Security & Encryption

Security 2010. 8. 23. 09:35
Java Security

Security Documentation

Java 1.5 Security Documentation

Java Security Architecture Overview

Java Cryptography Architecture


The JCE API covers:

  • Symmetric bulk encryption, such as DES, RC2, and IDEA
  • Symmetric stream encryption, such as RC4
  • Asymmetric encryption, such as RSA
  • Password-based encryption (PBE)
  • Key Agreement
  • Message Authentication Codes (MAC)

Engine classes:

  • MessageDigest: used to calculate the message digest (hash) of specified data.
  • Signature: used to sign data and verify digital signatures.
  • KeyPairGenerator: used to generate a pair of public and private keys suitable for a specified algorithm.
  • KeyFactory: used to convert opaque cryptographic keys of type Key into key specifications (transparent representations of the underlying key material), and vice versa.
  • CertificateFactory: used to create public key certificates and Certificate Revocation Lists (CRLs).
  • KeyStore: used to create and manage a keystore. A keystore is a database of keys. Private keys in a keystore have a certificate chain associated with them, which authenticates the corresponding public key. A keystore also contains certificates from trusted entities.
  • AlgorithmParameters: used to manage the parameters for a particular algorithm, including parameter encoding and decoding.
  • AlgorithmParameterGenerator: used to generate a set of parameters suitable for a specified algorithm.
  • SecureRandom: used to generate random or pseudo-random numbers.

In the 1.4 release of the Java 2 SDK, the following new engines were added:

  • CertPathBuilder: used to build certificate chains (also known as certification paths).
  • CertPathValidator: used to validate certificate chains.
  • CertStore: used to retrieve Certificates and CRLs from a repository.

Cryptographic Concepts

Encryption and Decryption
Encryption is the process of taking data (called cleartext) and a short string (a key), and producing data (ciphertext) that is meaningless to a third party who does not know the key. Decryption is the inverse process: taking ciphertext and a short key string, and producing cleartext.

Password-based Encryption
Password-Based Encryption (PBE) derives an encryption key from a password. In order to make the task of getting from password to key very time-consuming for an attacker, most PBE implementations will mix in a random number, known as a salt, to create the key.

Encryption and decryption are done using a cipher. A cipher is an object capable of carrying out encryption and decryption according to an encryption scheme (algorithm).

Key Agreement
Key agreement is a protocol by which two or more parties can establish the same cryptographic keys without having to exchange any secret information.

Message Authentication Code

A Message Authentication Code (MAC) provides a way to check the integrity of information transmitted over or stored in an unreliable medium, based on a secret key. Typically, message authentication codes are used between two parties that share a secret key in order to validate information transmitted between these parties.

A MAC mechanism that is based on cryptographic hash functions is referred to as HMAC. HMAC can be used with any cryptographic hash function, e.g., MD5 or SHA-1, in combination with a secret shared key. HMAC is specified in RFC 2104.
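The PBE and MAC sections above fit together in one routine: derive keys from a password and a random salt, encrypt, then authenticate the ciphertext with an HMAC and verify it before decrypting. The following class is an added example, not code from the original post or from the JDK documentation; it assumes PBKDF2WithHmacSHA256 (Java 8+) as the PBE scheme, AES/CBC for the cipher and HMAC-SHA256 for the MAC, rather than the older PBEWithMD5AndDES, MD5 or SHA-1 combinations the post lists.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.*;

public class PbeEncryptThenMac {
    static final int ITER = 100_000, SALT = 16, IV = 16, TAG = 32;   // constructed parameters
    // PBE step: PBKDF2 (the scheme assumed here) turns password + random salt into 64 bytes; bytes 0..31 are the AES key, 32..63 the HMAC key
    static byte[] deriveKeys(char[] password, byte[] salt) throws Exception {
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        return f.generateSecret(new PBEKeySpec(password, salt, ITER, 512)).getEncoded();
    }

    // MAC step: HMAC-SHA256 over the first len bytes of data, keyed with the second half of k
    static byte[] hmac(byte[] k, byte[] data, int len) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(k, 32, 32, "HmacSHA256"));
        mac.update(data, 0, len);
        return mac.doFinal();
    }

    // Output layout: salt | iv | ciphertext | HMAC(salt | iv | ciphertext)   (encrypt-then-MAC)
    static byte[] encrypt(char[] password, byte[] plaintext) throws Exception {
        byte[] salt = new byte[SALT], iv = new byte[IV];
        SecureRandom rng = new SecureRandom(); rng.nextBytes(salt); rng.nextBytes(iv);
        byte[] k = deriveKeys(password, salt);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(k, 0, 32, "AES"), new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = Arrays.copyOf(salt, SALT + IV + ct.length + TAG);   // salt first, rest zero for now
        System.arraycopy(iv, 0, out, SALT, IV);
        System.arraycopy(ct, 0, out, SALT + IV, ct.length);
        System.arraycopy(hmac(k, out, SALT + IV + ct.length), 0, out, SALT + IV + ct.length, TAG);
        return out;
    }

    // Verify the MAC in constant time before decrypting, so a tampered blob never reaches the cipher
    static byte[] decrypt(char[] password, byte[] blob) throws Exception {
        int ctLen = blob.length - SALT - IV - TAG;
        if (ctLen < 0) throw new SecurityException("blob too short");
        byte[] k = deriveKeys(password, Arrays.copyOf(blob, SALT));   // same salt -> same keys
        if (!MessageDigest.isEqual(hmac(k, blob, SALT + IV + ctLen), Arrays.copyOfRange(blob, SALT + IV + ctLen, blob.length))) throw new SecurityException("MAC check failed");
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(k, 0, 32, "AES"), new IvParameterSpec(blob, SALT, IV));
        return c.doFinal(blob, SALT + IV, ctLen);
    }
}
```

Flipping any byte of a blob returned by encrypt() makes decrypt() throw "MAC check failed" before any AES operation runs, which is the property that distinguishes encrypt-then-MAC from encryption alone.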

How to Implement a Provider for the Java Cryptography Architecture

JDK 1.1 contains implementations of digital signature, message digest and key generation algorithms.
The Java 2 SDK adds five further services: key factory, keystore creation and management, algorithm parameter management, algorithm parameter generation and certificate factory. A provider can also supply a random number generation (RNG) algorithm.

The SUN provider package includes:

Java Security Technologies

Java Cryptography

Java Security Socket Extension

Java Security Tools

No more 'unable to find valid certification path to requested target'

HTTPS - is the URL string itself secure?

   SSL : Secure Socket Layer
   TLS : Transport Layer Security
   JSSE provides:
      data encryption
      server authentication
      message integrity
      optional client authentication
   integrated with JDK 1.4
   The JSSE API supports SSL 2.0/3.0 and TLS 1.0
   Sun's JSSE implementation supports SSL 3.0 and TLS 1.0
   JCA : Java Cryptography Architecture
   JAAS : Java Authentication and Authorization Service
   PKI : Public Key Infrastructure
   SunJSSE Provider
   DES : Data Encryption Standard


Secure Sockets Layer Documentation

Online resources:

Gmail - configuring other mail clients

Incoming Mail (POP3) Server - requires SSL: pop.gmail.com
Use SSL: Yes
Port: 995
Outgoing Mail (SMTP) Server - requires TLS or SSL: smtp.gmail.com (use authentication)
Use Authentication: Yes
Port for TLS/STARTTLS: 587
Port for SSL: 465
Account Name: your full email address (including @gmail.com or @your_domain.com)
Email Address: your email address (username@gmail.com or username@your_domain.com)
Password: your Gmail password


# keytool -list -keystore ${keystore.file}
keytool -list -keystore jssecacerts

# keytool -export -alias ${alias} -keystore ${keystore.file} -file ${file}
keytool -export -alias smtp.gmail.com-1 -keystore jssecacerts.gmail -file smtp.gmail.com-1.cer

# keytool -import -trustcacerts -file ${file} -keystore ${keystore.file}
keytool -import -trustcacerts -file ./smtp.gmail.com-1.cer -keystore ./jssecacerts

PKI (Public Key Infrastructure)


Internet X.509 Public Key Infrastructure Certificate and CRL Profile

Posted by 天下太平