So you're logging in to your favorite cryptocurrency exchange over https using a username and password, executing some transactions, and you're not at all surprised that, security-wise, everything's hunky dory...
In order to appreciate and understand what goes on under the hood, as a developer, it's really important to dive into the key concepts of cryptography.
In this presentation, we'll go back to JCA (Java Cryptography API) and JCE (Java Cryptography Extensions) basics, like message digests, symmetric and asymmetric encryption, and digital signatures, and see how they're used in a variety of examples like https and certificates, salted password checking, and block chain technology.
After this presentation, you'll have a better understanding of Java Cryptography APIs and their applications.
3. Cryptography (or cryptology; from Greek κρυπτός, kryptos, "hidden, secret"; and γράφ, gráph, "writing", or -λογία, -logia, respectively) is the practice and study of hiding information.
https://en.wikipedia.org/wiki/Outline_of_cryptography
8. How to plug in a security provider
• JDK8 and previous:
• Update jre/lib/security/java.security
• Place JAR in lib/ext
• JDK9 and onwards:
• Update conf/security/java.security
• Place JAR on classpath
Register it in the java.security file:
#
# List of providers and their preference orders (see above):
#
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=com.specificprovider.SpecificProvider
Or register it in code (SpecificProvider extends java.security.Provider):
Security.addProvider(new SpecificProvider());
9. JCA / JCE API Summary
Interface / class    Function
Security             Provider configuration
KeyGenerator         Generates symmetric keys
Key                  Represents key material
Cipher               Encryption algorithm
SecretKeyFactory     Converts symmetric key material to SecretKey abstraction
KeyPairGenerator     Generates public / private keys
KeyPair              Public / private keypair
KeyFactory           Converts public / private material to Key abstraction
KeyStore             Storing mechanism for keys and certificates
MessageDigest        Hashing
HMAC                 Combines hashing and encryption
37. Don’t use Asymmetric encryption to encrypt large blocks of data
RSA in particular is slow
…but you CAN use it for…
• Generating symmetric keys (Diffie-Hellman)
• Encrypting / Decrypting symmetric keys
• Encrypting hashes, or message digests (Digital Signature)
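The "encrypting / decrypting symmetric keys" bullet in practice, as an added example that is not code from the slides: the bulk data is encrypted with a fresh AES key, and RSA only wraps that 32-byte key. The class name, key sizes, the OAEP and AES-GCM transformations and the constructed 1 MiB payload are assumptions chosen for the illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.util.Arrays;

public class HybridEncryptionExample {
    static final String RSA_WRAP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    public static void main(String[] args) throws Exception {
        // Recipient's RSA key pair (generated here; normally loaded from a KeyStore).
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(3072);
        KeyPair recipient = kpg.generateKeyPair();

        // Constructed sample payload, far larger than a single RSA operation can hold.
        byte[] payload = new byte[1 << 20];
        Arrays.fill(payload, (byte) 'A');

        // Sender: fresh AES key and random 12-byte nonce, bulk-encrypt with AES-GCM.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey dataKey = kg.generateKey();
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, dataKey, new GCMParameterSpec(128, iv));
        byte[] ciphertext = aes.doFinal(payload);

        // Sender: RSA is used once, to wrap the AES key for the recipient.
        Cipher rsa = Cipher.getInstance(RSA_WRAP);
        rsa.init(Cipher.WRAP_MODE, recipient.getPublic());
        byte[] wrappedKey = rsa.wrap(dataKey);

        // Recipient: unwrap the AES key, then decrypt; a modified ciphertext fails the GCM tag check.
        Cipher rsaIn = Cipher.getInstance(RSA_WRAP);
        rsaIn.init(Cipher.UNWRAP_MODE, recipient.getPrivate());
        Key unwrapped = rsaIn.unwrap(wrappedKey, "AES", Cipher.SECRET_KEY);
        Cipher aesIn = Cipher.getInstance("AES/GCM/NoPadding");
        aesIn.init(Cipher.DECRYPT_MODE, unwrapped, new GCMParameterSpec(128, iv));
        byte[] recovered = aesIn.doFinal(ciphertext);
        System.out.println("wrapped key bytes: " + wrappedKey.length);
        System.out.println("round trip ok: " + Arrays.equals(payload, recovered));
    }
}
```

The sender transmits wrappedKey, iv and ciphertext together; the nonce is not secret but must never be reused with the same AES key.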
38. Encryption solves the problem of confidentiality…
…But not integrity
Digital signatures
60. Creating a digital signature of a payload
// keyPair is an RSA KeyPair, e.g. from KeyPairGenerator.getInstance("RSA")
Signature dsa = Signature.getInstance("SHA256withRSA");
dsa.initSign(keyPair.getPrivate());
// explicit charset so signer and verifier process the same bytes
dsa.update("Hi Jfokus!!!!".getBytes(StandardCharsets.UTF_8));
byte[] signature = dsa.sign();
Verifying a signature
Signature dsa = Signature.getInstance("SHA256withRSA");
dsa.initVerify(keyPair.getPublic());
dsa.update("Hi Jfokus!!!!".getBytes(StandardCharsets.UTF_8));
boolean signatureIsOk = dsa.verify(signature);
61. Symmetric signing (HMAC)
KeyGenerator generator = KeyGenerator.getInstance("HmacSHA256");
Key key = generator.generateKey();
// create signature
Mac mac = Mac.getInstance("HmacSHA256");
mac.init(key);
byte[] input = "Hello, world!".getBytes(StandardCharsets.UTF_8);
byte[] signature = mac.doFinal(input);
// validation of signature: recompute the MAC over the received input
byte[] receivedInput = "Hello, world!".getBytes(StandardCharsets.UTF_8);
byte[] newSignature = mac.doFinal(receivedInput);
// now compare newly generated signature with received signature;
// compare the raw bytes (new String(...) is lossy for arbitrary bytes), in constant time
assertTrue(MessageDigest.isEqual(signature, newSignature));
62. Obtain a hash function
MessageDigest digester = MessageDigest.getInstance("SHA-256");
Put some data in the function
digester.update("Hi there".getBytes());
Digest the data
digester.digest();
68 B1 28 2B 91 DE 2C 05 4C 36 62 9C B8 DD 44 7F 12 F0 96 D3 E3 C5 87 97 8D C2 24 84 44 63 34 83