Busy Java Developer's Guide to Cryptography

ted.neward@newardassociates.com | Blog: http://blogs.newardassociates.com | Github: tedneward | LinkedIn: tedneward

Objectives

What are we going to do today?

Cryptography

Hiding secrets in plain sight

Cryptography

Cryptography

Cryptography

Quick comparison

Cryptography

Dramatis Personae

Cryptography: A History

Stretching back through the ages

Java and Cryptography

Doing crypto on the JVM

Java and Cryptography

Java Crypto 101

Java and Cryptography

History

Java and Cryptography

Java11: Modularization

Java and Cryptography

Basic Security Architecture

JVM Keystores

Where Java stores sensitive stuff

JVM Keystores

java.security.KeyStore

keytool

Manage a KeyStore of cryptographic keys, X.509 certificate chains, and trusted certificates

keytool

Overview

Symmetric Key Cryptography

Symmetric Key Cryptography

Symmetric Key Crypto

Symmetric Key Cryptography

Substitution Cipher

Symmetric Key Cryptography

Substitution Cipher

Symmetric Key Cryptography

Word-substitution Cipher

Symmetric Key Cryptography

Letter-substitution Cipher

Symmetric Key Cryptography

Example: ROTx

Symmetric Key Cryptography

Example: Vigniere

Symmetric Key Cryptography

Symmetric Key Weaknesses

Symmetric Key Crypto

In Java

Symmetric Key Crypto

Principal Java types

Symmetric Key Crypto

A word about algorithms

Symmetric Key Crypto

Generating a SecretKey

Symmetric Key Crypto

Generating a SecretKey

        // Generate secret key
        KeyGenerator keygen = KeyGenerator.getInstance(ALGORITHM);
        keygen.init(128);
        SecretKey aesKey = keygen.generateKey();
        
        // Store into args[0]
        try (FileOutputStream fos = new FileOutputStream(args[0] + ".key")) {
            byte[] rawKey = aesKey.getEncoded();
            fos.write(rawKey);
        }

Symmetric Key Crypto

Using the SecretKey

Symmetric Key Crypto

Using Cipher

Symmetric Key Crypto

Encrypting

        Cipher cipher = Cipher.getInstance(ALGORITHM);
        cipher.init(Cipher.ENCRYPT_MODE, secretKey);
        byte[] cipherdata = cipher.doFinal(cleartext);

Symmetric Key Crypto

Decrypting

        Cipher cipher = Cipher.getInstance(ALGORITHM);
        cipher.init(Cipher.DECRYPT_MODE, secretKey);
        byte[] plaindata = cipher.doFinal(ciphertext);

Symmetric Key Crypto

Using I/O streams

Cryptographic functions

Some foundational pieces

Cryptographic functions

One-way functions

Cryptographic functions

Hash functions

Cryptographic functions

One-way hash function

Cryptographic functions

Message Authentication Code (MAC)

Message Digests

Ensure message integrity

Message Digests

What are they?

Message Digests

Different digests

JVM Message Digest API

Producing or consuming

JVM Message Digest API

Java types

JVM Message Digest API

Usage

Asymmetric Key Cryptography

Solving the key management problem

Asymmetric Key Cryptography

Asymmetric Keys

Asymmetric Key Cryptography

Usage

Asymmetric Key Cryptography

Weaknesses

Asymmetric Key Cryptography

In Java

Asymmetric Key Cryptography

Principal Java types

Asymmetric Key Cryptography

A word about algorithms

Asymmetric Key Cryptography

Generating a KeyPair

Asymmetric Key Cryptography

Generating a SecretKey

        // Generate pub/priv key
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(ALGORITHM);
        kpg.initialize(2048);
        KeyPair pair = kpg.generateKeyPair();

Asymmetric Key Cryptography

Using the KeyPair

Asymmetric Key Cryptography

Using the KeyPair

Asymmetric Key Cryptography

Using Cipher

Asymmetric Key Cryptography

Encrypting

        Cipher cipher = Cipher.getInstance(ALGORITHM);
        cipher.init(Cipher.ENCRYPT_MODE, privateKey);
        byte[] cipherdata = cipher.doFinal(cleartext);

Asymmetric Key Cryptography

Decrypting

        Cipher cipher = Cipher.getInstance(ALGORITHM);
        cipher.init(Cipher.DECRYPT_MODE, publicKey);
        byte[] cipherdata = cipher.doFinal(cleartext);

Asymmetric Key Cryptography

Using I/O streams

Digital Certificates

Secure ways to exchange public keys

Digital Certificates

What are they?

Digital Signatures

Ensuring what was sent was sent by you

Digital Signatures

The case for handwritten signatures

Digital Signatures

The case for handwritten signatures

Digital Signatures

Digital signatures

Digital Signatures

Digital signatures

Digital Signatures

Possible solution

Digital Signatures

Possible solution

Digital Signatures

Analysis

Digital Signatures

Analysis

Digital Signatures

Another solution: Asymmetric Crypto

Digital Signatures

Analysis

Digital Signatures

Asymmetric Key + One-Way Hash Functions

JVM Digital Signatures

Is that REALLy from you?

JVM Digital Signatures

Core Java types

JVM Digital Signatures

Algorithm usage

JVM Digital Signatures

Signing a document

JVM Digital Signatures

Signing a document

        Signature privateSignature = Signature.getInstance("SHA256withRSA");
        privateSignature.initSign(privateKey);
        privateSignature.update(cleartext);
        byte[] signature = privateSignature.sign();

JVM Digital Signatures

Verifying a document

JVM Digital Signatures

Verifying a document

        Signature publicSignature = Signature.getInstance("SHA256withRSA");
        publicSignature.initVerify(publicKey);
        publicSignature.update(cleartext);
        if (publicSignature.verify(signatureBytes)) {
            System.out.println("Verified!");
        }
        else {
            System.out.println("NO MATCH");
        }

Summary

Java has rich support for cryptography and security

Resources

Where to go to go get more

Resources

Books

Resources

Websites

Credentials

Who is this guy?