SECURE EMAILS: AN INTEGRITY ASSURED EMAIL
SYSTEMS USING PKI
Mohd Yousuf, Dept. of Computer Science & Engineering, Maulana Azad National Urdu University, Hyderabad, yousuf.asifia@gmail.com
Md Touseef Sumer, Dept. of Electronics and Communication Engineering, Maulana Azad National Urdu University, Hyderabad, touseefsumer@yahoo.com
Abstract - The most important aspect of any application is security. Complex business systems, e-Commerce and automated business
transactions require robust security measures. Companies using the internet environment as a platform to conduct business have a
better probability of success if there is security. However, for e-commerce on the internet, additional security and integrity
mechanisms become necessary. Merchants are typically not willing to ship goods or perform services until a payment has been
accepted for them. Authentication can allow for a measure of non-repudiation so the customer cannot deny the transaction
occurred. Similarly, consumers need assurance that they are purchasing from a legitimate enterprise, rather than a hacker’s site
whose sole purpose is to collect credit card numbers. With the changes in today’s business environments and the shift from the
traditional face-to-face business models, mechanisms must be developed to ensure that trusted relationships are maintained. The
PKI message service is intended to provide mechanisms to ensure trusted relationships are established and maintained. PKI
Message Service with PKI Plug-in demonstrates how public key cryptography supports risk management requirements and solves
e-commerce security problems in network environments. This is one such application which provides necessary security services to
users. This application is also intended to help organizations determine their requirement and necessity for a PKI, and what features
are needed for their specific business. The PKI Message Service and PKI Plug-in may find application in business transactions,
banking, the military, etc.
I. INTRODUCTION
SMTP email is an open protocol, in that a message can be
intercepted and read by any number of third parties. When you
send an email message, that message can be seen and read by
anyone who comes in contact with the message; just like a
postcard. For example, your message may pass through a
number of Internet Service Providers on its journey and
administrators for these ISPs will almost undoubtedly have
access to the contents of messages that you send. When we talk
about secure email, we are talking about the ability to secure a
message in such a way that the contents of that message remain
private between you and your intended recipient and vice versa.
This is achieved through encryption.
A second (and arguably more important) issue with SMTP
email is that it is open to abuse and manipulation. It is very easy
for a third party to forge an SMTP message and make up its
content and address details. This act of impersonation is
commonly known as spoofing. From this perspective, SMTP
email is also insecure. Therefore, any solution for secure email
should not only provide encryption for privacy but also ideally
authentication and validation that messages are genuine and can
be guaranteed to have originated from the apparent sender. The
act of validating the authenticity of a message is known as
digital signing.
II. REVIEW OF PKI
The PKI Message Service is a mail application which is based
on the idea of PKI. PKI assumes the use of key cryptography,
which is the most common method on the Internet for
authenticating a message sender or encrypting a message. The
mail application provides Information Security of user messages
over insecure networks such as the Internet. This application
can be deployed in domains where monetary transactions
happen seldom. The PKI Message Service offers two-factor
authentication of messages sent, therefore providing privacy,
authentication, integrity, and non-repudiation; these are
referred to as the PAIN properties, which most security
applications satisfy. The Message Service, being based
on the idea of PKI, is bound to use asymmetric keys for its
operations. The application provides services to access private
keys from hardware crypto-tokens such as Aladdin/SafeNet e-
tokens. It also provides for accessing private keys from local
file system. The public keys are maintained by the server of the
PKI Message Service, thereby acting similar to a Key
Distribution Centre (KDC). The users of this mailing application
can send messages which are encrypted, digitally signed or
signed and encrypted to their respective destinations. The users
who receive these messages from other users of the same
application can decrypt, verify or verify and decrypt the
messages from their peers. The asymmetric cryptographic
functions offered by the PKI Message Service are provided by
software programs, typically coded in Java, which run on the
client side of the PKI Message Service application. The PKI
Message Service employs a server to manage users' public key
certificates and other details. The Server scripts are typically
coded in PHP, HTML, CSS and JavaScript along with the
services of a Database to store all the related user information.
Having such an application on the web reduces the
effort to create and maintain similar applications on
multiple platforms. This application is platform independent and
works well on Microsoft Windows and Mac OS X systems.
III. PKI FEATURES AND APPLICATIONS
PKI is a security architecture that has been introduced to
provide an increased level of confidence for exchanging
information over an increasingly insecure internet. PKI expands
as Public Key Infrastructure, which is the most common method
on the internet for authenticating a sender or encrypting a
message. Public key infrastructure encompasses comprehensive
security technologies and policies using cryptography and
provides standards for fundamental computing infrastructure
improvement [1]. PKI involves the hardware, software, policies,
and standards that are necessary to manage SSL (Secure Socket
Layer) certificates. A PKI lets users:
• Authenticate other users more securely than standard usernames and passwords.
• Encrypt sensitive information.
• Electronically sign documents more efficiently.
The PKI technology works with a pair of keys. One of
the two keys may be used to encrypt information which can
only be decrypted with the other key. One key is made public
and the other is kept secret. The secret key is usually called the
Proceedings of International Conference on Advances in Engineering and Technology
www.iaetsd.in
ISBN : 978 - 1505606395
International Association of Engineering and Technology for Skill Development
private key. Since anyone may obtain the public key, users may
initiate secure communications without having to previously
share a secret through some other medium with their
correspondent. PKI enables users of an insecure public network
to securely and privately exchange data and money through the
use of a public and a private cryptographic key pair that is
obtained and shared through a trusted authority. PKI provides
for a digital certificate that can identify an individual or an
organization and directory services that can store and, when
necessary, revoke the certificates. Although the components of a
PKI are generally understood, a number of different vendor
approaches and services are emerging. Meanwhile, an internet
standard for PKI is being worked on. PKI binds public keys to
a person in a way that allows users to trust the certificate.
Public Key Infrastructures most commonly use a certificate
authority (also called a Registration Authority) to verify the
identity of an entity and create unforgeable certificates. Web
browsers, web servers, email clients, smart cards, and many
other types of hardware and software all have integrated,
standards-based PKI support that can be used with each other.
A PKI is only as valuable as the standards that are established
for issuing certificates [1].
IV. APPLICATIONS OF PKI:
The most widespread use of PKI is server
identification of certificates. SSL requires a PKI certificate on
the server to assert its identity in a trustworthy manner to the
client. Every HTTPS (Hyper Text Transport Protocol Secure)
web server connection uses SSL and therefore also uses PKI.
This outreach web focuses on client-side applications of PKI -
using end user PKI certificates instead of or in addition to server
certificates [2].
Client-side applications of PKI fit into three main categories:
• Authentication
• Digital signatures
• Encryption
Authentication applies to any application that needs to
know with assurance the identity of the user and that the user is
actually the one who is present. Traditional authentication
typically uses usernames and passwords. PKI provides a more
secure alternative to this whereby identity is proven by
possession of a private key instead of a password. A password
is still usually required to protect the private key, but that
password is managed by the user instead of shared with the
application server (a major improvement in security).
Digital signatures enable a user to put their "digital signature" on an
electronic document. This is directly analogous to signing in
pen on a paper document except it goes one step further and
associates the exact contents of the digital document with the
signature in a way that makes tampering with the document's
contents after the signature easy to detect. Again, it is
possession of the private key that assures that only the owner of
the PKI digital credentials could have executed the signature.
Encryption is standard protection of data in a file with a
twist. Anyone can encrypt data intended to be read by a
particular user by using their public key for the encryption
process, but only the designated user possesses the private key
that can decrypt the data, so its privacy is assured by the
security of their private key [2].
Some of the popular PKI applications:
[I] Authentication
  [A] Web applications
    [a] Portals
    [b] Student information systems
    [c] Library online journals
  [B] Network appliances
    [a] VPN concentrators
    [b] Firewalls
    [c] Wireless access points
[II] Digital signatures
  [A] S/MIME secure email (sign individual emails)
  [B] Electronic document processing
    [a] Signing XML forms
    [b] Signing electronic documents
    [c] Paperless authorization processes
  [C] Instant messaging (sign each message)
[III] Encryption
  [A] S/MIME secure email (encrypt individual emails)
  [B] Instant messaging (encrypt each message)
V. WHO PROVIDES THE INFRASTRUCTURE?
A number of products are offered that enable a
company or group of companies to implement a PKI. The
acceleration of e-commerce and business-to-business commerce
over the internet has increased the demand for PKI solutions.
Related ideas are the virtual private network (VPN) and the IP
security (IPsec) standard [4]. Among PKI leaders are:
[1] RSA, which has developed the main algorithms used by PKI vendors.
[2] VeriSign, which acts as a certificate authority and sells software that allows a company to create its own certificate authorities.
[3] GTE Cyber Trust, which provides a PKI implementation methodology and consultation service that it plans to vend to other companies for a fixed price.
[4] Xcert, whose Web Sentry product checks the revocation status of certificates on a server, using the Online Certificate Status Protocol (OCSP).
[5] Netscape, whose Directory Server product is said to support 50 million objects and process 5,000 queries a second.
[6] Secure E-Commerce, which allows a company or extranet manager to manage digital certificates.
[7] Meta-Directory, which can connect all corporate directories into a single directory for security management.
VI. INFORMATION SECURITY AND PAIN PROPERTIES
PKI technology is used in the project, because of its
property of information security. Privacy, authentication,
integrity and non-repudiation services together provide
Information Security.
Privacy/Confidentiality - Data confidentiality is
designed to protect the data from disclosure attacks. It is
designed to prevent snooping and traffic analysis attacks. It is
provided by encrypting the message using the public key of the
receiver.
Authentication - Authentication is used to check the
authenticity of the sender and receiver during connection
establishment. It is provided by encipherment, digital signature
and authentication exchanges.
Integrity - The data integrity security service is used to
check whether the integrity of the data has been preserved or
not. It is provided by signing the message using the private key of
the sender and verifying the message using the sender's public key.
Non-Repudiation - Non-repudiation service protects
against repudiation by either sender or receiver of the data. In
non-repudiation with proof of origin, the receiver of the data
can later prove the identity of the sender if denied. In non-
repudiation with proof of delivery, the sender of the data can
later prove that the data were delivered to the intended recipient.
It is provided by digital signature, data integrity and
notarization.
VII. LITERATURE SURVEY
Literature Survey aims to review the critical points of current
knowledge including substantive findings as well as theoretical
and methodological contributions on the topic.
A. BASICS OF CRYPTOGRAPHY
Cryptography is the practice and study of techniques
for secure communication in the presence of third parties
(adversaries). It is about constructing and analyzing protocols
that overcome the influence of adversaries and which are related
to various aspects in information security such as data
confidentiality, data integrity, and authentication [6]. Modern
cryptography is heavily based on mathematical theory and
computer science practice; cryptographic algorithms are
designed around computational hardness assumptions, making
such algorithms hard to break in practice by any adversary. It is
theoretically possible to break such a system but it is infeasible
to do so by any known practical means. These schemes are
therefore termed computationally secure; theoretical advances
and faster computing technology require these solutions to be
continually adapted. Modern cryptography is based upon:
• Symmetric-key cryptography
• Asymmetric-key cryptography
• Hash
SYMMETRIC KEY CRYPTOGRAPHY
Symmetric-key algorithms are a class of algorithms for
cryptography that use trivially related, often identical,
cryptographic keys for both encryption of plaintext and
decryption of cipher text. The encryption key is trivially related
to the decryption key, in that they may be identical or there is a
simple transformation to go between the two keys [7]. The keys,
in practice, represent a shared secret between two or more
parties that can be used to maintain a private information link.
When used with asymmetric ciphers for key transfer,
pseudorandom key generators are nearly always used to
generate the symmetric cipher session keys. However, lack of
randomness in those generators or in their initialization vectors
is disastrous and has led to cryptanalytic breaks in the past.
Therefore, it is essential that an implementation uses a source of
high entropy for its initialization. A disadvantage of symmetric
key algorithms is the requirement of a shared secret key, with
one copy at each end. Since keys are subject to potential
discovery by a cryptographic adversary, they need to be
changed often and kept secure during distribution and in
service. Choosing, distributing, and storing keys without error
and without loss is difficult to reliably achieve. Cryptanalysis of
symmetric key algorithms is easier when compared to that of
asymmetric key algorithms.
ASYMMETRIC KEY CRYPTOGRAPHY
Asymmetric-key cryptography uses two separate keys:
one private and one public. If encryption and decryption are
thought of as locking and unlocking padlocks with keys, then
the padlock that is locked with a
public key can be unlocked only with the corresponding private
key [8]. Public-key cryptography refers to a cryptographic
system requiring two separate keys, one to lock or encrypt the
plaintext, and one to unlock or decrypt the cipher text. Neither
key will do both functions. One of these keys is published or
public and the other is kept private. If the lock/encryption key is
the one published then the system enables private
communication from the public to the unlocking key's owner. If
the unlock/decryption key is the one published then the system
serves as a signature verifier of documents locked by the owner
of the private key. Thus, unlike symmetric key algorithms, a
public key algorithm does not require a secure initial exchange
of one, or more, secret keys between the sender and receiver.
These algorithms work in such a way that, while it is easy for
the intended recipient to generate the public and private keys
and to decrypt the message using the private key, and while it is
easy for the sender to encrypt the message using the public key,
it is extremely difficult for anyone to figure out the private key
based on their knowledge of the public key. The distinguishing
technique used in public key cryptography is the use of
asymmetric key algorithms, where the key used to encrypt a
message is not the same as the key used to decrypt it. Each user
has a pair of cryptographic keys―a public encryption key and a
private decryption key. The publicly available encrypting-key is
widely distributed, while the private decrypting-key is known
only to the recipient. Messages are encrypted with the
recipient's public key and can be decrypted with the
corresponding private key. The keys are related mathematically,
but parameters are chosen so that determining the private key
from the public key is prohibitively expensive [9].
The two main branches of public key cryptography are:
Public key encryption: a message encrypted with a recipient's
public key cannot be decrypted by anyone except a possessor of
the matching private key―presumably, this will be the owner of
that key and the person associated with the public key used.
This is used for confidentiality.
Digital signatures: a message signed with a sender's private
key can be verified by anyone who has access to the sender's
public key, thereby proving that the sender had access to the
private key (and therefore is likely to be the person associated
with the public key used), and that the message has
not been tampered with.
HASH
Hash is the transformation of a string of characters into
a usually shorter fixed-length value or key that represents the
original string. Hashing is used to index and retrieve items in a
database because it is faster to find the item using the shorter
hashed key than to find it using the original value. It is also used
in many encryption algorithms [10].
STEGANOGRAPHY
The word Steganography means covered writing in
contrast with cryptography. Steganography means concealing
the message itself by covering it with something else [11]. The
advantage of Steganography, over cryptography alone, is that
messages do not attract attention to themselves. Plainly visible
encrypted messages, no matter how unbreakable, will arouse
suspicion, and may in themselves be incriminating in countries where
encryption is illegal. Therefore, whereas cryptography protects
the contents of a message, Steganography can be said to protect
both messages and communicating parties. However, it can also
pose serious problems because it is difficult to detect. Network
surveillance and monitoring systems will not flag messages or
files that contain steganographic data. Therefore, if someone
attempted to steal confidential data, they could conceal it within
another file and send it in an innocent looking email.
CRYPTOGRAPHY VS STEGANOGRAPHY
The purpose of Cryptography and Steganography is to
provide secret communication. However, Steganography is not
the same as cryptography. Cryptography hides the contents of a
secret message from malicious people, whereas
Steganography even conceals the existence of the message.
Steganography must not be confused with cryptography, where
we transform the message so as to make its meaning obscure to
malicious people who intercept it. Therefore, the definition of
breaking the system is different. In cryptography, the system is
broken when the attacker can read the secret message. Breaking
a steganographic system requires the attacker to detect that
Steganography has been used and to be able to read the
embedded message. In cryptography, the structure of a message
is scrambled to make it meaningless and unintelligible unless
the decryption key is available. It makes no attempt to disguise
or hide the encoded message. Cryptography offers the ability of
transmitting information between persons in a way that prevents
a third party from reading it. Cryptography can also provide
authentication for verifying the identity of someone or
something. It is possible to combine the techniques by
encrypting the message using cryptography and then hiding the
encrypted message using Steganography. The resulting stego-
image is transmitted without revealing that secret information is
being exchanged. Furthermore, even if an attacker were to
defeat the steganographic technique and detect the message
from the object, he would still require the cryptographic
decoding key to decipher the encrypted message [12].
VIII. PROGRAM MODULES
• PUBLIC KEY CERTIFICATE VALIDATION
The applet validates the certificate by checking the
email id of the user and the expiration date of the certificate.
This date is compared with the server date
to check that the certificate is still valid. This validates the user's
public key certificate.
• ALADDIN E-TOKEN ACCESS
To access the e-token we use JCE. The following is an
extract of code to access the e-token.
----------------------------------------------------------------------------
import java.io.ByteArrayInputStream;
import java.lang.reflect.Constructor;
import java.security.Provider;
import java.security.Security;

String os1 = System.getProperty("os.name").toUpperCase();
if (os1.startsWith("WINDOWS"))
{
    String configDir = "";
    // os1 was upper-cased above, so the literal must be upper case too
    if (os1.contains("WINDOWS 9"))
        configDir = System.getenv("WinDir");
    else
        configDir = System.getenv("SystemRoot");
    // Path of the e-token's native PKCS#11 library
    String etoken_path = configDir + "\\system32\\eTPKCS11.dll";
    String pkcs11ConfigSettings = "";
    if (os1.equalsIgnoreCase("WINDOWS XP") ||
        os1.equalsIgnoreCase("WINDOWS NT") ||
        os1.equalsIgnoreCase("WINDOWS 98") ||
        os1.equalsIgnoreCase("WINDOWS 2000") ||
        os1.equalsIgnoreCase("WINDOWS ME"))
    {
        pkcs11ConfigSettings = "name = SmartCard\n" + "library = " + etoken_path;
    }
    else
    {
        pkcs11ConfigSettings = "name = SmartCard\n" + "library = " + etoken_path + "\n" + "slot=2";
    }
    byte[] pkcs11ConfigBytes = pkcs11ConfigSettings.getBytes();
    ByteArrayInputStream confStream = new ByteArrayInputStream(pkcs11ConfigBytes);
    // The provider class is loaded reflectively. Its InputStream constructor exists
    // on Java 8 and earlier; later releases configure it with Provider.configure().
    Class<?> sunPkcs11Class = Class.forName("sun.security.pkcs11.SunPKCS11");
    Constructor<?> pkcs11Constr = sunPkcs11Class.getConstructor(java.io.InputStream.class);
    Provider pkcs11Provider = (Provider) pkcs11Constr.newInstance(confStream);
    Security.addProvider(pkcs11Provider);
}
-----------------------------------------------------------------------------
First, we check whether the user's operating system is
Windows. The Sun PKCS#11 provider acts as a bridge between the
Java JCA and JCE APIs and the native PKCS#11 cryptographic
API, translating the calls and conventions between the two.
Cryptographic devices such as Smartcards and hardware
accelerators often come with software that includes a PKCS#11
implementation. For SafeNet e-token it is eTPKCS11.dll. We
add this Security provider to access the e-token.
• EXTRACTING PUBLIC KEY FROM CERTIFICATE (.CRT)
The following is an extract of code to obtain the public key
from a .crt file.
-----------------------------------------------------------------------------
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.PublicKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

InputStream in = new FileInputStream("/Path/to/.crt/files");
CertificateFactory cf = CertificateFactory.getInstance("X.509");
X509Certificate cert = (X509Certificate) cf.generateCertificate(in);
PublicKey pk = cert.getPublicKey();
-----------------------------------------------------------------------------
The variable in contains a reference to a .crt file. An
X.509 certificate factory is obtained in the variable cf and the
certificate is generated from the file stream in. The public key is
extracted from the certificate object cert using the built-in
function getPublicKey(), which returns a reference to a
PublicKey object pk.
• EXTRACTING PRIVATE KEY
Extracting the private key from a .p12 file on the local file system.
The following is an extract of code to obtain the private key from a
.pfx file on the local file system.
---------------------------------------------------------------------------
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;

KeyStore pfx = KeyStore.getInstance("pkcs12");
FileInputStream fin = new FileInputStream("path/to/private key/certificate.p12");
char[] password = "user_password".toCharArray();
pfx.load(fin, password);   // opens the PKCS#12 file with its passcode
fin.close();
String alias = "alias name of the .pfx file of interest";
pfx.getCertificateChain(alias);
KeyStore.PasswordProtection pass = new KeyStore.PasswordProtection(password);
KeyStore.PrivateKeyEntry pkEntry = (KeyStore.PrivateKeyEntry) pfx.getEntry(alias, pass);
PrivateKey myPrivateKey = pkEntry.getPrivateKey();
----------------------------------------------------------------------------
The Java Cryptography Extension provides a KeyStore to
store private keys and certificates. A KeyStore object of type
pkcs12 is obtained in the variable pfx. The variable fin holds the
reference to the certificate file on the local file system. The
function load(), which takes two arguments, a file reference and
the corresponding passcode to the file, loads the certificate. The
alias variable holds an alias name of the certificate which helps
identify the certificate in the keystore.
The PasswordProtection object is initialized with the
passcode. The keystore entry is obtained with the built-in
function getEntry(), which takes two arguments, the alias and the
password protection. The function getPrivateKey() returns a reference to
the private key stored with the certificate.
• Loading Aladdin E-token and Extracting private key from a .p12 certificate.
The following is an extract of code to load the E-Token, and
obtain a private key from a .p12 file.
-----------------------------------------------------------------------------
import java.security.KeyStore;
import java.security.PrivateKey;

KeyStore keyStore = KeyStore.getInstance("PKCS11");
char[] password = "passcode_of_e-token".toCharArray();
keyStore.load(null, password); // loads the token.
String alias = "alias name of the .pfx file of interest";
keyStore.getCertificateChain(alias);
KeyStore.PasswordProtection pass = new KeyStore.PasswordProtection(password);
KeyStore.PrivateKeyEntry pkEntry = (KeyStore.PrivateKeyEntry) keyStore.getEntry(alias, pass);
PrivateKey myPrivateKey = pkEntry.getPrivateKey();
-------------------------------------------------------------------------
Here an instance of the PKCS11 keystore is obtained, since
e-tokens are categorized under the PKCS11 standard. All other
procedures to extract the private key remain the same, as
explained in the above section.
• SIGNING MESSAGES
The following is an extract of code which signs a
message with SHA-512 and RSA.
-----------------------------------------------------------------------------
import java.security.*;

PrivateKey privateKey = (PrivateKey) keyStore.getKey(alias_dup, null);
Signature instance = Signature.getInstance("SHA512withRSA");
instance.initSign(privateKey);
instance.update((sign1_extra.text1).getBytes());
byte[] signature = instance.sign();
// Base64-encode the raw signature so it can travel as text
char[] signature1 = Base64Coder.encode(signature);
sign1_extra.s5 = new String(signature1);
// Original text and encoded signature, separated by ":"
String text2 = sign1_extra.text1 + ":" + sign1_extra.s5;
char[] c2 = Base64Coder.encode(text2.getBytes());
----------------------------------------------------------------------------
The variable alias_dup is the alias name of the private
key certificate in the e-token. The variable sign1_extra.text1
contains the text which is to be digitally signed. The variable
signature contains the signed data, which is encoded using the
base64 encoder and stored in signature1. The original text and
the signed data are concatenated and stored in the character
array c2.
• VERIFYING MESSAGES
The following is an extract of code to verify digital
signatures.
-----------------------------------------------------------------------------
import java.security.*;

Signature instance1 = Signature.getInstance("SHA512withRSA");
instance1.initVerify(publicKey);
instance1.update(sig2_text_split.getBytes());
if (instance1.verify(sig2)) {
    System.out.println("true");
    String param = sig2_text_split;
    Object[] params = {param};
    // pass the verified text to f1 through the browser window
    verify3.browserWindow.call("f1", params);
    System.exit(0);
}
---------------------------------------------------------------------------
The variable sig2_text_split contains the original text.
The Signature object is initialized with the signature algorithm.
The function call verify(sig2) verifies the digital signature on
the variable sig2.
• ENCRYPTING MESSAGES
Messages are encrypted with the RSA algorithm.
-----------------------------------------------------------------------------
import javax.crypto.Cipher;

Cipher pkcipher = Cipher.getInstance("RSA/ECB/PKCS1Padding");
pkcipher.init(Cipher.ENCRYPT_MODE, publicKey);
byte[] buffer = plaintext.getBytes("UTF-8");
byte[] encrypted = pkcipher.doFinal(buffer);
// Base64Coder.encode returns char[], as in the signing extract
char[] encoded = Base64Coder.encode(encrypted);
-----------------------------------------------------------------------------
The above code illustrates encrypting and encoding
plain text messages. A pkcipher is initialized with RSA in ECB
mode. The plaintext message is converted to a byte
representation of the String. The function doFinal() takes one
argument, buffer and encrypts the data in the buffer returning an
array of encrypted bytes. The encrypted bytes are encoded to
base64 format to enable the database to store the encrypted data.
• DECRYPTING MESSAGES
Messages are decrypted with the RSA algorithm.
-----------------------------------------------------------------------------
import javax.crypto.Cipher;

Cipher pkcipher = Cipher.getInstance("RSA/ECB/PKCS1Padding");
pkcipher.init(Cipher.DECRYPT_MODE, privateKey);
// encrypted holds the base64 text produced on the sending side
byte[] bts = Base64Coder.decode(encrypted.toCharArray());
byte[] text = pkcipher.doFinal(bts);
-----------------------------------------------------------------------------
The above code decrypts encrypted data. First the
encoded data is decoded with a base64 coder. The decoded text
is decrypted by the pkcipher initialized with the RSA algorithm
in decrypt mode. The function doFinal() returns the decrypted bytes.
SIGNING AND ENCRYPTING MESSAGES
The message is first digitally signed with the private
key of the sender. This signature is encrypted with the public
key of the receiver. This double encryption satisfies all
properties of PAIN.
DECRYPTING AND VERIFYING MESSAGES
This operation takes place at the receiving end.
Messages which are signed and encrypted are fed to this
operation. The secure message is first decrypted with the private
key of the receiver and the signature on the data is verified with
the public key of the sender.
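The sign-and-encrypt and decrypt-and-verify operations described above, as an added example that is not the paper's own code. RSA with PKCS#1 padding can only encrypt a block shorter than the key modulus, so a message plus its RSA signature does not fit in one RSA operation; this example swaps in hybrid encryption, where the signed payload is encrypted under a fresh AES-GCM session key and only that key is encrypted with the receiver's public key (RSA-OAEP). The class name, method names, envelope layout, in-memory key pairs and sample message are assumptions made for the example.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.MGF1ParameterSpec;
import javax.crypto.*;
import javax.crypto.spec.*;

public class SignThenEncryptDemo {

    // OAEP with SHA-256 for the digest and for MGF1, stated explicitly so that
    // sender and receiver do not depend on provider defaults.
    private static final OAEPParameterSpec OAEP = new OAEPParameterSpec(
            "SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT);

    /** Sender side. Returns the envelope { wrappedKey, iv, ciphertext }. */
    static byte[][] signThenEncrypt(byte[] message, PrivateKey senderKey, PublicKey receiverKey)
            throws GeneralSecurityException {
        // 1. Sign the message with the sender's private key.
        Signature signer = Signature.getInstance("SHA512withRSA");
        signer.initSign(senderKey);
        signer.update(message);
        byte[] signature = signer.sign();

        // 2. Length-prefix the signature so the receiver can split the payload
        //    without relying on a text delimiter.
        ByteBuffer payload = ByteBuffer.allocate(4 + signature.length + message.length);
        payload.putInt(signature.length).put(signature).put(message);

        // 3. Encrypt signature and message under a fresh AES-256-GCM session key.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey sessionKey = kg.generateKey();
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, sessionKey, new GCMParameterSpec(128, iv));
        byte[] ciphertext = aes.doFinal(payload.array());

        // 4. Only the 32-byte session key goes through RSA with the receiver's public key.
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPPadding");
        rsa.init(Cipher.ENCRYPT_MODE, receiverKey, OAEP);
        byte[] wrappedKey = rsa.doFinal(sessionKey.getEncoded());
        return new byte[][] { wrappedKey, iv, ciphertext };
    }

    /** Receiver side. Returns the message, or throws if decryption or verification fails. */
    static byte[] decryptThenVerify(byte[][] envelope, PrivateKey receiverKey, PublicKey senderKey)
            throws GeneralSecurityException {
        // 1. Recover the session key with the receiver's private key.
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPPadding");
        rsa.init(Cipher.DECRYPT_MODE, receiverKey, OAEP);
        SecretKey sessionKey = new SecretKeySpec(rsa.doFinal(envelope[0]), "AES");

        // 2. Decrypt the payload; GCM throws AEADBadTagException if it was modified.
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.DECRYPT_MODE, sessionKey, new GCMParameterSpec(128, envelope[1]));
        ByteBuffer payload = ByteBuffer.wrap(aes.doFinal(envelope[2]));

        // 3. Split the payload into signature and message.
        int sigLen = payload.getInt();
        if (sigLen <= 0 || sigLen > payload.remaining())
            throw new SignatureException("malformed payload");
        byte[] signature = new byte[sigLen];
        payload.get(signature);
        byte[] message = new byte[payload.remaining()];
        payload.get(message);

        // 4. Verify the signature with the sender's public key.
        Signature verifier = Signature.getInstance("SHA512withRSA");
        verifier.initVerify(senderKey);
        verifier.update(message);
        if (!verifier.verify(signature))
            throw new SignatureException("signature does not match the sender's public key");
        return message;
    }

    public static void main(String[] args) throws Exception {
        // Constructed test keys; the paper takes them from certificates and the e-token.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair sender = kpg.generateKeyPair();
        KeyPair receiver = kpg.generateKeyPair();
        KeyPair other = kpg.generateKeyPair();

        byte[] msg = "Constructed sample message: release payment for order 1001"
                .getBytes(StandardCharsets.UTF_8);
        byte[][] env = signThenEncrypt(msg, sender.getPrivate(), receiver.getPublic());
        byte[] out = decryptThenVerify(env, receiver.getPrivate(), sender.getPublic());
        System.out.println("received: " + new String(out, StandardCharsets.UTF_8));

        env[2][0] ^= 1; // one ciphertext bit changed in transit
        try {
            decryptThenVerify(env, receiver.getPrivate(), sender.getPublic());
        } catch (AEADBadTagException e) {
            System.out.println("modified ciphertext rejected");
        }
        env[2][0] ^= 1; // restore the original ciphertext

        try { // signature checked against a key that is not the sender's
            decryptThenVerify(env, receiver.getPrivate(), other.getPublic());
        } catch (SignatureException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```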
IX. OUTPUTS
a. PKI MESSAGE HOME PAGE
b. NEW USER REGISTRATION
c. COMPOSING A TEXT MESSAGE
d. DIGITALLY SIGNING A TEXT MESSAGE
e. SELECTING A PRIVATE KEY CERTIFICATE FROM THE KEYSTORE OF E-TOKEN
X. CONCLUSION
There is an increasing need for secure systems as cyber fraud
and cyber crime increase. With advances in technology, the
internet is now an alternative workspace for cloud users and
users of online project management services. Users of such
services work with private data, and any loss of integrity in
that data may be detrimental to them. PKI is an emerging
technology based on asymmetric cryptography which proposes
certain practices that ensure information or data security. The
PKI Message Service is based on PKI and provides information
security for user messages through Privacy, Integrity,
Authentication of end users and Non-Repudiation services. The
PKI Message Service ensures the security of data over insecure
networks. Its dependence on certificates issued by a CA makes it
a more reliable service. The PKI Message Service proves to be
useful in online banking, online purchasing and other areas
where security is a critical concern. The PKI Message Service
can also be embedded into social networking sites to provide a
higher level of security.
XI. ACKNOWLEDGMENT
This work is intended to enable more security for complex
business systems, e-commerce and automated business transactions
that use internet services.
XII. REFERENCES
[1] http://www.dartmouth.edu/~deploypki/overview.html
[2] http://www.dartmouth.edu/~deploypki/application.html
[3] http://www.blogs.technet.com/b/indust2006/06/438895.aspx
[4] http://www.2.dir.texas.gov/pubs/srrpubs13-providers.aspx
[5] http://www.en.wikipedia.org/wiki/certificate_authority
[8] http://www.en.wikipedia.org/wiki/Public-key_cryptography
[9] http://www.it.toolbox.com/wik/Asymmetric_key_encryption
[10] http://www.en.wikipedia.org/wiki/Cryptographic_function
[11] http://www.en.wikipedia.org/wiki/steganography
[12] http://www.vspages.com/Cryptography-vs-Steganography4
[13] http://www.technet.microsoft.com/cc77982(v=ws.10).aspx
[14] http://www.cca.gov.in/
[15] http://www.redbooks.ibm.com/redbooks/pdfs/s924978.pdf
Proceedings of International Conference on Advances in Engineering and Technology
www.iaetsd.in
ISBN : 978 - 1505606395
International Association of Engineering and Technology for Skill Development

Iaetsd secure emails an integrity assured email

  • 1.
    SECURE EMAILS: ANINTEGRITY ASSURED EMAIL SYSTEMS USING PKI Mohd Yousuf Md Touseef Sumer Dept. of Computer science & Engineering Dept. of Electronics and Communication Engineering Maulana Azad National Urdu University Maulana Azad National Urdu University Hyderabad Hyderabad yousuf.asifia@gmail.com touseefsumer@yahoo.com Abstract - Most important aspect of any application is security. Complex business systems, e-Commerce and automated business transactions require robust security measures. Companies using the internet environment as a platform to conduct business have a better probability of success if there is security. However, for e-commerce on the internet, additional security and integrity mechanism becomes necessary. Merchants are typically not willing to ship goods or perform services until a payment has been accepted for them. Authentication can allow for a measure of non-repudiation so the customer cannot deny the transaction occurred. Similarly, consumers need assurance that they are purchasing from a legitimate enterprise, rather than a hacker’s site whose sole purpose is to collect credit card numbers. With the changes in today’s business environments and the shift from the traditional face-to-face business models, mechanisms must be developed to ensure that trusted relationships are maintained. The PKI message service is intended to provide mechanisms to ensure trusted relationships are established and maintained. PKI Message Service with PKI Plug-in demonstrates how public key cryptography supports risk management requirements and solves e-commerce security problems in network environments. This is one such application which provides necessary security services to users. This application is also intended to help organizations determine their requirement and necessity for a PKI, and what features are needed for their specific business. The PKI Message Service and PKI Plug-in may find its application in business transactions, banking, military etc. 
I. INTRODUCTION As SMTP email is an open protocol in that a message can be intercepted and read by any number of third parties. When you send an email message, that message can be seen and read by anyone who comes in contact with the message; just like a postcard. For example, your message may pass through a number of Internet Service Providers on its journey and administrators for these ISPs will almost undoubtedly have access to the contents of messages that you send. When we talk about secure email, we are talking about the ability to secure a message in such a way that the contents of that message remain private between you and your intended recipient and vice versa. This is achieved through encryption. A second (and arguably more important) issue with SMTP email is that it is open to abuse and manipulation. It is very easy for a third party to forge an SMTP message and make up its content and address details. This act of impersonation is commonly known as spoofing. From this perspective, SMTP email is also unsecure. Therefore, any solution for secure email should not only provide encryption for privacy but also ideally authentication and validation that messages are genuine and can be guaranteed to have originated from the apparent sender. The act of validating the authenticity of a message is known as digital signing. II. REVIEW OF PKI The PKI Message Service is a mail application which is based on the idea of PKI. PKI assumes the use of key cryptography, which is the most common method on the Internet for authenticating a message sender or encrypting a message. The mail application provides Information Security of user messages over insecure networks such as the Internet. 
This application can be deployed in domains where monetary transactions happen seldom.The PKI Message Service offers two-factor authentication of messages sent, therefore providing privacy, authentication, integrity, and non-repudiation; these being referred as the PAIN properties satisfied by most of application pertaining to Security. The Message Service having been based on the idea of PKI is bound to use asymmetric keys for its operations. The application provides services to access private keys from hardware crypto-tokens such as Aladdin/SafeNet e- tokens. It also provides for accessing private keys from local file system. The public keys are maintained by the server of the PKI Message Service, thereby acting similar to a Key Distribution Centre (KDC).The users of this mailing application can send messages which are encrypted, digitally signed or signed and encrypted to their respective destinations. The users who receive these messages from other users of the same application can decrypt, verify or verify and decrypt the messages from their peers. The asymmetric cryptographic functions offered by the PKI Message Service is provided by software programs typically coded in JAVA which run on the client side of the PKI Messaging Service application. The PKI Message Service employs a server to manage user’s public key certificates and other details. The Server scripts are typically coded in PHP, HTML, CSS and JavaScript along with the services of a Database to store all the related user information. The purpose of having such an application on the web reduces effort to create and maintain similar such applications on multiple platforms. This application is platform independent and serves well in Microsoft Windows, Mac OS X Systems. III. PKI FEATURES AND APPLICATIONS PKI is a security architecture that has been introduced to provide an increased level of confidence for exchanging information over an increasingly insecure internet. 
PKI expands as Public Key Infrastructure, which is the most common method on the internet for authenticating a sender or encrypting a message. Public key infrastructure encompasses comprehensive security technologies and policies using cryptography and provides standards for fundamental computing infrastructure improvement [1].PKI involves the hardware, software, policies, and standards that are necessary to manage SSL (Secure Socket Layer) certificates. A PKI lets users: [1] Authenticate other users more securely than standard usernames and passwords. [2] Encrypt sensitive information. [3] Electronically sign documents more efficiently. The PKI technology works with a pair of keys. One of the two keys may be used to encrypt information which can only be decrypted with the other key. One key is made public and the other is kept secret. The secret key is usually called the Proceedings of International Conference on Advances in Engineering and Technology www.iaetsd.in ISBN : 978 - 1505606395 International Association of Engineering and Technology for Skill Development 1
  • 2.
    private key. Sinceanyone may obtain the public key, users may initiate secure communications without having to previously share a secret through some other medium with their correspondent.PKI enables users of an insecure public network to securely and privately exchange data and money through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted authority. PKI provides for a digital certificate that can identify an individual or an organization and directory services that can store and, when necessary, revoke the certificates. Although the components of a PKI are generally understood, a number of different vendor approaches and services are emerging. Meanwhile, an internet standard for PKI is being worked on.PKI binds public keys with a person so in a way that allows users to trust the certificate. Public Key Infrastructures most commonly use a certificate authority (also called a Registration Authority) to verify the identity of an entity and create unforgeable certificates. Web browsers, web servers, email clients, smart cards, and many other types of hardware and software all have integrated, standards-based PKI support that can be used with each other. A PKI is only as valuable as the standards that are established for issuing certificates [1]. IV. APPLICATIONS OF PKI: The most widespread use of PKI is server identification of certificates. SSL requires a PKI certificate on the server to assert its identity in a trustworthy manner to the client. Every HTTPS (Hyper Text Transport Protocol Secure) web server connection uses SSL and therefore also uses PKI. This outreach web focuses on client-side applications of PKI - using end user PKI certificates instead of or in addition to server certificates [2]. 
Client-side applications of PKI fit into three main categories:  Authentication  Digital signatures  Encryption Authentication applies to any application that needs to know with assurance the identity of the user and that the user is actually the one who is present. Traditional authentication typically uses usernames and passwords. PKI provides a more secure alternative to this whereby identity is proven by possession of a private key instead of a password. A password is still usually required to protect the private key, but that password is managed by the user instead of shared with the application server (a major improvement in security).Digital signatures enable a user to put their "digital signature" on an electronic document. This is directly analogous to signing in pen on a paper document except it goes one step further and associates the exact contents of the digital document with the signature in a way that makes tampering with the document's contents after the signature easy to detect. Again, it is possession of the private key that assures that only the owner of the PKI digital credentials could have executed the signature. Encryption is standard protection of data in a file with a twist. Anyone can encrypt data intended to be read by a particular user by using their public key for the encryption process, but only the designated user possesses the private key that can decrypt the data, so its privacy is assured by the security of their private key [2]. 
Some of the popular PKI applications: [I] Authentication [A] Web applications [a] Portals [b] Student information systems [c] Library online journals [B] Network appliances [a] VPN concentrators [b] Firewalls [c] Wireless access points [II] Digital signatures [A] S/MIME secure email (sign individual emails) [B] Electronic document processing [a] Signing XML forms [b] Signing electronic documents [c] Paperless authorization processes [C] Instant messaging (sign each message)[D] Encryption [a] S/MIME secure email (encrypt individual emails) [b] Instant messaging (encrypt each message) V. WHO PROVIDES THE INFRASTRUCTURE? A number of products are offered that enable a company or group of companies to implement a PKI. The acceleration of e-commerce and business-to-business commerce over the internet has increased the demand for PKI solutions. Related ideas are the virtual private network (VPN) and the IP security (IPsec) standard [4]. Among PKI leaders are: [1] RSA, which has developed the main algorithms used by PKI vendors.[2] VeriSign, which acts as a certificate authority and sells software that allows a company to create its own certificate authorities.[3] GTE Cyber Trust, which provides a PKI implementation methodology and consultation service that it plans to vend to other companies for a fixed price.[4] Xcert, whose Web Sentry product that checks the revocation status of certificates on a server, using the Online Certificate Status Protocol (OCSP).[5] Netscape, whose Directory Server product is said to support 50 million objects and process 5,000, queries a second.[6] Secure E-Commerce, which allows a company or extranet manager to manage digital certificates.[7] Meta- Directory, which can connect all corporate directories into a single directory for security management. VI. INFORMATION SECURITY AND PAIN PROPERTIES PKI technology is used in the project, because of its property of information security. 
Privacy, authentication, integrity and non-repudiation services together provide Information Security. Privacy/Confidentiality -Data confidentiality is designed to protect the data from disclosure attack. It is designed to prevent snooping and traffic analysis attack. It is provided by encrypting the message using Public key of the receiver. Authentication - Authentication is used to check the authentication of the sender and receiver during the connection establishment. It is provides by encipherment, digital signature and authentication exchanges. Integrity - Data Integrity security service is used to ensure whether the integrity of the data has been preserved or not. It is provided by signing the message using private key of the sender and verifying the message using sender’s public key. Non-Repudiation - Non-repudiation service protects against repudiation by either sender or receiver of the data. In non-repudiation with proof of origin, the receiver of the data can later prove the identity of the sender if denied. In non- repudiation with proof of delivery, the sender of the data can later prove that the data were delivered to the intended recipient. It is provided by digital signature, data integrity and notarization. VII. LITERATURE SURVEY Proceedings of International Conference on Advances in Engineering and Technology www.iaetsd.in ISBN : 978 - 1505606395 International Association of Engineering and Technology for Skill Development 2
  • 3.
    Literature Survey aimsto review the critical points of current knowledge including substantive findings as well as theoretical and methodological contributions on the topic. A. BASICS OF CRYPTOGRAPHY Cryptography is the practice and study of techniques for secure communication in the presence of third parties (adversaries). It is about constructing and analyzing protocols that overcome the influence of adversaries and which are related to various aspects in information security such as data confidentiality, data integrity, and authentication [6]. Modern cryptography is heavily based on mathematical theory and computer science practice; cryptographic algorithms are designed around computational hardness assumptions, making such algorithms hard to break in practice by any adversary. It is theoretically possible to break such a system but it is infeasible to do so by any known practical means. These schemes are therefore termed computationally secure; theoretical advances and faster computing technology require these solutions to be continually adapted. Modern cryptography is based upon:  Symmetric-key cryptography  Asymmetric-key cryptography  Hash SYMMETRIC KEY CRYPTOGRAPHY Symmetric-key algorithms are a class of algorithms for cryptography that use trivially related, often identical, cryptographic keys for both encryption of plaintext and decryption of cipher text. The encryption key is trivially related to the decryption key, in that they may be identical or there is a simple transformation to go between the two keys [7].The keys, in practice, represent a shared secret between two or more parties that can be used to maintain a private information link. When used with asymmetric ciphers for key transfer, pseudorandom key generators are nearly always used to generate the symmetric cipher session keys. However, lack of randomness in those generators or in their initialization vectors is disastrous and has led to cryptanalytic breaks in the past. 
Therefore, it is essential that an implementation uses a source of high entropy for its initialization. A disadvantage of symmetric key algorithms is the requirement of a shared secret key, with one copy at each end. Since keys are subject to potential discovery by a cryptographic adversary, they need to be changed often and kept secure during distribution and in service. Choosing, distributing, and storing keys without error and without loss is difficult to reliably achieve. Cryptanalysis of symmetric key algorithms are easier when compared to that of asymmetric key algorithms. ASYMMETRIC KEY CRYPTOGRAPHY Asymmetric-key cryptography used two separate keys: one private and one public. If the encryption and decryption are thought of as locking and unlocking padlocks with keys, then the padlock with keys, then the padlock that is locked with a public key can be unlocked only with the corresponding private key [8]. Public-key cryptography refers to a cryptographic system requiring two separate keys, one to lock or encrypt the plaintext, and one to unlock or decrypt the cipher text. Neither key will do both functions. One of these keys is published or public and the other is kept private. If the lock/encryption key is the one published then the system enables private communication from the public to the unlocking key's owner. If the unlock/decryption key is the one published then the system serves as a signature verifier of documents locked by the owner of the private key. Thus, unlike symmetric key algorithms, a public key algorithm does not require a secure initial exchange of one, or more, secret keys between the sender and receiver. 
These algorithms work in such a way that, while it is easy for the intended recipient to generate the public and private keys and to decrypt the message using the private key, and while it is easy for the sender to encrypt the message using the public key, it is extremely difficult for anyone to figure out the private key based on their knowledge of the public key. The distinguishing technique used in public key cryptography is the use of asymmetric key algorithms, where the key used to encrypt a message is not the same as the key used to decrypt it. Each user has a pair of cryptographic keys―a public encryption key and a private decryption key. The publicly available encrypting-key is widely distributed, while the private decrypting-key is known only to the recipient. Messages are encrypted with the recipient's public key and can be decrypted with the corresponding private key. The keys are related mathematically, but parameters are chosen so that determining the private key from the public key is prohibitively expensive [9]. The two main branches of public key cryptography are: Public key encryption: a message encrypted with a recipient's public key cannot be decrypted by anyone except a possessor of the matching private key―presumably, this will be the owner of that key and the person associated with the public key used. This is used for confidentiality. Digital signatures: a message signed with a sender's private key can be verified by anyone who has access to the sender's public key, thereby proving that the sender had access to the private key (and therefore is likely to be the person associated with the public key used), and the part of the message that has not been tampered with. HASH Hash is the transformation of a string of characters into a usually shorter fixed-length value or key that represents the original string. 
Hashing is used to index and retrieve items in a database because it is faster to find the item using the shorter hashed key than to find it using the original value. It is also used in many encryption algorithms [10]. STEGANOGRAPHY The word Steganography means covered writing in contrast with cryptography. Steganography means concealing the message itself by covering it with something else [11]. The advantage of Steganography, over cryptography alone, is that messages do not attract attention to themselves. Plainly visible encrypted messages-no matter how unbreakable-will arouse suspicion, and may in them be incriminating in countries where encryption is illegal. Therefore, whereas cryptography protects the contents of a message, Steganography can be said to protect both messages and communicating parties. However, it can also pose serious problems because it is difficult to detect. Network surveillance and monitoring systems will not flag messages or files that contain steganographic data. Therefore, if someone attempted to steal confidential data, they could conceal it within another file and send it in an innocent looking email. CRYPTOGRAPHY VS STEGANOGRAPHY The purpose of Cryptography and Steganography is to provide secret communication. However, Steganography is not Proceedings of International Conference on Advances in Engineering and Technology www.iaetsd.in ISBN : 978 - 1505606395 International Association of Engineering and Technology for Skill Development 3
  • 4.
    the same ascryptography. Cryptography hides the contents of a secret message from a malicious people, whereas Steganography even conceals the existence of the message. Steganography must not be confused with cryptography, where we transform the message so as to make it meaning obscure to a malicious people who intercept it. Therefore, the definition of breaking the system is different. In cryptography, the system is broken when the attacker can read the secret message. Breaking a steganographic system need the attacker to detect that Steganography has been used and he is able to read the embedded message. In cryptography, the structure of a message is scrambled to make it meaningless and unintelligible unless the decryption key is available. It makes no attempt to disguise or hide the encoded message. Cryptography offers the ability of transmitting information between persons in a way that prevents a third party from reading it. Cryptography can also provide authentication for verifying the identity of someone or something.It is possible to combine the techniques by encrypting message using cryptography and then hiding the encrypted message using Steganography. The resulting stego- image is transmitted without revealing that secret information is being exchanged. Furthermore, even if an attacker were to defeat the steganographic technique and detect the message from the object, he would still require the cryptographic decoding key to decipher the encrypted message [12]. VIII. PROGRAM MODULES  PUBLIC KEY CERTIFICATE VALIDATION The validation of the certificate is done with the help of the applet by checking the email id of the user and expiration date of the certificate. This date is verified with the server date to check if the certificate is valid. By this we validate the users public certificate.  ALADDIN E-TOKEN ACCESS To access the e-token we use JCE. The following is an extract of code to access the e-token. 
---------------------------------------------------------------------------- String os1=System.getProperty("os.name").toUpperCase(); if(os1.startsWith("WINDOWS")) { String configDir=""; if(os1.contains("Windows 9")) configDir = System.getenv("WinDir"); else configDir = System.getenv("SystemRoot"); String etoken_path=configDir+"system32eTPKCS11.dll"; String pkcs11ConfigSettings=""; if(os1.equalsIgnoreCase("WINDOWS XP") || os1.equalsIgnoreCase("WINDOWS NT") || os1.equalsIgnoreCase("WINDOWS 98") || os1.equalsIgnoreCase("WINDOWS 2000") || os1.equalsIgnoreCase("WINDOWS ME")) { pkcs11ConfigSettings ="name = SmartCardn" + "library = "+etoken_path; } else { pkcs11ConfigSettings = "name = SmartCardn" + "library = "+etoken_path+"n"+"slot=2"; } byte[] pkcs11ConfigBytes = pkcs11ConfigSettings.getBytes(); ByteArrayInputStream confStream = new ByteArrayInputStream(pkcs11ConfigBytes); sun.security.pkcs11.SUNPKCS11 Class sunPkcs11Class = Class.forName("sun.security.pkcs11.SunPKCS11"); Constructor pkcs11Constr = sunPkcs11Class.getConstructor( Java.io.InputStream.class); pkcs11Provider = (Provider) pkcs11Constr.newInstance(confStream); Security.addProvider(pkcs11Provider); ----------------------------------------------------------------------------- First, we check if the user operating system is windows; Sun PKCS#11 provider acts as a bridge between the Java JCA and JCE APIs and the native PKCS#11 cryptographic API, translating the calls and conventions between the two. Cryptographic devices such as Smartcards and hardware accelerators often come with software that includes a PKCS#11 implementation. For SafeNet e-token it is eTPKCS11.dll. We add this Security provider to access the e-token.  EXTRACTING PUBLIC KEY FROM CERTIFICATE (.CRT) The following is an extract of code to obtain public key from a .crt file. 
----------------------------------------------------------------------------- InputStream in=new FileInputStream("/Path/to/.crt/files"); CertificateFactory cf=CertificateFactory.getInstance("X.509"); X509Certificate - cert=(X509Certificate)cf.generateCertificate(in); PublicKey pk=(PublicKey)cert.getPublicKey(); ----------------------------------------------------------------------------- The variable in contains a reference to a .crt file. A X.509 certificate instance is obtained in the variable cf and the certificate is generated with the file stream in. The public key is extracted from the certificate object cert using the built-in function getPublicKey() which returns a reference of a PublicKey object pk.  EXTRACTING PRIVATE KEY Extracting Private Key from .p12 file on local file system. The following is an extract of code to obtain private key from a .pfx file on local file system. --------------------------------------------------------------------------- KeyStore pfx = KeyStore.getInstance("pkcs12"); FileInputStream fin=new FileInputStream("path/to/private key/certificate.p12"); char[] password="user_password".toCharArray(); pfx.load(fin,password); fin.close(); String alias=”alias name of the .pfx file of interest”; pfx.getCertificateChain(alias); KeyStore.PasswordProtection pass=new KeyStore.PasswordProtection(password); KeyStore.PrivateKeyEntry pkEntry = (KeyStore.PrivateKeyEntry) pfx.getEntry(alias, pass); PrivateKey myPrivateKey = pkEntry.getPrivateKey(); ---------------------------------------------------------------------------- Proceedings of International Conference on Advances in Engineering and Technology www.iaetsd.in ISBN : 978 - 1505606395 International Association of Engineering and Technology for Skill Development 4
  • 5.
    Java Cryptographic extensionprovides a Keystore to store private keys and certificates. A keyStore object type pkcs12 is obtained to a variable pfx. The variable fin holds the reference of the certificate file on the local file system. A function load() which takes two arguments, a file reference and the corresponding passcode to the file loads the certificate. The alias variable holds an alias name of the certificate which helps identify the certificate in the keystore. The PasswordProtection object is initialized with the passcode. Entry to the E-Token is obtained with the built-in function getEntry() which takes two arguments, the alias and the password. The function getPrivateKey() returns a reference to the private key stored in the certificate.  Loading Aladdin E-token and Extracting private key from a .p12 certificate. The following is an extract of code to load the E-Token, and obtain a private key from a .p12 file. ----------------------------------------------------------------------------- KeyStore keyStore = KeyStore.getInstance("PKCS11"); String Pass=”passcode_of_e-token”; keyStore.load(null, Pass); // loads the token. String alias=”alias name of the .pfx file of interest”; keyStore.getCertificateChain(alias); KeyStore.PasswordProtection pass=new KeyStore.PasswordProtection(password); KeyStore.PrivateKeyEntry pkEntry = (KeyStore.PrivateKeyEntry) keyStore.getEntry(alias, pass); PrivateKey myPrivateKey = pkEntry.getPrivateKey(); ------------------------------------------------------------------------- Here an instance of PKCS11 keystore is obtained since e-token are categorized under PKCS11 standards. All other procedures to extract the private key remain the same, as explained in the above section.  SIGNING MESSAGES The following is an extract of code which sign a message with SHA-512 and RSA. 
----------------------------------------------------------------------------- import Java.security.*; privateKey =(PrivateKey) keyStore.getKey(alias_dup, null); Signature instance = Signature.getInstance("SHA512withRSA"); instance.initSign(privateKey); instance.update((sign1_extra.text1).getBytes()); byte[] signature = instance.sign(); char[] signature1 = Base64Coder.encode(signature); sign1_extra.s5=new String(signature1); String text2=sign1_extra.text1+":"+sign1_extra.s5; char[] c2=Base64Coder.encode(text2.getBytes()); ---------------------------------------------------------------------------- The variable alias_dup is the alias name of the private key certificate in the e-token. The variable sign1_extra.text1 contains the text which is to be digitally signed. The variable signature contained the signed data which is encoded using base64 encoder and stored in signature1. The original text and the signed data are concatenated and stored in the character array c2.  VERIFYING MESSAGES The following is an extract of code to verify digital signatures. ----------------------------------------------------------------------------- import Java.security.*; Signature instance1=Signature.getInstance("SHA512withRSA"); instance1.initVerify(publicKey); instance1.update(sig2_text_split.getBytes()); if(instance1.verify(sig2)){System.out.println("true"); String param=sig2_text_split; Object[] params = {param}; verify3.browserWindow.call("f1", params); System.exit(0);} --------------------------------------------------------------------------- The variable sig2_text_split contains the original text. The Signature object is initialized with the signature algorithm. The function call verify(sig2) verifies the digital signature on the variable sig2.  ENCRYPTING MESSAGES Messages are encrypted with RSA algorithm. 
-----------------------------------------------------------------------------
import javax.crypto.Cipher;

Cipher pkcipher = Cipher.getInstance("RSA/ECB/PKCS1Padding");
pkcipher.init(Cipher.ENCRYPT_MODE, publicKey);
byte[] buffer = plaintext.getBytes("UTF-8");
byte[] encrypted = pkcipher.doFinal(buffer);
// Base64Coder.encode() returns char[], as in the signing extract.
char[] encoded = Base64Coder.encode(encrypted);
-----------------------------------------------------------------------------
The above code illustrates encrypting and encoding plain text messages. The cipher pkcipher is initialized with RSA in ECB mode. The plaintext message is converted to a byte representation of the String. The function doFinal() takes one argument, buffer, and encrypts the data in the buffer, returning an array of encrypted bytes. The encrypted bytes are encoded to base64 format to enable the database to store the encrypted data.

DECRYPTING MESSAGES

Messages encrypted with the RSA algorithm are decrypted as follows.
-----------------------------------------------------------------------------
Cipher pkcipher = Cipher.getInstance("RSA/ECB/PKCS1Padding");
pkcipher.init(Cipher.DECRYPT_MODE, privateKey);
// Undo the base64 encoding, then decrypt with the private key.
byte[] bts = Base64Coder.decode(encrypted.toCharArray());
byte[] text = pkcipher.doFinal(bts);
-----------------------------------------------------------------------------
The above code decrypts encrypted data. First the encoded data is decoded with a base64 coder. The decoded text is decrypted by the pkcipher initialized with the RSA algorithm in decrypt mode. The function doFinal() returns the decrypted bytes.

SIGNING AND ENCRYPTING MESSAGES

The message is first digitally signed with the private key of the sender. This signature is encrypted with the public key of the receiver. This double encryption satisfies all properties of PAIN.

DECRYPTING AND VERIFYING MESSAGES

This operation takes place at the receiving end. Messages which are signed and encrypted are fed to this operation.
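The sign-then-encrypt and decrypt-then-verify flow of these two sections, as an added example that is not the paper's code: RSA/ECB/PKCS1Padding with a 2048-bit key accepts at most 245 bytes, so a message plus its 256-byte signature does not fit in one RSA operation, and this example swaps in hybrid encryption (a one-time AES-GCM key wrapped with RSA-OAEP). The class and method names, the three-part envelope layout and the freshly generated key pairs (standing in for e-token keys) are assumptions.

```java
import java.security.*;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
public class SignThenEncryptDemo {
    // Sender: sign with the sender's private key, then encrypt signature+message for the receiver.
    static byte[][] signThenEncrypt(byte[] msg, PrivateKey senderPriv, PublicKey receiverPub) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA512withRSA");
        s.initSign(senderPriv);
        s.update(msg);
        byte[] sig = s.sign();
        byte[] signed = Arrays.copyOf(sig, sig.length + msg.length);  // fixed-length signature as prefix, no ":" separator
        System.arraycopy(msg, 0, signed, sig.length, msg.length);
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey aes = kg.generateKey();              // one-time content key
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        gcm.init(Cipher.ENCRYPT_MODE, aes, new GCMParameterSpec(128, iv));
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.WRAP_MODE, receiverPub);       // only the receiver can unwrap the AES key
        return new byte[][] { rsa.wrap(aes), iv, gcm.doFinal(signed) };
    }
    // Receiver: decrypt with the receiver's private key, then verify with the sender's public key.
    static byte[] decryptThenVerify(byte[][] env, PrivateKey receiverPriv, PublicKey senderPub) throws GeneralSecurityException {
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.UNWRAP_MODE, receiverPriv);
        Key aes = rsa.unwrap(env[0], "AES", Cipher.SECRET_KEY);
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        gcm.init(Cipher.DECRYPT_MODE, aes, new GCMParameterSpec(128, env[1]));
        byte[] signed = gcm.doFinal(env[2]);           // throws AEADBadTagException if the ciphertext was altered
        int n = (((RSAPublicKey) senderPub).getModulus().bitLength() + 7) / 8;  // RSA signature length in bytes
        if (signed.length < n) throw new SignatureException("payload shorter than a signature");
        Signature v = Signature.getInstance("SHA512withRSA");
        v.initVerify(senderPub);
        v.update(signed, n, signed.length - n);
        if (!v.verify(signed, 0, n)) throw new SignatureException("signature does not match sender key");
        return Arrays.copyOfRange(signed, n, signed.length);
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair sender = g.generateKeyPair(), receiver = g.generateKeyPair();   // constructed demo keys
        byte[][] env = signThenEncrypt("Pay 100 to Bob".getBytes("UTF-8"), sender.getPrivate(), receiver.getPublic());
        System.out.println(new String(decryptThenVerify(env, receiver.getPrivate(), sender.getPublic()), "UTF-8"));
    }
}
```

Sign-then-encrypt does not tie the signature to a particular recipient, so the intended receiver's identity belongs inside the signed text when the receiver must be sure the message was addressed to them.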
The secure message is first decrypted with the private key of the receiver and the signature on the data is verified with the public key of the sender.

Proceedings of International Conference on Advances in Engineering and Technology www.iaetsd.in ISBN : 978 - 1505606395 International Association of Engineering and Technology for Skill Development

IX. OUTPUTS
a. PKI MESSAGE HOME PAGE
b. NEW USER REGISTRATION
c. COMPOSING A TEXT MESSAGE
d. DIGITALLY SIGNING A TEXT MESSAGE
e. SELECTING A PRIVATE KEY CERTIFICATE FROM THE KEYSTORE OF E-TOKEN

X. CONCLUSION

There is an increasing need for secure systems with the increase in cyber fraud and crimes. With advancement in technology, the internet is now an alternative workspace for cloud users and users of online project management services. Users of such services work on data of a private nature, and a change in the integrity of these data may be detrimental to them. PKI is an emerging technology based on asymmetric cryptography which proposes certain practices that ensure information or data security. PKI Message Service is based on PKI and provides information security to user messages through Privacy, Integrity, Authentication of end users and Non-Repudiation services. PKI Message Service ensures security of data over insecure networks. PKI Message Service's dependence on certificates issued by a CA makes it a more reliable service. PKI Message Service proves to be useful in Online Banking, Online Purchasing and other areas where security happens to be a critical concern. PKI Message can also be embedded into social networking sites to provide a higher level of security.

XI. ACKNOWLEDGMENT

This work is to enable more security for complex business systems, e-Commerce and automated business transactions that use internet services.