jan04_daniels.txt

TechTips.zip

theorem which results in m^(e d) = m (mod N). For security, each 
party encrypts with the other party's public key.

You can find more information about the RSA algorithm at
http://www.rsasecurity.com/rsalabs/pkcs/pkcs-1/. You can find 
more information about the DSA algorithm at
http://www.itl.nist.gov/fipspubs/fip186.htm.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 

ENCRYPTION AND DECRYPTION USING SYMMETRIC KEYS

The previous tip, Asymmetric Encryption Keys With the
KeyPairGenerator, discussed asymmetric encryption, where
encryption and decryption use different keys. However encryption
and decryption can be done symmetrically -- here the same key is
used to encrypt and decrypt the data. Because both parties have
the same key, the decryption essentially is performed by 
reversing some part of the encryption process. The Blowfish 
algorithm is an example of a symmetric key. It is supported by 
the Java Cryptography Extension (JCE). You can find the 
appropriate APIs in the javax.crypto.* packages. In addition to 
Blowfish, examples of cipher algorithms currently supported by 
the JCE are the Digital Encryption Standard (DES), Triple DES 
Encryption (DESede), and Password-based encryption algorithm 
(PBEWithMD5AndDES).

Symmetric key algorithms tend to be be much faster than
asymmetric key algorithms. In addition, as you saw in the first
tip, the size of the text that can be encrypted depends on the
size of the product of the two primes used to generate the public
and private keys. With symmetric key algorithms you do not have
a limitation on the total size of what can be encrypted. Although, 
depending on the symmetric cipher algorithms, the total input 
size has to be a multiple of block sizes and might require 
padding. A problem with symmetric keys is that keys must be 
shared among parties involved in encryption or decryption. So 
there is the danger of interception or unauthorized sharing.

You create a symmetric key much as you create a key pair. You use
a factory method from the KeyGenerator class and pass in the
algorithm as a String. When you call the generateKey() method,
you get back an object that implements the Key interface instead
of the KeyPair interface. The call looks something like this:

   SecretKey key =
         KeyGenerator.getInstance("DES").generateKey();

Next you need to create a Cipher. This is the workhorse for JCE.
You again use a factory method of the Cipher class so that you 
can take advantage of different providers without changing the 
application. You create a Cipher like this:

   Cipher cipher = Cipher.getInstance("DES");

A Cipher is used to encrypt and decrypt data that is passed in as
byte arrays. The two essential methods you must use are init(), 
to specify which operation will be called, and doFinal(), to 
perform that operation. For example, the following two lines use 
the cipher and key instances you created to encrypt a byte array 
called textBytes. The result is stored in a byte array called 
encryptedBytes.

   cipher.init(Cipher.ENCRYPT_MODE, key);
   byte[] encryptedBytes =
      cipher.doFinal( textBytes );

Putting this together, the following program takes an input
String and encrypts it. The encrypted String is then decrypted.

   import javax.crypto.Cipher;
   import javax.crypto.BadPaddingException;
   import javax.crypto.IllegalBlockSizeException;
   import javax.crypto.KeyGenerator;
   import java.security.Key;
   import java.security.InvalidKeyException;

   public class LocalEncrypter {

        private static String algorithm = "DESede";
        private static Key key = null;
        private static Cipher cipher = null;

        private static void setUp() throws Exception {
            key = KeyGenerator.getInstance(algorithm).generateKey();
            cipher = Cipher.getInstance(algorithm);
        }

        public static void main(String[] args) 
           throws Exception {
            setUp();
            if (args.length !=1) {
                System.out.println(
                  "USAGE: java LocalEncrypter " +
                                         "[String]");
                System.exit(1);
            }
            byte[] encryptionBytes = null;
            String input = args[0];
            System.out.println("Entered: " + input);
            encryptionBytes = encrypt(input);
            System.out.println(
              "Recovered: " + decrypt(encryptionBytes));
        }

        private static byte[] encrypt(String input)
            throws InvalidKeyException, 
                   BadPaddingException,
                   IllegalBlockSizeException {
            cipher.init(Cipher.ENCRYPT_MODE, key);
            byte[] inputBytes = input.getBytes();
            return cipher.doFinal(inputBytes);
        }

        private static String decrypt(byte[] encryptionBytes)
            throws InvalidKeyException, 
                   BadPaddingException,
                   IllegalBlockSizeException {
            cipher.init(Cipher.DECRYPT_MODE, key);
            byte[] recoveredBytes = 
              cipher.doFinal(encryptionBytes);
            String recovered = 
              new String(recoveredBytes);
            return recovered;
          }
   }



You can enter any text you like as a command line parameter. For
example, if you submit the following on the command line:

   java LocalEncrypter "Whatever phrase we would like to
    input at this point"

You should see something like this as output:

   Entered: Whatever phrase we would like to 
    input at this point
   Recovered: Whatever phrase we would like to 
    input at this point

In this example, both the encryption and the decryption were done
with the same Key object. Encryption and decryption ordinarily
occur on different VMs at different times, so you need a method
for securely transporting the key.

In the first tip you learned how to generate key pairs for 
asymmetric cipher algorithms. In the second tip, symmetric keys 
were used. Here's another technique, one that combines asymmetric 
and symmetric keys. In this technique a symmetric key is chosen 
at random and used to encrypt some data. The key itself is then
encrypted using the other party's public key. The recipient then 
uses their private key to decrypt the symmetric key and then uses 
that decrypted key to decrypt the message. The modulus used in 
the asymmetric technique need only be large enough to encrypt the
symmetric key. The symmetric key is used for a single 
transmission and then discarded. In this way, the weaknesses of 
each type are mitigated.

You can find out more about:

o DES Encryption at
  http://www.itl.nist.gov/fipspubs/fip46-2.htm

o Triple DES at 
  http://www.rsasecurity.com/rsalabs/faq/3-2-6.html
  
o AES encryption (FIPS-197), which is proposed as a replacement
  for DES, at http://csrc.nist.gov/CryptoToolkit/aes/
  
o Blowfish at http://www.schneier.com/paper-blowfish-fse.html
 
.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .

IMPORTANT: Please read our Terms of Use, Privacy, and Licensing 
policies:
http://www.sun.com/share/text/termsofuse.html
http://www.sun.com/privacy/
http://developers.sun.com/license/berkeley_license.html?uid=6910008

* FEEDBACK
  Comments? Please enter your feedback on the Tech Tips at: 
  
     http://developers.sun.com/contact/feedback.jsp?category=sdn
  

* SUBSCRIBE/UNSUBSCRIBE

  Subscribe to other Java developer Tech Tips:
  
  - Enterprise Java Technologies Tech Tips. Get tips on using
    enterprise Java technologies and APIs, such as those in the
    Java 2 Platform, Enterprise Edition (J2EE).    
  - Wireless Developer Tech Tips. Get tips on using wireless
    Java technologies and APIs, such as those in the Java 2 
    Platform, Micro Edition (J2ME).
    
  To subscribe to these and other JDC publications:
  - Go to the JDC Newsletters and Publications page,
    (http://developer.java.sun.com/subscription/), 
    choose the newsletters you want to subscribe to and click 
    "Update".
  - To unsubscribe, go to the subscriptions page,
    (http://developer.java.sun.com/subscription/), 
    uncheck the appropriate checkbox, and click "Update".
  - To use our one-click unsubscribe facility, see the link at 
    the end of this email:
    
- ARCHIVES
You'll find the Core Java Technologies Tech Tips archives at:

http://java.sun.com/developer/TechTips/index.html


- COPYRIGHT
Copyright 2004 Sun Microsystems, Inc. All rights reserved.
4150 Network Circle, Santa Clara, California 95054 USA.

This document is protected by copyright. For more information, see:

http://java.sun.com/jdc/copyright.html


Core Java Technologies Tech Tips 
January 16, 2004

Trademark Information: http://www.sun.com/suntrademarks/
Java, J2SE, J2EE, J2ME, and all Java-based marks are trademarks 
or registered trademarks of Sun Microsystems, Inc. in the 
United States and other countries.