The Java Crypto API ICW Lecture 3 Tom Chothia

Reminder of Last Time: Your programs defines “Classes”. Each class defines “Objects”. An Object is defined as having a number of “Fields” that store data......and a number of “Methods” that perform computation.

This Time: Read and write from files. Generate and handle keys. How to encrypt and decrypt – public key encryption, – and symmetric key encryption. Hashes. Keystores

But this Lecture is Really About: APIs APIs are Application Programming Interfaces. They are libraries of useful programs that do most of the work for us. A lot of programming Java is using the right API.

Reading and Writing to a File Make a java.io.File object. Get the input and output streams. Put wrappers round the steams, e.g., PrintReader for strings. DataInputString for bytes. Read and write using.read and.write. Close using.close.

Code Demo See ReadWriteFile.java

Symmetric Key Encryption Symmetric key encryption uses the same key to encrypt and decrypt the message. encrypt (plain text, key) = cipher text decrypt(cipher text, key) = plain text Symmetric key encryption is fast, but handling the key can be difficult.

Popular Types of Symmetric Encryption Advanced Encryption Stardard (AES) –A good cipher, maybe the best. Data Encryption Standard (DES)/3DES –The old stardard, key now to short. –Still OK if you us it 3 times. –Used in e-passports.

Popular Types of Symmetric Encryption BlowFish –Like AES, RC4: Rivest Cypter 4 –Fast, used in SSL, WPA, problem is related keys are used in different sessions.

Public Key Cryptography Public Key Cryptography uses 2 keys: – A public key for encryption – A private key for decryption. You can tell anyone you public and anyone can encrypt data just for you. Only you can read the message.

Types of Public Key Cryptography Diffie-Hellman – First public key system. – Security based on the logs. RSA – Most common public key system. – Security based on factoring large primes – If in doubt use RSA Elliptic Curve – Based on curves in a finite field.

Useful APIs for Crypto javax.crypto.Cipher: – the Cipher object does the encryption. java.security.Key – a cryptographic key java.secuity.KeyFactory – Turn bytes into Key Objects. Also RSAPublicKey, X509EncodedKeySpec,... (remember cmd-shirt-O in Eclipse).

java.security.KeyGenerator Create the object with: kg = KeyGenerator.getInstance( ); Give the key length (if needed): kg.initialize(1024); Read out the key: Key key = kg.genKeyPair();

java.security.KeyPairGenerator Create the object with: kg = KeyPairGenerator.getInstance( ); Key the key length: kg.initialize(1024); Read out the keys: KeyPair keypair = kg.genKeyPair(); PrivateKey privKey = keypair.getPrivate(); PublicKey publicKey = keypair.getPublic();

Encryption In Java Steps to encrypt data in Java (see example code): Import package Create a cipher object Initiate the cipher object with the scheme you want in encrypt or decrypt mode. Pass the object the data you want to encrypt. Read the cipher text out. Decrypt in the same way.

Code Demo Encrypt file

Summary I've just shown you how to Read and write from files. Generate keys. How to encrypt and decrypt. Still to come: Read and write keys to files Keystores Hashes

Java keytool Most Java programs use existing keys rather than create keys themselves. The keytool command can be used to generate keys outside Java.

Saving a Key We can read and write the bytes of a key to a file. This is a bad idea. We want to – protect read access to private keys, – and make sure the publics ones are real.

The KeyStore Class A KeyStore holds password protected private keys and public keys as certicates. Make keystores using the keytool e.g. keytool -genkey -keyalg RSA -keypass password -alias mykey -storepass storepass -keystore myKeyStore

Demo Making a KeyStore with the keytool

KeyStore Methods getInstance(“JKS”): – creates a keystore Load(file,password): – loads key data from a file using password. getKey(alias,password) – get the key “alias” with given password getCertificate(alias) – gets a public key as a certificate

File Encryption Program Combining these we can write a program to encrypt files. See demo.

Hashes A hash of any Object is a short string generated from that Object. The hash of an object is always the same. Any small change makes the hash total different. It is very hard to go from the hash to the object. It is very unlikely that any two different objects have the same hash.

Types of Hash Algorithm SHA-1, SHA-2 current standard, however it is possible to file two messages that have the same hash. MD5 often used for error checking can also find two files with the same hash.

Hashes in Java See Hash.java

Uses of Hashing Download verification Message Verification Passwords (demo)

Password Cracking If an attacker gets the password shadow file – they can try to guess a password – and check if the hash of their guess is in the list. Truly random passwords are safe. Dictionary words are not.

Exercise 1: SHA1 password cracker. In 1 week I will give you a shadow file of SHA1 hashed passwords. You have to write a program that – Guesses a password – Hashes the Guess – Checks to see if it is in the list. Hint: find a list of common passwords online, and use this to build more.

Conclusion Encryption can be public key or symmetrical. Use a Cipher Object in Java to do de/encryption. Keep your keys in a password protected KeyStore.

Next Time How to make connections across the Internet. TCP/IP protocol Sockets in Java.