Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
SlideShare a Scribd company logo
Cryptography 101
For Developers
www.craftsmen.nl
michel@craftsmen.nl
@MichelSchudel
Cryptography 101 for Java developers
Cryptography (or cryptology; from Greek
κρυπτός, kryptos, "hidden, secret"; and γράφ,
gráph, "writing", or -λογία, -logia,
respectively) is the practice and study of
hiding information.
https://en.wikipedia.org/wiki/Outline_of_cryptography
Cryptography 101 for Java developers
Modern cryptography
Symmetric encryption Asymmetric encryption
Hashing
JCA
(Java Cryptography Architecture)
JCE
(Java Cryptography Extension)
https://sites.google.com/site/lbathen/research/bouncy_castle
How to plug in a security provider
• JDK8 and previous:
• Update jre/lib/security/java.security
• Place JAR in lib/ext
• JDK9 and onwards:
• Update conf/security/java.security
• Place JAR on classpath
#
# List of providers and their preference orders (see above):
#
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=com.specificprovider.SpecificProvider
Or register it in
java.security file
Security.addProvider(new SpecificProvider());
(extends java.security.provider)
JCA /JCE API Summary
Interface / class Function
Security Provider configuration
KeyGenerator Generates symmetric keys
Key Represents key material
Cipher Encryption algorithm
SecretKeyFactory Converts symmetric key material to
SecretKey abstraction
KeyPairGenerator Generates public / private keys
KeyPair Public / private keypair
KeyFactory Converts public / private material to Key
abstraction
KeyStore Storing mechanism for keys and
certificates
MessageDigest Hashing.
HMAC Combines hashing and encryption
1. Hashing
2. Symmetric encryption
3. Asymmetric encryption
4. Digital signatures
5. Certificates
Cryptography 101 for Java developers
Deterministic
Fixed size
One-way
Psuedo
Random
No collisions
10^13 years
Hashing functions
MD-5 (hash size 128 bits)
SHA-1 (hash size 160 bits)
SHA-256 (hash size 256 bits)
Hashing in
My message
digest
68B1282B91DE2C054C36629CB8DD447F12F0
96D3E3C587978DC2248444633483
MessageDigest
getInstance(“SHA-256”)
DEMO
Hashing
•Password hashing
•Bitcoin block mining
•Digital Signatures
(Combined with encryption)
Where is hashing used?
Password hashing
transaction{from: michel, to: jfokus, amount, 5}
transaction{from: michel, to: jfokus, amount, 4}
random: 0
transaction{from: michel, to: jfokus, amount, 5}
transaction{from: michel, to: jfokus, amount, 4}
random: 1
transaction{from: michel, to: jfokus, amount, 5}
transaction{from: michel, to: jfokus, amount, 4}
random: 2
random++
random++
Bitcoin block mining
SHA-256 000084E534…..
SHA-256 D63C34F5D6…..
SHA-256 23A984E534…..
Hash of a block should start with 0000….
Symmetric encryption
Symmetric encryption
“ JFOKUS!! ”
3H6V3E98
Encryption
AlgorithmB4 C3 F8 32 87 A9 6E
• DES (Data Encryption Standard)
• block size 64 bits
• key size 56 bits
• AES (Advanced Encryption Standard)
• block size 128 bits
• key size 128/ 192 / 256 bits
https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
Symmetric encryption
Algorithms
Symmetric encryption in
KeyGenerator
Key
generateKey(keySize, for example 192)
Cipher
init(key)*
My message
doFinal
4fg67d34lk4lk
getInstance(“AES”)
getInstance(“AES”)
Key
Key size restrictions
“Illegal key size...” (calling init with keysize 192)
Limit on key sizes outside USA
• Install “unlimited strength jurisdiction policy files”
• /jre/lib/security/local_policy.jar, export_policy.jar
Java 8u152 includes unlimited strength jars
Java 8u162 and up have unlimited strength by default
https://golb.hplar.ch/2017/10/JCE-policy-changes-in-Java-SE-8u151-and-8u152.html
DEMO
AES Encryption (with ECB)
Electronic CopyBook Encryption (ECB)
JFokus!! JFokus!! JFokus!!
12345678 12345678 12345678
Cipher Block Chaining
Symmetric encryption with IV in
SecureRandom
IvParameterSpec
nextBytes(array)
init init
My message
doFinal
4fg67d34lk4lk
KeyGenerator
Key
generateKey (192)
getInstance
(“AES”)
Cipher
getInstance
(“AES”)
DEMO
AES Encryption with CBC
Application: Encrypt a Wallet (or zip file)!
“myPassword” PBKDF2 SHA256 AES
Password-Based Key Derivation Function
Cryptography 101 for Java developers
Martin
Hellman
Whitfield
Diffie
Cryptography 101 for Java developers
Asymmetric keys
(public key cryptography)
Public key algorithms
• Diffie-Hellman key agreement protocol
• RSA (Rivest-Shamir-Adleman) – key size 1024,2048, 3072
• ECC (Elliptic Curve Cryptography) – keysize 128
Asymmetric cryptography in
KeyPair
generateKeyPair
init(keyPair.getPrivate())
Cipher
init(keyPair.getPublic())
KeyPairGeneratorgetInstance(“RSA”)
Cipher
getInstance(“RSA”)
My message
doFinal
4fg67d34lk4lk
My message
doFinal
Demo
RSA Encryption
Don’t use Asymmetric encryption to encrypt large blocks of data
RSA in particular is slow
…but you CAN use it for…
• Generating symmetric keys (Diffie-Hellman)
• Encryting / Decrypting symmetric keys
• Encrypting hashes, or message digests (Digital Signature)
Encryption solves the problem of confidentiality…
…But not integrity
Digital signatures
HMAC - Digital signature using symmetric encryption
Digital signatures in
KeyGenerator
getInstance(“HMACSha256”)
Mac
getInstance(“HMACSha256”)
Key
generateKey(keySize)
Init(key)
My message
4fg67d34lk4lk Signature
Digital signature using asymmetric encryption
Digital signatures in
KeyPair
generateKeyPair
init(keyPair.getPrivate())
Signature
init(keyPair.getPublic())
KeyPairGeneratorgetInstance(“RSA”)
Signature
getInstance(“RSA”)
My message
sign
4fg67d34lk4lk
verify
update
Signing crypto transactions
Demo
Digital signature
We’ve seen…
• Confidentiality (encryption)
• Integrity (digital signatures)
… but what about authenticity?
https://www.jscape.com/hubfs/images/csr-ca-signed-server-certificate.png
Cryptography 101 for Java developers
Cryptography 101 for Java developers
JCA Keystore
myKeystore.jks
Keystore keyStore = keyStore.getInstance(“JKS”);
keyStore.load(inputstream, keystorepassword);
Key key = keyStore.getKey(alias, keypassword);
Certificate certificate = keyStore.getCertificate(alias);
keytool.exe
*.JKS
*.JCEKS
*.PKCS12 Generate keys
Import/export certs
Create CSR
Keytool.exe
• Generate keypair
keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -
storepass password -validity 360 -keysize 2048
• Generate certificate request
keytool -certreq -alias selfsigned -keystore keystore.jks -storepass
password
• Export certificate
• keytool -exportcert -keystore keystore.jks -storepass password -alias
selfsigned > out.cer
Cryptography 101 for Java developers
https://www.cryptologie.net/article/340/tls-pre-master-secrets-and-master-secrets/
• Diffie-Hellman
• RSA
Send certificate
Encrypt with
Public key / DH
Decrypt with
Private key /DH
Generate symmetric
key
Generate symmetric
key
AES Encryption
AES Encryption
HTTPS
Validate certificate
Check digital
signature
We’ve seen…
•JCA/ JCE Architecture
•Message Digests
•(A)Symmetric encryption
•Digital signatures
•Certificates
@MichelSchudel
michel@craftsmen.nl
https://github.com/MichelSchudel/crypto-demo
Cryptography 101 for Java developers
Demo slides
KeyGenerator generator = KeyGenerator.getInstance("AES", "BC");
generator.init(192);
Key key = generator.generateKey();
Obtain a key
Init the algorithm with the key
Cipher cipher = Cipher.getInstance("AES/ECB/NoPadding", "BC");
cipher.init(Cipher.ENCRYPT_MODE, key);
Encrypt the data
byte[] encryptedOutput = cipher.doFinal(“Hello, Jfokus!!!”.getBytes());
CE 41 54 A4 0F E0 2B 0C 7F C7 4B 2F 6E B5 B4 7A CE 41 54 A4 0F E0
2B 0C 7F C7 4B 2F 6E B5 B4 7A CE 41 54 A4 0F E0 2B 0C 7F C7 4B 2F 6E B5 B4 7A
cipher.init(Cipher.DECRYPT_MODE, key);
cipher.doFinal(CE 41 54 A4 0F E0 2B 0C 7F C7 4B 2F 6E B5 B4 7A CE 4
2B 0C 7F C7 4B 2F 6E B5 B4 7A CE 41 54 A4 0F E0 2B 0C 7F C7 4B 2F 6E B5 B4
Decrypting
hello, JFokus
KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
kpg.initialize(2048);
KeyPair kp = kpg.generateKeyPair();
Key pub = kp.getPublic();
Key pvt = kp.getPrivate();
Obtain a key
Cipher cipher = Cipher.getInstance("RSA");
cipher.init(Cipher.ENCRYPT_MODE, privateKey);
return cipher.doFinal(message.getBytes());
Encryption
Signature dsa = Signature.getInstance("SHA256withRSA");
dsa.initSign(keyPair.getPrivate());
dsa.update(“Hi Jfokus!!!!”.getBytes());
byte[] signature = dsa.sign();
Creating a digital signature of a payload
Signature dsa = Signature.getInstance("SHA256withRSA ");
dsa.initVerify(kp.getPublic());
dsa.update(“Hi Jfokus!!!!”.getBytes());
boolean signatureIsOk = dsa.verify(signature);
Verifying a signature
KeyGenerator generator = KeyGenerator.getInstance("HMACSha256");
Key key = generator.generateKey();
// create signature
Mac mac = Mac.getInstance("HMACSha256");
mac.init(key);
byte[] input = "Hello, world!".getBytes();
byte[] signature = mac.doFinal(input);
// validation of signature
byte[] recievedInput = "Hello, world! ".getBytes();
byte[] newSignature = mac.doFinal(recievedInput);
// now compare newly generated signature with received signature
assertEquals(new String(signature), new String(newSignature));
Symmetric signing (HMAC)
MessageDigest digester = MessageDigest.getInstance("SHA-256“);
Obtain a hash function
Put some data in the function
digester.update(“Hi there”.getBytes());
Digest the data
digester.digest();
68 B1 28 2B 91 DE 2C 05 4C 36 62 9C B8 DD 44 7F 12 F0 96 D3 E3 C5 87 97 8D C2 24 84 44 63 34 83

More Related Content

Cryptography 101 for Java developers