Wednesday, 14 August 2013

Java Security

Java provides the JCE (Java Cryptography Extension) API, which helps us create secure applications.

Below are some of the APIs provided by JCE:

Symmetric key Encryption / Decryption
Asymmetric key Encryption / Decryption
Digital Signature

Let's first define what security is, relate it to software security, and then see how we can implement it using JCE.

Symmetric key Encryption / Decryption
In symmetric key encryption/decryption there is only one key, which is used both to encrypt and to decrypt the message.
An analogy that can be used to understand the advantages of an asymmetric system is to imagine two people, Alice and Bob, who are sending a secret message through the public mail. In this example, Alice wants to send a secret message to Bob, and expects a secret reply from Bob.

With a symmetric key system, Alice first puts the secret message in a box, and locks the box using a padlock to which she has a key. She then sends the box to Bob through regular mail. When Bob receives the box, he uses an identical copy of Alice's key (which he has somehow obtained previously, maybe by a face-to-face meeting) to open the box, and reads the message. Bob can then use the same padlock to send his secret reply.
This is termed in Java as Symmetric key Encryption / Decryption. Here both parties can lock and unlock the message with the same shared key.
For Java code, please refer to Symmetric key Encryption / Decryption.

Asymmetric key Encryption / Decryption
Asymmetric key encryption/decryption is based on the public key encryption method, where instead of one key there are two keys, private and public. The public key is used to encrypt and the private key is used to decrypt. The two keys are different but are linked mathematically. Neither key can perform both the encryption and the decryption operation. The public key can be distributed to senders, and the private key is kept confidential by the receiver.

As an analogy, we can consider the public key as a padlock, as shown above, and the private key as the key to the padlock. A padlock can be used to lock a box without the key, and then the key can be used to open the padlock and so open the box.
Let's continue our example.

In an asymmetric key system, Bob and Alice have separate padlocks. First, Alice asks Bob to send his open padlock to her through regular mail, keeping his key to himself. When Alice receives it she uses it to lock a box containing her message, and sends the locked box to Bob. Bob can then unlock the box with his key and read the message from Alice. To reply, Bob must similarly get Alice's open padlock to lock the box before sending it back to her.

The critical advantage in an asymmetric key system is that Bob and Alice never need to send a copy of their keys to each other. This prevents a third party – perhaps, in this example, a corrupt postal worker – from copying a key while it is in transit, allowing the third party to spy on all future messages sent between Alice and Bob. So, in the public key scenario, Alice and Bob need not trust the postal service as much. In addition, if Bob were careless and allowed someone else to copy his key, Alice's messages to Bob would be compromised, but Alice's messages to other people would remain secret, since the other people would be providing different padlocks for Alice to use.
This is termed in Java as Asymmetric key Encryption / Decryption.
For Java code, please refer to Asymmetric key Encryption / Decryption.
For Java code using keytool, please refer to Asymmetric key Encryption / Decryption with Key tool.

Digital Signature
Digital signatures are used to authenticate the sender of a message. Digital signatures are also based on the asymmetric key encryption described above.
Here the sender signs the message with its private key, and any receiver who has the public key can verify the signature.

An analogy for digital signatures is the sealing of an envelope with a personal wax seal. The message can be opened by anyone, but the presence of the unique seal authenticates the sender.
This is termed in Java as Digital Signature. Refer Java Code.

Encryption Decryption + Digital Signature
Message encryption/decryption can be combined with a digital signature to provide more security. Here the message can be decrypted only by the party holding the private key, and the authenticity of the sender can be verified through the digital signature. As a result, the sender also cannot deny that the message was sent by him. Many web-based services use both of these security aspects.

Symmetric + Asymmetric Security
Both the symmetric and the asymmetric key methods can be used together to secure a message. First the message is encrypted with a symmetric key, and then, before the key is sent to the other party, the key itself is encrypted with the other party's public key. On receiving the encrypted message and the encrypted key, the other party first decrypts the key with its private key and then decrypts the message using the decrypted key.

As shown in the figure, the actual data is encrypted with the symmetric key, and then the symmetric key is made secure by putting it in a box locked with the public key of the receiver. The receiver has the private key and can open the box to retrieve the symmetric key. This symmetric key can then be used to decrypt the data.
For Java code, please refer to Symmetric and Asymmetric key Encryption / Decryption.
A combination of Symmetric + Asymmetric + Signature can also be done. Please refer to this post.

KeyTool is a utility provided by Java. It is used to create private (symmetric) keys, private key/public key pairs, certificates, keystores, truststores, etc.
We will look at all of these in more detail in the coming posts (KeyTool Explored). There we will also see how data can be encrypted with keys generated by keytool.

