The Java Crypto API ICW Lecture 3 Tom Chothia Reminder of Last Time: • Your programs defines “Classes”. • Each class defines “Objects”. • An Object is defined as having a number of “Fields” that store data... • ...and a number of “Methods” that perform computation. This Time: • Read and write from files. • Generate and handle keys. • How to encrypt and decrypt – public key encryption, – and symmetric key encryption. • Hashes. • Keystores But this Lecture is Really About: APIs • APIs are Application Programming Interfaces. • They are libraries of useful programs that do most of the work for us. • A lot of programming Java is using the right API. Reading and Writing to a File Make a java.io.File object. Get the input and output streams. Put wrappers round the steams, e.g., PrintReader for strings. DataInputString for bytes. Read and write using .read and .write. Close using .close. Code Demo See ReadWriteFile.java Symmetric Key Encryption • Symmetric key encryption uses the same key to encrypt and decrypt the message. encrypt (plain text, key) = cipher text decrypt(cipher text, key) = plain text Symmetric key encryption is fast, but handling the key can be difficult. Popular Types of Symmetric Encryption • Advanced Encryption Stardard (AES) – A good cipher, maybe the best. • Data Encryption Standard (DES)/3DES – The old stardard, key now to short. – Still OK if you us it 3 times. – Used in e-passports. Popular Types of Symmetric Encryption • BlowFish – Like AES, • RC4: Rivest Cypter 4 – Fast, used in SSL, WPA, problem is related keys are used in different sessions. Public Key Cryptography Public Key Cryptography uses 2 keys: – – A public key for encryption A private key for decryption. You can tell anyone you public and anyone can encrypt data just for you. Only you can read the message. Types of Public Key Cryptography • Diffie-Hellman – – First public key system. Security based on the logs. • RSA – – – Most common public key system. Security based on factoring large primes If in doubt use RSA • Elliptic Curve – Based on curves in a finite field. Useful APIs for Crypto javax.crypto.Cipher: – the Cipher object does the encryption. java.security.Key – a cryptographic key java.secuity.KeyFactory – Turn bytes into Key Objects. Also RSAPublicKey, X509EncodedKeySpec,... (remember cmd-shirt-O in Eclipse). java.security.KeyGenerator Create the object with: kg = KeyGenerator.getInstance(<Crypto Type>); Give the key length (if needed): kg.initialize(1024); Read out the key: Key key = kg.genKeyPair(); java.security.KeyPairGenerator Create the object with: kg = KeyPairGenerator.getInstance(<Crypto Type>); Key the key length: kg.initialize(1024); Read out the keys: KeyPair keypair = kg.genKeyPair(); PrivateKey privKey = keypair.getPrivate(); PublicKey publicKey = keypair.getPublic(); Encryption In Java Steps to encrypt data in Java (see example code): • Import package • Create a cipher object • Initiate the cipher object with the scheme you want in encrypt or decrypt mode. • Pass the object the data you want to encrypt. • Read the cipher text out. • Decrypt in the same way. Code Demo Encrypt file Summary I've just shown you how to • Read and write from files. • Generate keys. • How to encrypt and decrypt. Still to come: • Read and write keys to files • Keystores • Hashes Java keytool Most Java programs use existing keys rather than create keys themselves. The keytool command can be used to generate keys outside Java. Saving a Key We can read and write the bytes of a key to a file. This is a bad idea. We want to – – protect read access to private keys, and make sure the publics ones are real. The KeyStore Class • A KeyStore holds password protected private keys and public keys as certicates. • Make keystores using the keytool e.g. keytool -genkey -keyalg RSA -keypass password -alias mykey -storepass storepass -keystore myKeyStore Demo Making a KeyStore with the keytool KeyStore Methods • getInstance(“JKS”): – creates a keystore • Load(file,password): – loads key data from a file using password. • getKey(alias,password) – get the key “alias” with given password • getCertificate(alias) – gets a public key as a certificate File Encryption Program • Combining these we can write a program to encrypt files. • See demo. Hashes A hash of any Object is a short string generated from that Object. The hash of an object is always the same. Any small change makes the hash total different. It is very hard to go from the hash to the object. It is very unlikely that any two different objects have the same hash. Types of Hash Algorithm • SHA-1, SHA-2 current standard, however it is possible to file two messages that have the same hash. • MD5 often used for error checking can also find two files with the same hash. Hashes in Java See Hash.java Uses of Hashing • Download verification • Message Verification • Passwords (demo) Password Cracking • If an attacker gets the password shadow file – – they can try to guess a password and check if the hash of their guess is in the list. • Truly random passwords are safe. • Dictionary words are not. Exercise 1: SHA1 password cracker. In 1 week I will give you a shadow file of SHA1 hashed passwords. You have to write a program that – – – Guesses a password Hashes the Guess Checks to see if it is in the list. Hint: find a list of common passwords online, and use this to build more. Conclusion Encryption can be public key or symmetrical. Use a Cipher Object in Java to do de/encryption. Keep your keys in a password protected KeyStore. Next Time How to make connections across the Internet. TCP/IP protocol Sockets in Java.