I have determined, after some research, that in order to generate and sign certificates programmatically in java I need the bouncycastle library.
Unfortunately it appears that the library has gone through a major overhaul sometime fairly recently. A great deal of their classes are now deprecated and all of the tutorials and code samples I can find that are simple enough to understand are deprecated along with them.
I am reasonably new to cryptography. Armed with only basic knowledge and fuzzy idea of what I'm actually trying to accomplish, I've fumbled through the out of date tutorials and the assumed-knowledge Bouncycastle documentation, and its been an arduous experience.
Are there any simple to understand, up to date Bouncycastle tutorials, or alternative libraries I should look at? Or should I grit my teeth, ignore the deprecation warnings and hope for the best?
It is a little hard to find, but the bouncycastle wiki has some short but sweet documention. In particular this first example at this page entitled A Simple Operator Example should get you started.
Another perfectly fine alternative is to just use version 1.46 of the library, the last version to use the old api.
Do you really need to use Bouncycastle directly or can't you use it as a Cryptographic Service Provider? So you do not need to use BCs API. See the JCA Reference Guide. I use for some encryption these lines:
static {
Security.addProvider(new BouncyCastleProvider());
}
public void someMethod() {
KeyFactory fact = KeyFactory.getInstance("RSA", "BC");
Key key = fact.generatePublic(PUB_KEY_SPEC);
// do stuff
}
You might take a closer look at the CertificateFactory.
Related
I have the following way of generating a self signed certificate using the class CertandKeyGen.
CertandKeyGen cert = new CertandKeyGen("RSA", "SHA256withRSA);
cert.generate(size);
..
X509Certificate certificate = cert.getSelfCertificate(name, validity);
Since these are internal APIs from keytool, I am looking at a similar approach using java.security.* APIs.
I want to know if this is possible currently. If yes, what are those APIs? I dug around but I am unable to find anything about it. I am aware of bouncy castle APIs (X509V3CertificateGenerator) but I do not want to use third party APIs.
Thanks.
At present, I do not believe that the generation/signing mechanisms that are used in keytool are part of the public API for Java.
I have implemented a very simple CA/Signing mechanism utilizing BouncyCastle for testing purposes.
I don't think you're going to be able to do this without a 3rd party api or implementing a very significant amount of code on your own.
I am new to OAuth, I am looking for a simple java example program on how to login with google using OAuth 2.0, I searched a lot but didn't find any appropriate solutions. Can anyone Please help me with this.
I had a hard time with this myself. There are examples in different languages out there, but none of them really explain what's going on, and many rely on third-party libraries for the actual implementation. I do not recommend implementing a solution that uses any third-party libraries. Why? Because a lot of third-party libraries can easily fall behind in maintenance, security and bug fixes, and are sometimes abandoned altogether. I even caution against using Google's own libraries, because you are then still relying on Google to continue supporting that language. Not a risk worth taking when you're dealing with security and authentication.
A few years ago I dug in and figured out how to actually perform OAuth2 login and verification using nothing but standard libraries, complete with necessary validation to ensure the integrity of the data coming from Google. This is all in C#, but I tried to explain the code line-by-line as much as I could, so that should help you figure out how to do it in Java.
This article covers the series (three parts) along with links to a bunch of documentation I found that helped immensely in understanding the OAuth2 process and how JWTs work.
Google uses JWT - JavaScript Web Token - to return to your application the digitally-signed information you need to validate that the user is who they say they are. JWT is a standardized JSON-based format with three segments in a Base64-encoded string. The first two segments are straightforward and can be converted from Base64 into regular JSON. The third segment is a digital signature. This documentation from the IETF explains, step-by-step, how the digital signature is created and how to use it to validate the data returned by Google. Read it thoroughly so that you understand what you need to accomplish in your application.
I just did a quick search on Java's available libraries to support RSA PKCS#1 (this is what you need to validate the JWT signature against Google's public certificates) and am coming up empty-handed, but I'm also not a Java dev, so you might have an easier time finding what you need.
I want to stress something on this.
If you can't figure out how to use RSA PKCS#1 to validate the digitally-signed data Google returns after the user authorizes your application, don't try to implement OAuth2 on your own.
There are serious security implications of allowing your application to authorize a user without properly validating their login information, and you definitely do not want to open yourself up to that possibility.
That being said, it's really not that hard once you figure out the digital signature part. The third part of my article series covers how this works pretty in-depth, so you should be able to figure out how to translate that into Java.
In the most high-level view, here's what you want to achieve:
Send the user to Google’s login service via URL
Process the GET data returned by Google
Request user details from Google via POST
Verify the returned, digitally-signed user data is valid
The important bits you'll need are:
POST for submitting data to Google's OAuth2 service
Base64 for decoding Google's JWT response into usable data
Some way of locally caching Google's public certificates (they change about every 24 hours)
X.509 for converting Google's public certificate (which is just the Base64 text representation of the cert) into an actual X.509 certificate object
RSA PKCS#1 (not the same as RSA PKCS#11; they're two different standards and are not interchangeable) for validating the signed JWT against Google's public X509 certificate.
Please comment here (or on the blog) if you have questions about how it works, and I'll do my best to help. I have a background in both development and a little cryptography, so hopefully I can help you understand how everything works and why.
Disclaimer: If it's against the rules to link to an article versus explaining here, I'll revise my post. OAuth2 is fairly involved, though, so trying to copypasta the entire code with explanation would be pretty arduous.
Hello I am trying to make an applet in Java which reads Smart Cards ( as Security Tokens) and I didn't manage to handle it at all. I already found this :http://docs.oracle.com/javase/6/docs/technotes/guides/security/SunProviders.html#SunPKCS11Provider which should give me some details... but I have never added a provider in Java ... and I also can't find any of the classes mentioned there for the provider...
Thank you.
You shouldn't need to reference the provider directly. You ask the API for a particular algorithm and it finds the appropriate provider. PKCS#11 is quirky, though. You'll have to read the detailed doc very carefully. I strongly recommend writing the app to do something with a software provider first. For example, create a Java Keystore, create a key in it and sign it then verify the signature. Definitely write a positive and negative test case. In other words, show that tampering with the data makes the verification fail. Next, figure out how to use the PKCS#11 provider by changing your program to use it. Using the Java cryptography APIs is hard enough without adding all the complications of PKCS#11 and your specific smart card to the mix.
I'm looking for a secure symmetric-key encryption algorithm compatible with both JavaScript and Java.
I've tried implementing one but I had some encoding issues.
You don't want to encrypt with JavaScript, especially on the client-side where it is open to tampering, and has no cryptographically secure random number generator.
I've tried implementing one but I had some encoding issues.
You tried to write your own encryption algo? You've gone against everything that the security world hold dear. No. Actual tutorials that explain how encryption works are so scared that people are going to screw things up because they don't understand the math behind it, I've actually seen this in one of them:
If you don't understand encryption, things like, what "cryptographically secure pseudo random number generator" actually is, and common attacks on it, you shouldn't do that.
If you don't understand things like side-channel attacks, you shouldn't do it.
If you don't understand what's going on in crypto and have read at-least two books on it you have no business implementing it.
Crypto is not a magic black box, it's something that is very VERY easy to screw up, even without touching any bit of code in a packaged solution.
What should you do? Forget about JS encryption. I know, I've tried it myself. It's a waste of time. Learn from my mistakes.
Go get an SSL certificate, SSL is the best way for us to encrypt messages on the transport level from a server to a client. It's about as secure as you can get. If you face an advesary that can defeat SSL, trust me, your JS-based crypto is also compromised.
Once it's at the server where it's secure from being tampered with, encrypt it. Anything else is a really long way to waste your time.
Also, go read these books:
![This one is free][4]
[![This one is cash money][5]][5]
(source: [schneier.com](https://www.schneier.com/images/book-ce-150w.jpg))
Then when you understand them come back and scream at me about why I'm wrong and don't understand how much you need JS on the client to do crypto.
There is an excellent DES (and by extension 3DES) implementation in JS, which I use quite often. I'll put up the link Monday, when I'm at the office and have it ready. Results from this (after base64 encoding for the transport) work perfectly with .Net/Mono (builtin), Java (bulitin) and PHP (mcrypt).
Found the links, but both are dead: http://www.shopable.co.uk/des.html and http://www.netdealing.com. I have put it up on http://pastebin.com/KbRsWKJY
This page has CTR mode, which is available in Java. I would recommend keys of 128 bits or you might run into trouble regarding the Java export policies on larger key sizes.
Here is a page which uses some very usefull methods of encryption, including password encryption techniques and ciphres with integrity checks and authentication, although you may need the bouncy castle libraries on Java to match those all.
There are oodles of libraries for JavaScript, but character encoding issues will be present on any of them. So make sure you use the same encoding both on the JavaScript side as well as on the Java side. A quick look up assures me that JavaScript uses UTF-16 internally, but don't hang me up on that.
Finally, don't try this at home, the libraries are there, use them (especially if they mention tests and/or official test vectors).
Like the other answers said, if you don't have to encrypt with JavaScript, avoid it. However, there are some valid use cases to encrypting in JavaScript.
When you need to, I recommend this library: https://keybase.io/triplesec/.
It's more secure than DES, which another answer links to.
I wanted to develop code in java for a cryptographic algorithms like Blowfish,RC5. I searched on the internet too but I got to know that Blowfish has ready made methods available. So writing own methods is like 'reinventing wheel' so is the same case with 'RC5' too?
If this is the case, can you please suggest me some algorithms of cryptography for which code can be developed within the duration of 2 months using 2 people having average knowledge about 'Java'?
There have recently been several questions here relating to format preserving encryption. I tried to find an implementation of FFX (an attempt to standardize Feistel-network based FPE), but failed to find any.
So if you are looking for an example of a useful cryptographic algorithm for which there is no (easily findable) implementation on the net, that is one option.
You might want to restrict yourself to FFX-A2 and/or FFX-A10.
Starting out any cryptography project without knowing a lot about the idiosyncrasies of the language you are working with and the cryptographic algorithms involved is a really, really bad idea. If you are just doing it to learn, then why not just go ahead and reinvent the wheel? If you actually expect it to be secure, you really should use a pre-existing, well-tested implementation, or you should carefully investigate the algorithmic approaches involved and the language-based security issues involved.
There is nothing inherently labor-intensive about the implementation of any of these algorithms - they tend to have clear descriptions published. It would be entirely possible for you to do a not-necessarily-cryptographically-secure implementation of RC5, Blowfish, AES, RSA or just about anything else commonly used within 2 months (although I'd put the real figure somewhere nearer 2 days if you're just messing around for learning/fun).
Visit BouncyCastle.org. They provide a full and open source JCE / JCA crypto API for Java and C#. There are also other APIs for PGP for example. Unpinning these APIs are implementations of virtually every common cipher and digest algorithm. Documentation is a bit light (especially the PGP implementation) but it is a very well known and used crypto package.