Table of Contents: Java Cryptography Extensions
The Morgan Kaufmann Practical Guides Series
Series Editor: Michael J. Donahoo
Java Cryptography Extensions: Practical Guide for Programmers
Jason Weiss
JSP: Practical Guide for Java Programmers
Robert J. Brunner
JSTL: Practical Guide for JSP Programmers
Sue Spielman
Java: Practical Guide for Programmers
Zbigniew M. Sikora
The Struts Framework: Practical Guide for Java Programmers
Sue Spielman
Multicast Sockets: Practical Guide for Programmers
David Makofske and Kevin Almeroth
TCP/IP Sockets in Java: Practical Guide for Programmers
Kenneth L. Calvert and Michael J. Donahoo
TCP/IP Sockets in C: Practical Guide for Programmers
Michael J. Donahoo and Kenneth L. Calvert
JDBC: Practical Guide for Java Programmers
Gregory D. Speegle
For further information on these books and for a list of forthcoming titles,
please visit our website at http://www.mkp.com/practical
Java Cryptography Extensions
Practical Guide for Programmers
Jason Weiss
AMSTERDAM • BOSTON • HEIDELBERG • LONDON
NEW YORK • OXFORD • PARIS • SAN DIEGO
SAN FRANCISCO • SINGAPORE • SYDNEY • TOKYO
Morgan Kaufmann is an imprint of Elsevier
Senior Editor Rick Adams
Publishing Services Manager Andre Cuello
Project Manager Anne B. McGee
Associate Editor Karyn Johnson
Cover Design Yvo Reizebos Design
Cover Image Image #939879: © BananaStock/BananaStock, Ltd./PictureQuest
Composition CEPHA Imaging Pvt. Ltd.
Technical Illustration Dartmouth Publishing, Inc.
Copyeditor Graphic World Publishing Services
Proofreader Graphic World Publishing Services
Indexer Graphic World Publishing Services
Interior printer The Maple-Vail Book Manufacturing Group
Cover printer Phoenix Color Corp.
Morgan Kaufmann Publishers is an imprint of Elsevier.
500 Sansome Street, Suite 400, San Francisco, CA 94111
This book is printed on acid-free paper.
© 2004 by Elsevier Inc. All rights reserved.
Designations used by companies to distinguish their products are often claimed as trademarks or
registered trademarks. In all instances in which Morgan Kaufmann Publishers is aware of a claim, the
product names appear in initial capital or all capital letters. Readers, however, should contact the
appropriate companies for more complete information regarding trademarks and registration.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any
form or by any means, electronic, mechanical, photocopying, scanning, or otherwise, without prior
written permission of the publisher.
Permissions may be sought directly from Elsevier's Science & Technology Rights Department in
Oxford, UK: phone: (+44) 1865 843830, fax: (+44) 1865 853333, e-mail: [email protected].
You may also complete your request on-line via the Elsevier homepage (http://elsevier.com) by
selecting "Customer Support" and then "Obtaining Permissions."
Library of Congress Cataloging-in-Publication Data
Weiss, Jason.
Java cryptography extensions : practical guide for programmers / Jason Weiss.
p. cm.
Includes bibliographical references and index.
ISBN 0-12-742751-1
1. Java (Computer program language) 2. Cryptography. I. Title.
QA76.73.J38W445 2004
005.8'2--dc22
2003070900
For information on all Morgan Kaufmann publications,
visit our Web site at www.mkp.com.
Printed in the United States of America
04 05 06 07 08 5 4 3 2 1
For my wife Meredith and our son Kyle,
whom I love more dearly than anything else
Contents
Preface ix
1 Understanding Java's Cryptographic Architecture 1
1.1 Java and Cryptography 3
1.2 Java Cryptography Architecture 4
1.3 Java Cryptography Extension (JCE) 7
1.4 Understanding the Service Provider Interface Architecture
1.5 Installing Providers 9
1.5.1 Static Provider Registration 10
1.5.2 Dynamic Provider Registration 11
1.6 JCA Helper Classes 13
1.6.1 The Security Class 13
1.6.2 The Provider Class 14
1.6.3 Code Example: Obtaining a List of Installed Providers, Formal Names 15
1.6.4 Code Example: Listing a Provider's Supported Algorithms 19
1.6.5 Code Example: Obtaining a List of Installed Algorithms 22
1.7 Working with Jurisdiction Policy Files 27
2 Working with Symmetric Ciphers 29
2.1 Random Number Generation 30
2.2 The SecureRandom Engine 31
2.2.1 Code Example: Generating Random Values 32
2.3 The KeyGenerator Engine 33
2.3.1 Algorithm Independent Initialization 34
2.3.2 Algorithm Specific Initialization 35
2.3.3 Obtaining the Symmetric Cipher Key via SecretKey Class 35
2.4 Avoiding Opaque Keys 36
2.4.1 Code Example: Converting a Key into a Key Specification, Option 1 36
2.4.2 Code Example: Converting a Key into a Key Specification, Option 2 39
2.5 Categorizing Symmetric Ciphers 40
2.5.1 Key Management 41
2.5.2 Non-Repudiation 41
2.5.3 Data Integrity 42
2.6 Padding and Cipher Modes 42
2.6.1 Padding 43
2.6.2 Cipher Modes 44
2.7 The Cipher Engine 46
2.7.1 Initializing the Engine 48
2.7.2 Code Example: Block Cipher Encryption 49
2.7.3 Code Example: Secure Streaming Cipher Encryption 52
2.7.4 Code Example: Secure Streaming Cipher Decryption 55
2.8 Password Based Encryption 59
2.8.1 Code Example: Password Based Encryption with a Message Digest and an Encryption Algorithm 60
2.9 Bringing Order to Chaos: Picking a Cipher 64
2.9.1 DES 64
2.9.2 DESede a.k.a. TripleDES 64
2.9.3 Advanced Encryption Standard (AES) 64
2.9.4 Blowfish 65
3 Working with Asymmetric Ciphers and Key Agreement Protocols 67
3.1 The KeyPairGenerator Engine 69
3.1.1 Code Example: Algorithm Independent Key Pair Generation 69
3.1.2 Comparing Symmetric and Asymmetric Keys 71
3.1.3 Persisting a Key: Key Encodings Defined 72
3.1.4 Code Example: Inspecting Key Encodings 72
3.1.5 Code Example: Loading an X.509 Encoded Public Key from Disk 75
3.1.6 Code Example: Loading a PKCS#8 Encoded Private Key from Disk 76
3.2 Revisiting the Cipher Engine 78
3.2.1 Code Example: Encrypting a File with a Public Key 78
3.2.2 Code Example: Decrypting a File with a Private Key 81
3.3 Comparing Keys for Equality 84
3.4 Looking to the Future: Elliptic Curve Cryptography 84
3.4.1 Asymmetric Cipher Wrap-up 85
3.5 The KeyAgreement Engine 85
3.5.1 Code Example: Key Exchange to Establish a Secure Channel 86
4 Message Digests, Message Authentication Codes, and Digital Signatures 101
4.1 Choosing a Message Digest Algorithm 102
4.1.1 An Overview of MD5 102
4.1.2 An Overview of SHA-1 103
4.1.3 An Overview of RIPEMD 103
4.2 The MessageDigest Engine 103
4.2.1 Code Example: Generating a Message Digest 103
4.2.2 Message Digest Performance 106
4.2.3 Understanding Message Digest Shortcomings 107
4.3 The Mac Engine 107
4.3.1 Code Example: Generating a Hashed MAC Digest 108
4.3.2 Understanding MAC Shortcomings 110
4.4 Digital Signatures 111
4.5 The Signature Engine 113
4.5.1 Code Example: Generating a Digital Signature Using a Private Key 113
4.5.2 Code Example: Verifying a Digital Signature Using a Public Key 115
5 Managing Keys and Certificates 119
5.1 The Need for Key Management 119
5.2 Digital Certificates Defined 120
5.3 The KeyStore Engine 121
5.3.1 The keytool Utility 124