• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Java Crypto
 

Java Crypto

on

  • 4,450 views

 

Statistics

Views

Total Views
4,450
Views on SlideShare
4,437
Embed Views
13

Actions

Likes
1
Downloads
142
Comments
0

2 Embeds 13

http://www.slideshare.net 10
http://croice.com 3

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Java Crypto Java Crypto Presentation Transcript

    • GS: Chapter 3 Encryption, Authentication and Java Cryptography
    • Cryptography & Java
      • Encryption
      • Authentication
      • Java Cryptography
    • Encryption
      • Encryption Basics:
        • An algorithm ( or cipher) and a key are required in order to encrypt or decrypt messages.
        • Example: the Caesar cipher (p.34)
          • A symmetric, stream cipher
          • Exercise: Encrypt “DDAY” using Caesar cipher (5).
          • Answer: “IIFD”.
          • Q: What is the algorithm?
          • Q: What is the key?
          • Q: How would the cipher be decrypted?
    • Encryption
      • Symmetric Encryptions:
        • Both the encrypter and the decrypter share the same key.
        • Key space : The set of possible keys that work with a cipher; determined by the number of bits used in the cipher.
        • The larger the key space is, the more secure the encryption will be.
        • Each additional bit added to the key length doubles its security.
    • Encryption
      • Symmetric Encryptions:
        • Two types of symmetric ciphers: block ciphers and stream ciphers.
        • Examples of symmetric encryptions:
          • DES (Data Encryption Standard) & TripleDES: block ciphers
          • Blowfish: a faster and more secure replacement of DES
          • RC4 (Rivest’s Code 4): a stream cipher
          • AES (Advanced Encryption Standard): a block cipher
    • Encryption
      • Limitations of Symmetric Encryptions:
        • Key distribution can be a vulnerability.
        • If the key is exposed, the encrypted message and all future communication using the same key will suffer the eavesdropping attack .
        • Key management problems: distribution, update, revoking
    • Encryption
      • Asymmetric Encryptions:
        • Also known as ‘public key encryption’
        • Messages encrypted with the public key can only be decrypted by the corresponding private key .
        • The public key can be made known to the public, but the private key is kept as secret and only known to the owner of the key.
        • Examples of asymmetric encryption algorithms:
          • Merkel Hellman Knapsacks
          • RSA: Rivest, Shamir, Adleman
          • El Gamal
    • Encryption
      • Limitations of asymmetric Encryptions:
        • Asymmetric encryption requires much larger keys than symmetric encryption.
          • A 1024-bit asymmetric key ~= a 128-bit symmetric key
          • Why?
        • Asymmetric encryption is much slower (~ 1000 times slower) than symmetric encryption.
        • It is subject to man-in-the-middle attack .
          • Solution? Digital certificates (Ch. 6)
    • Encryption
      • Session-key Encryption
        • A session-key is a symmetric key that is used to encrypt the plaintext message. The session key itself is encrypted using a public key.
        • Sender:
          • C = Spub ( S ) + Sencrypt (message)  Recipient
        • Recipient:
          • Spriv ( Spub (S) )  S
          • Sdecrypt (Sencrypt (message))  message
        • Alternatively, the session key may be assigned an expiration time and be used over several sessions.
    • Encryption
      • Examples of Session-key Encryption
        • PGP (Pretty Good Privacy):
          • Originally (1991) used to encrypt e-mail using session-key encryption
          • Supports RSA, TripleDES, etc.
          • http://www. pgp .com/
        • S/MIME (Secure/MIME):
          • Invented by RSA to secure e-mail
          • Backed by Microsoft, RSA, and AOL
        • SSL/TLS (Secure Socket Layer/Transport Layer Security): Ch. 9
          • Originally an attempt to secure TCP/IP traffic using encryptions
    • Encryption
      • Key Agreement Algorithm
        • A key agreement algorithm takes the private and the public keys of two distinct parties (Apriv + Bpub or Apub + Bpriv) and generates a common shared secret key , which is then used to generate a session key. See the diagram on p.41.
        • Diffie-Hellman Key Agreement Algorithm: The first ever public key encryption
        • Allows two parties to independently generate the shared key; The session key is never transmitted.
        • References:
          • See http://www.apocalypse.org/pub/u/seven/diffie.html
          • IETF RFC2631: http://www.ietf.org/rfc/rfc2631.txt
    • Encryption
      • Strength of Encryption Algorithms
        • Two factors:
          • The algorithm used +
          • The size of the key space
        • See the tables comparing symmetric ciphers (p.42) and asymmetric ciphers (p.43)
    • Alternative Data-hiding Methods
        • Steganography: hiding messages inside another message or in a picture.
          • See “ Steganography : Hidden Data ”. By Deborah Radcliff. ComputerWorld . June 10, 2002.
        • Elliptic Curve Cryptography (ECC): based on the elliptic curve logarithm problem; a more efficient public key encryption (faster, smaller key size)
          • An intro: http://world.std.com/~dpj/elliptic.html
        • Codes, one-time pads, etc.
    • Authentication
      • The process of determining the authenticity of a message or user.
      • Methods:
      • Message Digest
        • a check value generated from a document, usually generated by a hash function
        • to prove that the data in the document has not been tampered with.
        • Commonly used for password authentication (i.e., one-way authentication)
        • Examples: MD4, MD5, SHA (secure hash algorithm)
        • Any problem? Man-in-the-middle attack Why?
    • Authentication Methods
      • MAC (Message Authentication Codes)
        • A message digest created with a key
        • Typically used for data verification in a context where a secure connection is already available.
        • Example: SSL uses MACs to verify the data received, using a secret key that is exchanged at the beginning of the session.
        • Example MACs:
          • HmacMD5 (Hashing MAC using MD5)
          • HmacSHA1 (Hashing MAC using SHA-1)
    • Authentication Methods
      • Digital Signatures
        • Based on public key encryption
        • Computed with a person’s private key and verified with the person’s public key
        • An example of creating a digital signature: p.48
          • The sender applies a message digest algorithm to get a message digest (md) out of the message to be sent.
          • The message digest is then encrypted by the person’s private key. The ciphertext is the digital signature (ds).
        • To check the digital signature:
          • The recipient applies the digest algorithm to get a message digest (md-2).
          • The recipient decrypts the ds using the sender’s public key.
          • The output from step 2 is verified against md-2.
    • Authentication Methods
      • Digital Certificates
        • Purpose: To authenticate a person’s public key
        • “ Vouching”: one party certifies that another party’s identity is authentic. e.g., passport, id cards
        • A digital certificate for A is A’s public key plus some identifying information, signed by the private key of a certification authority (CA) verifying A’s identity.
        • Other example usage of certificates:
          • To authenticate a host/server (e.g., SSL certificates)
          • To sign and encrypt e-mail
    • Authentication Methods
      • Digital Certificates (Cont.)
        • Certificates are often chained . That is, a CA may be authenticated by a root CA .
        • The top CA of a certificate chain must be self-signed.
        • Verisign has been accepted as the top CA.
        • Example of certificate chaining: Both Internet Explorer and Netscape Communicator include certificates from Verisign in their install. So when the browser makes an SSL connection to a server, if the server presents a certificate that is signed by Verisign, the server’s certificate will be automatically accepted.
    • Cryptanalysis
      • The practice of analyzing and breaking cryptography
      • Mehtods:
        • Brute force attack versus the key space
        • Common cryptanalytic tools: Frequency distribution, Digram/trigram study, IC, Repeated patterns, Probable letters
        • 4 cryptanalytic cases:
          • Ciphertext only  Ciphertext-only attack
          • Full or partial plaintext
            • Known plaintext attack
            • Probable plaintext analysis
          • Ciphertext of any plaintext  Chosen plaintext attack
          • Algorithm + Ciphertext  Chosen ciphertext attack
    • Key Management (storage)
      • A dilemma: Keys must be securely stored while allowing users easy access when necessary.
      • A typical solution is to encrypt the stored keys with passwords and then protect the storage with the OS access control.
      • A key storage is an attractive target for attack.
      • The smart card solution: A smart card stores a private key and a certificate, which can be used to encrypt and/or decrypt information.
      • An example of smart card solution: See Protection of Keys (RSA vs nCipher)
    • Cryptographical Protocols
      • Cryptographical protocols determine the exact order and way in which each algorithm must be used in order to maximize security.
      • Examples of protocols:
        • Distribution of keys,
        • Certificates, Digital signatures,
        • Key escrow,
        • Mental poker,
        • Electronic voting,
        • oblivious transfer, contract signing,
        • certified mail
    • JCA/JCE
      • Java Cryptography Architecture (JCA) is part of the Java 2 run-time environment.  java.security.*
      • JCE (Java Cryptography Extension), on the other hand, is an extension to the JCA. JCE adds encryption and decryption APIs to the JCA.  java.crypto.*
      • Major classes defined in JCA:
        • MessageDigest, Signature, KeyPairGenerator, KeyFactory, CertificateFactory, KeyStore, AlgorithmParameters, AlgorithmParameterGenerator, SecureRandom, …
    • JCA/JCE
      • A cryptographic service provider implements various cryptographic algorithms.
      • See page 54 for a list of algorithms implemented in the SUN provider (sun.security.provider.Sun), Java 2 (v1.2).
      • A second provider, the RSAJCA provider (com.sun.rsajca.Provider) is shipped with JDK v1.3, to provide RSA-specific cryptos.
    • JCA
      • An example of using MessageDigest in the JCA:
        • Get an instance of a message digest.
          • MessageDigest myMessageDigest =
          • MessageDigest. getInstance (“MD5”);
          • Or MessageDigest myMessageDigest =
          • MessageDigest.getInstance (“MD5”,”Sun”);
        • Add data to be digested.
          • myMessageDigest. update (myData);
        • Get the digest.
          • byte [ ] signatureBytes =
          • myMessageDigest. digest ( );
    • JCE
      • Major JCE classes:
        • Cipher, KeyAgreement, KeyGenerator, MAC, SecretKey, SecretKeyFactory
      • JCE needs to be separately downloaded and installed if you have JDK older than v1.4.  For JDK1.4 or higher, JCE is an integrated component.  
      • See http://java.sun.com/products/ jce /index-14.html for more details.
    • JCE
      • Installation of JCE security provider
      • Sample programs: http://nas.cl.uh.edu/yang/teaching/csci5931webSecurity/JCE%20provider.htm
      • Visit http://sce.cl.uh.edu/yang/teaching/proJavaSecurityCode.html and download all the sample programs from the book.
    • Next
      • Symmetric Encryption (GS: 4)
      • Asymmetric Encryption (GS: 5)