Session 4 Module 6: Digital signatures

Presentation transcript:

1 Session 4 Module 6: Digital signatures

Digital Signatures / Session4 / 2 of 18
Module 4, 5 - Review (1)
- The Java 2 security model provides a consistent and flexible policy for applets and applications.
- Types of security restrictions:
  - File access restrictions
  - Network restrictions
  - Other security restrictions
- Securing applet
- Securing application

Module 4, 5 - Review (2)
- Java Authentication & Authorization Service (JAAS) is an API that enables Java applications to access authentication and access control services without being tied to those services.
  - Authentication
  - Authorization
- Cryptography is the mechanism of encoding information in a secret coded form.
- JCA, the Java security API, is a new addition to the library of Java APIs. It is a framework written in Java to access and develop cryptographic functionality.
- JCE is a set of packages that provides implementations for encryption, key generation and agreement, and message authentication codes.

Module 6 - Objectives
- Introduction to digital signatures
- Signing and verifying data using Java tools
- Signing and verifying data using the security API

Digital signature
- Digital signatures are used to digitally sign messages or objects.
- Digital signatures are used to verify that the content of a message is unaltered, and help to identify the creator of a message.
- A digital signature is used for:
  - Ensuring message content integrity
  - Verifying the authenticity of the message sender

How to create digital signature?
- Digital signatures are generated by public key cryptography, using public and private keys to encrypt and decrypt messages.
- Public key: used by a receiver to decrypt a message
- Private key: used by the sender to encrypt a message
- Message digest: a fixed-length result of converting the contents of a message into a hash, like a cyclic redundancy check. SHA-1 and MD5 are examples of algorithms for converting message text into a message digest.

Working of digital signatures (1)
- Digital signatures work by using the mechanisms of encryption and decryption.
- Encryption
  - A hash or a message digest is prepared using the hashing algorithm.
  - The hashed data or message digest is encrypted using the sender's private key.
  - The digital signature and the sender's public key are appended to the end of the message.

Working of digital signatures (2)
- Decryption
  - The receiver receives the message and a digitally signed message digest.
  - The receiver separately calculates a message digest for the received message.
  - The receiver uses the sender's public key to decrypt the signed message digest that was received and compares this to the independently calculated message digest.
  - If the two digests do not match, the data may have been tampered with, may not be authentic, or may not have been intended for the receiver.

Working of digital signatures (3)
[Diagram. Labels: Sender, Message, Calculate hash, Message hash, Encryption using hash, Encrypted Message, Signed hash + public key; Receiver, Un-tampered Message, Calculate new hash, New hash, Compared with signed hash]

Drawbacks of digital signatures
- Non-repudiation: disclaiming responsibility for a sent message
- Time stamping: signatures do not contain any record of the date and time when a particular document was signed

Digital Certificates
- Digital certificates prevent impersonation by storing a widely known and distributed public key.
- A certification authority (CA) issues these certificates and ensures the validity of the public key contained in the certificate and the authenticity of the certificate owner.
- Standards of digital certificates
  - X.509:
    - was created by the international telephone standards body
    - is used by Microsoft's Authenticode, Netscape's Object Signing, and Marimba's Channel Signing
  - PGP (Pretty Good Privacy):
    - was developed by Phil Zimmermann
    - is used for encrypting, compressing and authenticating messages and attachments

Working with certificates
- The keytool utility can display, import and export certificates in addition to key pairs.
- When a new public/private key pair is created, a self-signed certificate signed by the same entity that created the key pair is obtained.
- The request for the certificate is made as follows:
- Example:

    keytool -certreq -alias aptechkey -file test.txt

Verifying Data
- Signing and verifying data using:
  - Java tools: using the jar tool and the jarsigner tool
  - Security API

Using jar tool and jarsigner
- Before a Java program can be digitally signed, it must be packaged into an archive consisting of all class files and other files with the help of the jar tool.
- jarsigner then digitally signs a Java archive. Example:

    jarsigner MyApplet.jar aptechkey

- The key must have gone through a verification process before use.
- The password of the keystore and the password associated with the private key are required to authenticate an archive when jarsigner is used.
- jarsigner is also used to verify a digitally signed archive by checking if the private key matches the Java archive.

Signing data using security API (1)
- Step 1: Generate a Key-Pair Generator

    import java.security.*;

    KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA", "SUN");

- Step 2: Initialize the Key-Pair Generator

    SecureRandom r = SecureRandom.getInstance("SHA1PRNG", "SUN");
    kpg.initialize(1024, r);
    KeyPair p = kpg.generateKeyPair();
    PrivateKey privKey = p.getPrivate();
    PublicKey pubKey = p.getPublic();

- Step 3: Get a Signature Object

    Signature dsa = Signature.getInstance("SHA1withDSA", "SUN");

- Step 4: Initialize the Signature Object

    dsa.initSign(privKey);

Signing data using security API (2)
- Step 5: Supply the data to be signed to the Signature Object

    import java.io.*;

    FileInputStream input = new FileInputStream("data.txt");
    BufferedInputStream inputBuf = new BufferedInputStream(input);
    byte[] dataBuffer = new byte[1024];
    int len;
    // read() returns -1 at end of file; feed each chunk to the Signature object
    while ((len = inputBuf.read(dataBuffer)) != -1) {
        dsa.update(dataBuffer, 0, len);
    }
    inputBuf.close();

- Step 6: Generate the Signature

    byte[] dataSignature = dsa.sign();

- Step 7: Save the digital signature and the public key in two different files

Verifying the signature
- Create a Signature instance using the same signature algorithm as that used to generate the signature.
- Initialize the signature instance with the public key.
- Supply the signature object with the data to be verified by reading one byte array at a time.
- Invoke the verify() method on the newly created Signature object to compare the two signatures.
- The verify() method returns a Boolean value denoting the authenticity of the signature.
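
An added example, not part of the original slides, that runs the signing steps and the verification steps above end to end with the java.security API, including the check that a modified message fails verification. The class and method names are hypothetical and the message is constructed; it uses SHA256withDSA with a 2048-bit key rather than the slides' SHA1withDSA and 1024 bits, which NIST no longer approves for generating signatures.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.X509EncodedKeySpec;

// Added example: class/method names are hypothetical, the message is constructed.
public class SignVerifyDemo {
    // Sender side: sign the data with the private key (steps 3-6 on the slides).
    static byte[] sign(PrivateKey privKey, byte[] data) throws GeneralSecurityException {
        Signature dsa = Signature.getInstance("SHA256withDSA");
        dsa.initSign(privKey);
        dsa.update(data);
        return dsa.sign();
    }

    // Receiver side: rebuild the public key from its X.509 encoding (the bytes
    // step 7 would have saved to a file) and check the signature over the data.
    static boolean verify(byte[] encodedPubKey, byte[] data, byte[] sig)
            throws GeneralSecurityException {
        PublicKey pubKey = KeyFactory.getInstance("DSA")
                .generatePublic(new X509EncodedKeySpec(encodedPubKey));
        Signature dsa = Signature.getInstance("SHA256withDSA");
        dsa.initVerify(pubKey);
        dsa.update(data);
        try {
            return dsa.verify(sig);
        } catch (SignatureException e) {
            return false; // malformed signature bytes count as a failed check
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA");
        kpg.initialize(2048, new SecureRandom());
        KeyPair pair = kpg.generateKeyPair();

        byte[] message = "constructed sample message".getBytes(StandardCharsets.UTF_8);
        byte[] signature = sign(pair.getPrivate(), message);
        byte[] pubKeyBytes = pair.getPublic().getEncoded(); // X.509 SubjectPublicKeyInfo

        byte[] tampered = message.clone();
        tampered[0] ^= 0x01; // flip one bit of the data

        System.out.println("original verifies: " + verify(pubKeyBytes, message, signature));
        System.out.println("tampered verifies: " + verify(pubKeyBytes, tampered, signature));
    }
}
```

A public key read from a file next to the signature only proves that the data matches that key; binding the key to a sender is what the certificate import in the summary slide is for.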

Module 6 - Summary
- Digital signatures are used to digitally sign messages or objects to identify their creators.
- A digital certificate must first be imported as a trusted certificate, and then the signature has to be verified to authenticate the sender.
- Signing and verifying data using:
  - Java tools
  - Security API