; byte s = (byte)fis.read(); while (ii < sizef){ sig[ii] = s; ii++; s = (byte)fis.read(); } fis.close(); System.out.println("-- Signatur gelesen"); // Signatur pruefen ----------------------------------------- boolean verifies = dsa.verify(sig); System.out.println("-- Signatur verifiziert:"+verifies); System.out.println("-- Ende"); } catch(Exception e){ System.out.println("error:"+e); } } }
Preparation • Make available - applet BelegIS.java - HTML page BelegIS.html containing this applet • generate & make available (serialize) secure session key • generate keystore file c:\workstation\IS\mykeystore to include certificates of students
import java.applet.Applet; import java.awt.*; import java.awt.event.*; import java.io.*; import javax.swing.*; import List; public class HanoiVisual extends JApplet implements ActionListener{ JPanel jPanel0= new JPanel(); JPanel jPanel1= new JPanel(); JPanel jPanel2 = new JPanel(); JPanel jPanel3 = new JPanel(); JPanel jPanel4 = new JPanel(); JButton popbutton = new JButton("pop"); JButton pushbutton = new JButton("push"); JButton emptybutton = new JButton("emptyStack"); JButton runbutton = new JButton("run"); JButton stopbutton = new JButton("stop"); JPanel buttonPanel = new JPanel(); VisObject vo1 = new VisObject(0, jPanel1); VisObject vo2 = new VisObject(0, jPanel2); VisObject vo3 = new VisObject(0, jPanel3);
public void init(){ try{ UIManager.setLookAndFeel( UIManager.getCrossPlatformLookAndFeelClassName()); Container contentPane= getContentPane(); contentPane.setBackground(Color.white); jPanel0.setBorder(BorderFactory.createEtchedBorder()); jPanel0.setLayout(new GridLayout(1,3,5,10));//3 Spalten jPanel1.setBorder(BorderFactory.createEtchedBorder()); jPanel1.setLayout(new GridLayout(10,1,5,0));//10 Zeilen for (int j=0;j<10;j++){ jPanel4= (JPanel)jPanel1.add(new MyJPanelInit(),j); } jPanel2.setBorder(BorderFactory.createEtchedBorder()); jPanel2.setLayout(new GridLayout(10,1,5,0));//10 Zeilen for (int j=0;j<10;j++){ jPanel4= (JPanel)jPanel2.add(new MyJPanelInit(),j); }
jPanel3.setBorder(BorderFactory.createEtchedBorder()); jPanel3.setLayout(new GridLayout(10,1,5,0));//10 Zeilen for (int j=0;j<10;j++){ jPanel4= (JPanel)jPanel3.add(new MyJPanelInit(),j); } jPanel0.add(jPanel1); jPanel0.add(jPanel2); jPanel0.add(jPanel3); contentPane.add("Center",jPanel0); pushbutton.addActionListener(this); buttonPanel.add(pushbutton); popbutton.addActionListener(this); buttonPanel.add(popbutton); emptybutton.addActionListener(this); buttonPanel.add(emptybutton); runbutton.addActionListener(this); buttonPanel.add(runbutton); stopbutton.addActionListener(this); buttonPanel.add(stopbutton); contentPane.add("South",buttonPanel); validate(); }catch(Exception e){ } }
public void actionPerformed(ActionEvent evt){ if(evt.getActionCommand().equals("pop")){ MyJPanel y = popvis(vo1); } if(evt.getActionCommand().equals("push")){ pushvis(vo1,new MyJPanel(vo1.i+1)); } if(evt.getActionCommand().equals("emptyStack")){ vo1.i=0; jPanel1.removeAll(); for (int j=0;j<10;j++){ jPanel4= (JPanel)jPanel1.add(new MyJPanelInit(),j); } vo2.i=0; jPanel2.removeAll(); for (int j=0;j<10;j++){ jPanel4= (JPanel)jPanel2.add(new MyJPanelInit(),j); } vo3.i=0; jPanel3.removeAll(); for (int j=0;j<10;j++){ jPanel4= (JPanel)jPanel3.add(new MyJPanelInit(),j); } paint(getGraphics()); }
if(evt.getActionCommand().equals("run")){ hanoiinit(); validate(); } if(evt.getActionCommand().equals("stop")){ stop(); init(); } } public void pushvis(VisObject p,MyJPanel x){ p.i++; p.jP.remove(10-p.i); jPanel4= (JPanel)p.jP.add(x,10-p.i); validate(); paint(getGraphics()); } public MyJPanel popvis(VisObject p){ MyJPanel x = (MyJPanel)p.jP.getComponent(10-p.i); p.jP.remove(10-p.i); jPanel4= (JPanel)p.jP.add(new MyJPanelInit(),10-p.i); validate(); paint(getGraphics()); p.i--; return x; }
public void hanoiinit(){ List a = new List(); a = a.cons(vo1); for (int j=0;j<vo1.i;j++) a= a.cons(new Integer(vo1.i-j)); a=a.reverse(); a.princ(); List b = new List(); b = b.cons(vo2); b.princ(); List c = new List(); c = c.cons(vo3); c.princ(); hanoi(a,b,c); } public void hanoi(List a, List b, List c){ if (a.cdr().cdr().nullp()) move(a, b); else { hanoi(a.cdr().cdr().cons(a.car()),c,b); validate(); move(a, b); validate(); hanoi(c.append(a.cdr().cdr()),b,(new List()).cons(a.car())); validate(); } }
public void move(List a, List b){ MyJPanel x = popvis((VisObject)a.car()); validate(); pushvis((VisObject)b.car(),x); validate(); try{ Thread.currentThread().sleep(1200); validate(); } catch(InterruptedException e){ } } public void paint(Graphics g){ getContentPane().paintAll(g); } } class MyJPanel extends JPanel{ public MyJPanel(int i){ super(); this.setBackground(Color.black); // cyan this.add(new Scheibe(i)); } }
class Scheibe extends JPanel{ public Scheibe(int i){ super(); int x = this.getWidth(); this.setBorder(BorderFactory.createEmptyBorder( 0,x+93-10*i,0,x+93-10*i)); this.setBackground(Color.yellow); this.add(new JLabel(String.valueOf(i))); } } class MyJPanelInit extends JPanel{ public MyJPanelInit(){ super(); this.setBackground(Color.black); } } class VisObject { public int i; public JPanel jP; public VisObject(int n, JPanel p){ i=n; jP=p; } }