CSC 479/579 Computer and Network Security

Homework 2/ Take Home Lab

Due Wednesday of Week 5

1. Introduction

This homework/lab will help you explore the security and cryptographical concepts we are learning in class so you can better understand them. Let us begin by recapping the main concepts in security and cryptography. We will also introduce some terminology and concepts that we have not previously covered.

2. Exploring the java.security package

A lot of the classes for performing security and cryptographical functions is in the java.security package. Look up the Java documentation on this package by typing the phrase

 java 8 java.security package

or by pointing your browser to

http://docs.oracle.com/javase/8/docs/api/java/security/package-summary.html

Lab Learning Exercise Make a note of the following interfaces and classes in the java.security package. Research these terms as they apply to java cryptographical architecture and to security in general. Write a short paragraph that explains each of these classes and submit as part of this homework. You should include a few of the methods of these classes and interfaces in your discussion. Use your judgement as to the methods or fields you consider the most important for discussion. Keep your notes for future reference. This exercise will not be graded.

  1. Key
  2. Principal
  3. PrivateKey and its sub-interfaces.
  4. PublicKey and its sub-interfaces.
  5. KeyFactory
  6. KeyPair
  7. KeyPairGenerator
  8. KeyStore
  9. MessageDigest
  10. Provider
  11. Signature

3. Listing JCA Security Providers

Homework Problem 1. Write a Java program that lists all the java security providers available on your system. You can think of a security provider as a collections of services, where each service has a type and an algorithm. To do this, you will need to research the java.security.Provider and java.security.Security classes.

Your program should start by listing the name of every provider available, followed by information on the provider. You can use the getName() and getInfo() methods of the Provider class to achieve this.

Your program should also list for each provider, the type and algorithm for every service that that particular provider provides. Here is an example of what your output should look like.

Information on Available Providers:
 
SUN
SUN (DSA key/parameter generation; DSA signing; SHA-1, MD5 digests; 
SecureRandom; X.509 certificates; JKS keystore; PKIX CertPathValidator; 
PKIX CertPathBuilder; LDAP, Collection CertStores, JavaPolicy Policy; 
JavaLoginConfig Configuration)

SunRsaSign
Sun RSA signature provider

SunEC
Sun Elliptic Curve provider (EC, ECDSA, ECDH)

SunJSSE
Sun JSSE provider(PKCS12, SunX509 key/trust factories, SSLv3, TLSv1)

SunJCE
SunJCE Provider (implements RSA, DES, Triple DES, AES, Blowfish, ARCFOUR,
RC2, PBE, Diffie-Hellman, HMAC)

SunJGSS
Sun (Kerberos v5, SPNEGO)

SunSASL
Sun SASL provider(implements client mechanisms for: DIGEST-MD5, GSSAPI, 
EXTERNAL, PLAIN, CRAM-MD5, NTLM; server mechanisms for: DIGEST-MD5, 
GSSAPI, CRAM-MD5, NTLM)

XMLDSig
XMLDSig (DOM XMLSignatureFactory; DOM KeyInfoFactory)

SunPCSC
Sun PC/SC provider

SunMSCAPI
Sun's Microsoft Crypto API provider

Here are all providers with types of service and algorithm provided:

SUN
	Service Type: SecureRandom   Algorithm: SHA1PRNG
	Service Type: Signature   Algorithm: SHA1withDSA
	Service Type: Signature   Algorithm: NONEwithDSA
	Service Type: KeyPairGenerator   Algorithm: DSA
	Service Type: MessageDigest   Algorithm: MD2
	Service Type: MessageDigest   Algorithm: MD5
	Service Type: MessageDigest   Algorithm: SHA
	Service Type: MessageDigest   Algorithm: SHA-256
	Service Type: MessageDigest   Algorithm: SHA-384
	Service Type: MessageDigest   Algorithm: SHA-512
	Service Type: AlgorithmParameterGenerator   Algorithm: DSA
	Service Type: AlgorithmParameters   Algorithm: DSA
	Service Type: KeyFactory   Algorithm: DSA
	Service Type: CertificateFactory   Algorithm: X.509
	Service Type: KeyStore   Algorithm: JKS
	Service Type: KeyStore   Algorithm: CaseExactJKS
	Service Type: Policy   Algorithm: JavaPolicy
	Service Type: Configuration   Algorithm: JavaLoginConfig
	Service Type: CertPathBuilder   Algorithm: PKIX
	Service Type: CertPathValidator   Algorithm: PKIX
	Service Type: CertStore   Algorithm: LDAP
	Service Type: CertStore   Algorithm: Collection
	Service Type: CertStore   Algorithm: com.sun.security.IndexedCollection
SunRsaSign
	Service Type: KeyFactory   Algorithm: RSA
	Service Type: KeyPairGenerator   Algorithm: RSA
	Service Type: Signature   Algorithm: MD2withRSA
	Service Type: Signature   Algorithm: MD5withRSA
	Service Type: Signature   Algorithm: SHA1withRSA
	Service Type: Signature   Algorithm: SHA256withRSA
	Service Type: Signature   Algorithm: SHA384withRSA
	Service Type: Signature   Algorithm: SHA512withRSA
SunEC
	Service Type: KeyFactory   Algorithm: EC
	Service Type: AlgorithmParameters   Algorithm: EC
	Service Type: Signature   Algorithm: NONEwithECDSA
	Service Type: Signature   Algorithm: SHA1withECDSA
	Service Type: Signature   Algorithm: SHA256withECDSA
	Service Type: Signature   Algorithm: SHA384withECDSA
	Service Type: Signature   Algorithm: SHA512withECDSA
	Service Type: KeyPairGenerator   Algorithm: EC
	Service Type: KeyAgreement   Algorithm: ECDH
SunJSSE
	Service Type: KeyFactory   Algorithm: RSA
	Service Type: KeyPairGenerator   Algorithm: RSA
	Service Type: Signature   Algorithm: MD2withRSA
	Service Type: Signature   Algorithm: MD5withRSA
	Service Type: Signature   Algorithm: SHA1withRSA
	Service Type: Signature   Algorithm: MD5andSHA1withRSA
	Service Type: KeyManagerFactory   Algorithm: SunX509
	Service Type: KeyManagerFactory   Algorithm: NewSunX509
	Service Type: TrustManagerFactory   Algorithm: SunX509
	Service Type: TrustManagerFactory   Algorithm: PKIX
	Service Type: SSLContext   Algorithm: TLSv1
	Service Type: SSLContext   Algorithm: TLSv1.1
	Service Type: SSLContext   Algorithm: TLSv1.2
	Service Type: SSLContext   Algorithm: Default
	Service Type: KeyStore   Algorithm: PKCS12
SunJCE
	Service Type: Cipher   Algorithm: RSA
	Service Type: Cipher   Algorithm: DES
	Service Type: Cipher   Algorithm: DESede
	Service Type: Cipher   Algorithm: DESedeWrap
	Service Type: Cipher   Algorithm: PBEWithMD5AndDES
	Service Type: Cipher   Algorithm: PBEWithMD5AndTripleDES
	Service Type: Cipher   Algorithm: PBEWithSHA1AndRC2_40
	Service Type: Cipher   Algorithm: PBEWithSHA1AndDESede
	Service Type: Cipher   Algorithm: Blowfish
	Service Type: Cipher   Algorithm: AES
	Service Type: Cipher   Algorithm: AESWrap
	Service Type: Cipher   Algorithm: RC2
	Service Type: Cipher   Algorithm: ARCFOUR
	Service Type: KeyGenerator   Algorithm: DES
	Service Type: KeyGenerator   Algorithm: DESede
	Service Type: KeyGenerator   Algorithm: Blowfish
	Service Type: KeyGenerator   Algorithm: AES
	Service Type: KeyGenerator   Algorithm: RC2
	Service Type: KeyGenerator   Algorithm: ARCFOUR
	Service Type: KeyGenerator   Algorithm: HmacMD5
	Service Type: KeyGenerator   Algorithm: HmacSHA1
	Service Type: KeyGenerator   Algorithm: HmacSHA256
	Service Type: KeyGenerator   Algorithm: HmacSHA384
	Service Type: KeyGenerator   Algorithm: HmacSHA512
	Service Type: KeyPairGenerator   Algorithm: DiffieHellman
	Service Type: AlgorithmParameterGenerator   Algorithm: DiffieHellman
	Service Type: KeyAgreement   Algorithm: DiffieHellman
	Service Type: AlgorithmParameters   Algorithm: DiffieHellman
	Service Type: AlgorithmParameters   Algorithm: DES
	Service Type: AlgorithmParameters   Algorithm: DESede
	Service Type: AlgorithmParameters   Algorithm: PBE
	Service Type: AlgorithmParameters   Algorithm: PBEWithMD5AndDES
	Service Type: AlgorithmParameters   Algorithm: PBEWithMD5AndTripleDES
	Service Type: AlgorithmParameters   Algorithm: PBEWithSHA1AndDESede
	Service Type: AlgorithmParameters   Algorithm: PBEWithSHA1AndRC2_40
	Service Type: AlgorithmParameters   Algorithm: Blowfish
	Service Type: AlgorithmParameters   Algorithm: AES
	Service Type: AlgorithmParameters   Algorithm: RC2
	Service Type: AlgorithmParameters   Algorithm: OAEP
	Service Type: KeyFactory   Algorithm: DiffieHellman
	Service Type: SecretKeyFactory   Algorithm: DES
	Service Type: SecretKeyFactory   Algorithm: DESede
	Service Type: SecretKeyFactory   Algorithm: PBEWithMD5AndDES
	Service Type: SecretKeyFactory   Algorithm: PBEWithMD5AndTripleDES
	Service Type: SecretKeyFactory   Algorithm: PBEWithSHA1AndDESede
	Service Type: SecretKeyFactory   Algorithm: PBEWithSHA1AndRC2_40
	Service Type: SecretKeyFactory   Algorithm: PBKDF2WithHmacSHA1
	Service Type: Mac   Algorithm: HmacMD5
	Service Type: Mac   Algorithm: HmacSHA1
	Service Type: Mac   Algorithm: HmacSHA256
	Service Type: Mac   Algorithm: HmacSHA384
	Service Type: Mac   Algorithm: HmacSHA512
	Service Type: Mac   Algorithm: HmacPBESHA1
	Service Type: Mac   Algorithm: SslMacMD5
	Service Type: Mac   Algorithm: SslMacSHA1
	Service Type: KeyStore   Algorithm: JCEKS
	Service Type: KeyGenerator   Algorithm: SunTlsPrf
	Service Type: KeyGenerator   Algorithm: SunTls12Prf
	Service Type: KeyGenerator   Algorithm: SunTlsMasterSecret
	Service Type: KeyGenerator   Algorithm: SunTlsKeyMaterial
	Service Type: KeyGenerator   Algorithm: SunTlsRsaPremasterSecret
SunJGSS
	Service Type: GssApiMechanism   Algorithm: 1.2.840.113554.1.2.2
	Service Type: GssApiMechanism   Algorithm: 1.3.6.1.5.5.2
SunSASL
	Service Type: SaslClientFactory   Algorithm: DIGEST-MD5
	Service Type: SaslClientFactory   Algorithm: NTLM
	Service Type: SaslClientFactory   Algorithm: GSSAPI
	Service Type: SaslClientFactory   Algorithm: EXTERNAL
	Service Type: SaslClientFactory   Algorithm: PLAIN
	Service Type: SaslClientFactory   Algorithm: CRAM-MD5
	Service Type: SaslServerFactory   Algorithm: CRAM-MD5
	Service Type: SaslServerFactory   Algorithm: GSSAPI
	Service Type: SaslServerFactory   Algorithm: DIGEST-MD5
	Service Type: SaslServerFactory   Algorithm: NTLM
XMLDSig
	Service Type: TransformService   
	Algorithm: http://www.w3.org/2002/06/xmldsig-filter2
	Service Type: TransformService   
	Algorithm: http://www.w3.org/2000/09/xmldsig#enveloped-signature
	Service Type: TransformService   
	Algorithm: http://www.w3.org/2001/10/xml-exc-c14n#WithComments
	Service Type: TransformService   
	Algorithm: http://www.w3.org/2001/10/xml-exc-c14n#
	Service Type: TransformService   
	Algorithm: http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
	Service Type: XMLSignatureFactory   
	Algorithm: DOM
	Service Type: TransformService   
	Algorithm: http://www.w3.org/2006/12/xml-c14n11
	Service Type: TransformService   
	Algorithm: http://www.w3.org/2000/09/xmldsig#base64
	Service Type: TransformService   
	Algorithm: http://www.w3.org/TR/2001/REC-xml-c14n-20010315
	Service Type: TransformService   
	Algorithm: http://www.w3.org/TR/1999/REC-xpath-19991116
	Service Type: TransformService   
	Algorithm: http://www.w3.org/TR/1999/REC-xslt-19991116
	Service Type: TransformService   
	Algorithm: http://www.w3.org/2006/12/xml-c14n11#WithComments
	Service Type: KeyInfoFactory   Algorithm: DOM
SunPCSC
	Service Type: TerminalFactory   Algorithm: PC/SC
SunMSCAPI
	Service Type: SecureRandom   Algorithm: Windows-PRNG
	Service Type: KeyStore   Algorithm: Windows-MY
	Service Type: KeyStore   Algorithm: Windows-ROOT
	Service Type: Signature   Algorithm: NONEwithRSA
	Service Type: Signature   Algorithm: SHA1withRSA
	Service Type: Signature   Algorithm: SHA256withRSA
	Service Type: Signature   Algorithm: SHA384withRSA
	Service Type: Signature   Algorithm: SHA512withRSA
	Service Type: Signature   Algorithm: MD5withRSA
	Service Type: Signature   Algorithm: MD2withRSA
	Service Type: KeyPairGenerator   Algorithm: RSA
	Service Type: Cipher   Algorithm: RSA
	Service Type: Cipher   Algorithm: RSA/ECB/PKCS1Padding

3. The javax.crypto Package

This package contains classes that support the creation of MACs and ciphers, as well as facilities for working with cryptographic keys.

Spend some time studying the documentation for the following classes and/or interfaces

  1. SecretKey
  2. Cipher
  3. CipherInputStream
  4. CipherOutputStream
  5. KeyAgreement
  6. KeyGenerator
  7. MAC
  8. SecretKeyFactory

4. Encrypting and Decrypting

Let us take a look at how to use the Cipher class to encrypt and decrypt. You use the getInstance() method of this class to obtain a Cipher object. A cipher object has an internal buffer that it uses to hold data that has been passed to it to be encrypted. Because data is encrypted in blocks of fixed size, the buffer will hold data until there is enough to form a block, at which time additional encryption will take place. An update() method is used to add data to the cipher so the data can be encrypted. A doFinal() method optionally adds data to the cipher for the last time, and causes all outstanding data to be encrypted. See the Java documentation of these methods.

I found the following clarification of the distinction between update and doFinal() online, you may find it useful.

  1. update( )
  2. This method adds data to the Cipher's internal buffer, then returns all currently completely encoded blocks. If there are any encoded blocks left over, they remain in the Cipher's buffer until the next call, or a call to doFinal(). This means that if you call update() with a four byte array to encrypt, and the buffer size is eight bytes, you will not receive encoded data on the return (you'll get a null instead). If your next call to update() passes five bytes of data in, you will get an 8 byte (the block size) array back, containing the four bytes passed in on the previous call, the first four bytes from the current call - the remaining byte from the current call is left in the Cipher's buffer.
  3. doFinal()
  4. on the other hand is much simpler: it encrypts the passed data, pads it out to the necessary length, and then returns it. The Cipher is essentially stateless.
Example

The following example uses an encryption algorithm called Blowfish in Electronic Code Book mode to encrypt an string entered by the user. Recall that block ciphers may need to pad the data at the end if the amount of data is not a multiple of the blocks size: this example uses a standard way of padding called PKCS5Padding. Note also that the string must be converted to an array of byte before being encrypted. The program prints out the plain text array of bytes, and then encrypts the array to get a cipher text array of bytes. The cipher text bytes are printed out, and then decrypted to recover the plain text array of bytes. The plain text array is converted to string, and the string is printed.

package securityprog2;
import javax.crypto.*;
import javax.swing.*;

public class Main
{
    public static void main(String[] args) throws Exception
    {
        String input = JOptionPane.showInputDialog("Enter a string to encrypt:");
        KeyGenerator keyGenerator = KeyGenerator.getInstance("Blowfish");
        //
        keyGenerator.init(128);
        SecretKey key = keyGenerator.generateKey();
        System.out.println("Done generating the key");

        // Attempt to encrypt some text
        Cipher cipher = Cipher.getInstance("Blowfish/ECB/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, key);

        byte[] plainText = input.getBytes("UTF-8");
        // Print out the bytes of the plainText
        System.out.println("\nPlaintext: ");
        for (int i = 0; i < plainText.length; i++)
        {
            System.out.print(plainText[i] + " ");
        }

        //Perform the actual encryption
        byte[] cipherText = cipher.doFinal(plainText);

          // Print out the bytes of the plainText
        System.out.println("\nCiphertext: ");
        for (int i = 0; i < cipherText.length; i++)
        {
            System.out.print(cipherText[i] + " ");
        }
        System.out.println("\nOK");

        //Reinitilialize the cipher to decrypt mode
        cipher.init(Cipher.DECRYPT_MODE, key);

        //Perform the decryption
        byte[] decryptedText = cipher.doFinal(cipherText);
        // Print out the decrypted text
        System.out.println("\nDecrypted text: ");
        for (int i = 0; <  decryptedText.length; i++)
        {
            System.out.print(decryptedText[i] + " ");
        }
        System.out.println("\nOK");

        System.out.println("Decrypted string is :");
        System.out.println(new String(decryptedText, "UTF-8"));
    }
}

Use Cut and Paste to get this program into Netbeans (or whatever your favorite IDE is) and run it. Consult the list of Security Providers you printed out previously, and modify this program to use a different (symmetric) encryption algorithm. For example, you might use AES (Advanced Encryption Standard), DES, or RC2. Submit the zipped up Netbeans folder, or the source file.