Basics of Security and JAVA

    By enRaiser

    Introduction

    Normally we want security of two kinds:

    Security inside the system, i.e. the sandbox architecture
    Security while two systems are communicating, i.e. network cryptography

    Security inside system

    What type of security prevails in your house? You have some resources: a box of money, some toys, a kitchen, a bedroom, a guest room.

    Only your parents have access to the box of money; the children have full access to the toys, but breakable and costly items are kept away from them; guests have access to the guest room; mother has full access to the kitchen. The list is endless.

    This is the best model of the sandbox architecture, i.e. security inside the system.

    Security between Systems

    What type of security should the communication mechanism provide when two systems communicate?

    1 The message should not be altered by a third party in the communication channel.

    2 It should be possible to verify that the remote party really is who he says he is.

    Let us study the security of communication first.

    Cryptography

    Cryptography has always been a burning topic in history; in particular it played a major role in battles and world wars. The cryptography we discuss today has its origin in World War II. The major focus was on how to change a message in such a way that it can be reproduced only by the party we trust and not by any third party.

    After World War II many scientists and mathematicians developed computational algorithms for this purpose. Let us discuss a few concepts of today’s cryptography.

    Synchronous Encryption
    Asynchronous Encryption
    Message Digest

    Before discussing these algorithms, let us get clear on some cryptographic terminology.

    Encryption
    It is a process, which converts one text into another text in such a manner that the reverse process is possible.

    PlainText
    The first text is called PlainText.

    CipherText
    The second text is called CipherText.

    Decryption
    The process of converting CipherText back into PlainText.

    Synchronous Encryption

    Let us take a PlainText: “One lakh RS by check and one lakh RS cash”.

    Let us develop an algorithm:

    MyAlgo(n)
    {
        CipherText = ( move each alphabet of PlainText forward by n alphabets )
        return CipherText
    }

    So if n is 1, my CipherText is now “pof mbli ST cz difdl boe pof mbli ST dbti”.

    So that’s good: I can send this CipherText to my friend, provided he knows the value of n.

    He can easily make out that it is “One lakh RS by check and one lakh RS cash”.

    What is n here?

    In cryptographic terminology n is called the SecretKey.

    Why is it called synchronous?

    Here my friend and I should both know the SecretKey, i.e. encryption and decryption are both done using the same SecretKey. That is why it is called synchronous.

    This is the simplest possible example of synchronous encryption. Don’t assume that the algorithms actually used are also so simple.
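
MyAlgo(n) written out as runnable Java, as an added example that is not part of the original article. The class and method names are assumptions made for illustration; the closing loop shows why a cipher this simple is only a teaching aid: the SecretKey has just 25 useful values.

```java
public class ShiftCipher {

    // Move each letter forward by n positions, wrapping z -> a.
    // Characters that are not letters (spaces here) pass through unchanged.
    static String shift(String text, int n) {
        int k = ((n % 26) + 26) % 26; // normalise, so a negative n shifts backward
        StringBuilder out = new StringBuilder(text.length());
        for (char c : text.toCharArray()) {
            if (c >= 'a' && c <= 'z') {
                out.append((char) ('a' + (c - 'a' + k) % 26));
            } else if (c >= 'A' && c <= 'Z') {
                out.append((char) ('A' + (c - 'A' + k) % 26));
            } else {
                out.append(c);
            }
        }
        return out.toString();
    }

    // Encryption and decryption use the same SecretKey n.
    static String encrypt(String plainText, int secretKey) {
        return shift(plainText, secretKey);
    }

    static String decrypt(String cipherText, int secretKey) {
        return shift(cipherText, -secretKey);
    }

    public static void main(String[] args) {
        String plainText = "One lakh RS by check and one lakh RS cash";
        int secretKey = 1;

        String cipherText = encrypt(plainText, secretKey);
        System.out.println("CipherText: " + cipherText);
        System.out.println("PlainText : " + decrypt(cipherText, secretKey));

        // The whole key space fits on one screen, so the secrecy of n protects nothing.
        for (int n = 1; n <= 25; n++) {
            System.out.println("n=" + n + " -> " + decrypt(cipherText, n));
        }
    }
}
```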

    Some well-known algorithms for synchronous encryption are

    Data Encryption Standard (DES)

    Triple DES

    International Data Encryption Standard (IDEA)

    Rivest Cipher 4 (RC4)

    Blowfish

    SKIPJACK

    The US government has restricted the length of the SecretKey for these algorithms.

    There are some other interesting statistics about these algorithms, but we will not discuss them here.

    Asynchronous Encryption.

    The problem with the above algorithms is that I can communicate only with a person who knows the SecretKey. What if I want to talk to someone who does not have the SecretKey?

    The mathematicians have developed another type of algorithm in which you need two secret keys. The algorithms are such that if you encrypt the message using one secret key, you can decrypt it only using the other secret key.

    You have to trust the above sentence blindly, because it is not possible for me to give a practical example like the one I gave for synchronous encryption.

    So let us start communicating.

    First I generate two keys using this algorithm. I will encrypt the message using one secret key, which stays with me, and send the encrypted message along with the other secret key to the remote guy. Let us call the key that stays with me the PrivateKey and the key I give to the other person the PublicKey.

    Is everything OK?

    No, because here we are sending the PublicKey along with the message, which is dangerous.

    The forger sitting in between can easily reproduce the message, because he also has the PublicKey and he also knows the algorithm.

    So let us modify the rules of communication. Now I will not generate the KeyPair; instead I request the other party to generate the KeyPair and send me the PublicKey. I then encrypt the message using the PublicKey and send it back to the other party. So even if the forger has the PublicKey, he cannot understand the message.

    Let me repeat that these algorithms are such that encryption can be done using either key, but decryption can only be done using the complementary key.

    The above paragraph is the more important one; if you do not understand it, please concentrate on it some more. This is also called Public Key Cryptography.

    The known algorithms for Public Key Cryptography are:

    Digital Signature Algorithm (DSA)

    Rivest, Shamir and Adleman (RSA)

    Diffie-Hellman (DH)

    Message Digest

    A message digest is a digital fingerprint of a message. We all know the properties of a fingerprint.

    1 It happens once in a million that the fingerprints of two people match exactly.

    2 We can produce the fingerprint of a person, but not the person from a fingerprint.

    Here too it is difficult to give a practical example like the one I gave for synchronous encryption, but let me give one.

    Message: “One lakh RS by check and one lakh RS cash”.

    Myalgo()
    {
        Calculate the repetition of each alphabet A B C D E
        return the repetition;
    }

    So in this case the message digest, or simply digest, will be 41305. It is possible that other sentences also have the repetition of ABCDE as 41305, but the possibility is rare. Here only 99999 fingerprints are possible, and as we increase the length of the digest the possibility will decrease further.

    The well-known SHA-1 (Secure Hash Algorithm 1) condenses any block of data, no matter how long it is, into a sequence of 160 bits. So there can be only 2 to the power 160 fingerprints possible in the world, but 2 to the power 160 is such a large number that the possibility of duplication is even less than the possibility of duplication of the fingerprints of two different persons.

    You can easily notice that a message digest has both characteristics of a fingerprint: the rare possibility of duplication, and no possibility of reproducing the message from the digest.

    Why is it called a digest?

    Simply because it just digests the message and there is no way to get the message back.

    So let us start communicating using a message digest. Let us take a case. A father, Mr. F, has two sons, Mr. Good and Mr. Bad. He wants to make a will for his property. He calls two advocates, A1 and A2. F first calculates the digest D of the will M, then gives M to A1 and D to A2. After his death both advocates meet in court, the digest of the message is calculated again, and if the new digest matches D the will is authenticated.

    We can notice here that the message (M) and the digest (D) should reach the destination (the judge) through two different channels (A1 and A2). Otherwise the forger can easily replace both.

    A message digest gives only the first kind of solution, that is, a third party cannot alter the message; but a third party can easily read the message.

    Here we can see that the digest has no significant importance from the communication point of view, because we are communicating through only one channel. But it has one big advantage: the size of the digest is only 160 bits, however big the message is. We will explore this advantage later on.

    The known algorithms for message digest are:

    MD5, invented by Ronald Rivest of MIT.

    SHA-1, the Secure Hash Algorithm, developed by the National Institute of Standards and Technology.

    Usage of the algorithms

    Remember that the very first goals of our discussion were:

    1 The message should not be altered by a third party.

    2 There should be a mechanism by which we can be sure that the sender is who he claims to be.

    Now we have discussed three types of cryptographic algorithm. So which algorithm is best for communication?

    Truly speaking, none, because all of them have some disadvantages.

    We cannot use synchronous encryption alone in cases where the other party does not have the secret key.

    Asynchronous encryption solves this problem easily, but it has its own disadvantage: it needs a large amount of time to encrypt and decrypt compared to synchronous encryption.

    A message digest cannot be used because we do not have two separate channels.

    The mathematicians were so tempted by the message digest that they worked out the problem of two separate channels and named the solution digital signature.

    Usage 1: Digital Signature

    A digital signature is nothing but a message digest, except that here the digest is encrypted using public key cryptography.

    So the problem of two separate channels is solved: because the digest is encrypted, the forger cannot modify it. So it is just as if only the message is going through the channel.

    Let us discuss it all in proper sequence. Suppose Mr. X wants to communicate with Mr. Y.

    X <--------------------------------> Y

    1 Y sends his public key Kp to X.
    2 X calculates the digest D1 of message M.
    3 X encrypts the digest D1 using Kp; the result S is nothing but a digital signature.
    4 X sends the message along with the signature, MS.
    5 On getting the message, Y decrypts the signature and gets the digest from it.
    6 Then Y calculates the digest D2 of M.
    7 If D1 and D2 do not match, Y understands that some forger has tried to alter the message.

    That’s good: we have achieved the very first goal of our discussion, that is, the message should not be altered by a third party.

    Usage 2: Digital Certificate

    See step 1 in Usage 1: Y sends his public key.

    But a forger can also send his own public key and throw away the public key of Y.

    X <---------------> forger <---------------> Y
            Kpf                      Kpy

    Here I do not feel the need to give another set of steps; you can easily work it out.

    So the second goal is not achieved, i.e. I am communicating with a forger believing that he is Y, i.e. the sender is not what he claims to be.

    So people have developed the concept of a certificate. The only modification to the above steps is to add a zeroth step:

    0: Y proves that he is really Y by sending his certificate.

    Now what is a certificate?

    Simply speaking, a certificate is a combination of an individual’s name and a digital signature of his public key.

    In all such discussion the concept of a Certificate Authority comes into the picture.

    Let’s make the discussion simple.

    X and Y both trust a third party called T. Here the word trust does not mean that T is a good guy; it means that both X and Y have the public key of T.

    Now Y requests T to certify him. So T combines the name of Y with Y’s public key, generates the message digest and encrypts it using his own private key. That’s all: Y has been certified by T, and X believes T, so X believes Y. But how?

    Come back to the above steps.

    Now, before sending the public key, Y sends his certificate and, with it, his name.

    X generates the digest of (name + public key) and compares it with the decrypted certificate.

    If the two do not match, then the sender is not Y even though he says that he is Y.
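
The certification by T and the check by X, as an added Java example that is not part of the original article. It assumes RSA keys and the JDK's "SHA256withRSA" signature, which performs the digest and the private-key step in one call (SHA-256 is used here instead of the SHA-1 mentioned earlier); `ToyCertificate` and its methods are hypothetical names, and real certificates use the X.509 format rather than this toy layout.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;

public class ToyCertificate {

    // The data T certifies: Y's name together with Y's encoded public key.
    static byte[] toBeSigned(String name, PublicKey key) {
        byte[] n = name.getBytes(StandardCharsets.UTF_8);
        byte[] k = key.getEncoded();
        byte[] out = new byte[n.length + 1 + k.length];
        System.arraycopy(n, 0, out, 0, n.length);
        out[n.length] = 0; // separator between name and key
        System.arraycopy(k, 0, out, n.length + 1, k.length);
        return out;
    }

    // T: digest (name + public key) and process the digest with T's private key.
    static byte[] certify(String name, PublicKey subjectKey, PrivateKey tPrivate)
            throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(tPrivate);
        s.update(toBeSigned(name, subjectKey));
        return s.sign();
    }

    // X: recompute the digest of (name + public key) and check it against
    // the certificate using T's public key, which X already holds.
    static boolean verify(String name, PublicKey claimedKey, byte[] certificate,
                          PublicKey tPublic) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(tPublic);
        s.update(toBeSigned(name, claimedKey));
        return s.verify(certificate);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair t = gen.generateKeyPair();      // trusted third party T
        KeyPair y = gen.generateKeyPair();      // Y
        KeyPair forger = gen.generateKeyPair(); // forger in the middle

        byte[] cert = certify("Y", y.getPublic(), t.getPrivate());
        System.out.println("Y's key accepted: "
                + verify("Y", y.getPublic(), cert, t.getPublic()));
        System.out.println("Forger's key accepted: "
                + verify("Y", forger.getPublic(), cert, t.getPublic()));
    }
}
```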

    Basic of SSL

    If you have understood everything up to this point, then you understand the basics of SSL as a by-product.

    Let us ask the same question again: what algorithm or technique should we adopt for communication?

    The answer is synchronous encryption, because it is much faster.

    To share the secret key we will use public key cryptography.

    And to authenticate the public key we will ask for the certificate of the remote user.

    Just arrange these sentences in proper steps and they become SSL communication.

    1 Y sends his certificate (given by T) and name + public key.
    2 X verifies Y by comparing the digest of (name + public key) against the certificate, using T’s public key.
    3 X generates a secret key and sends it to Y, encrypting it using Y’s public key.
    4 Now both send messages to each other using this secret key.
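
The last two steps above, and the earlier rule that the receiving party generates the KeyPair, as an added Java example that is not part of the original article. It assumes RSA with OAEP padding for sending the secret key and AES-GCM for the messages; the class and method names are hypothetical, and the certificate check of the first two steps is left out.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;

public class KeyTransport {
    static final String WRAP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    // X: encrypt the freshly generated secret key under Y's public key.
    static byte[] wrap(SecretKey secret, PublicKey yPublic) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(WRAP);
        c.init(Cipher.WRAP_MODE, yPublic);
        return c.wrap(secret);
    }

    // Y: recover the secret key with the private key that never left Y.
    static SecretKey unwrap(byte[] wrapped, PrivateKey yPrivate) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(WRAP);
        c.init(Cipher.UNWRAP_MODE, yPrivate);
        return (SecretKey) c.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair y = kpg.generateKeyPair();               // Y generates the KeyPair

        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey xSecret = kg.generateKey();            // X generates the secret key
        byte[] onTheWire = wrap(xSecret, y.getPublic()); // all that a forger in between sees
        SecretKey ySecret = unwrap(onTheWire, y.getPrivate());

        // From here on both sides use the fast secret-key cipher.
        byte[] iv = new byte[12];                        // fresh random IV for this message
        new SecureRandom().nextBytes(iv);
        Cipher enc = Cipher.getInstance("AES/GCM/NoPadding");
        enc.init(Cipher.ENCRYPT_MODE, xSecret, new GCMParameterSpec(128, iv));
        byte[] cipherText = enc.doFinal(
                "One lakh RS by check and one lakh RS cash".getBytes(StandardCharsets.UTF_8));

        Cipher dec = Cipher.getInstance("AES/GCM/NoPadding");
        dec.init(Cipher.DECRYPT_MODE, ySecret, new GCMParameterSpec(128, iv));
        System.out.println(new String(dec.doFinal(cipherText), StandardCharsets.UTF_8));
    }
}
```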

    Java and Cryptography

    Does Java implement cryptography?

    The answer is yes. Java has implemented some of the cryptographic concepts.

    But Java does not keep a monopoly on implementing cryptography. Let us understand how.

    Java provides some packages dedicated to cryptography, and the user has to use the classes in them to achieve the goals of cryptography. The beautiful part is that most of these classes are abstract. The actual implementation is provided in the SUN package: its classes extend the corresponding classes in the Java package and supply the implementation by overriding the appropriate abstract methods.

    Another point to notice here is that it is not necessary that only the SUN package supplies the implementation of cryptography. Any third-party vendor can create another package whose classes extend the corresponding classes in the Java package.

    You can notify the JVM that the actual implementation should be taken from the third-party vendor instead of the SUN package.

    How do you tell the JVM about the location of the third-party vendor’s package?

    There is a file called java.security in the java_HOME/jre/lib/security directory.

    You just add one line informing the JVM of the location of the third-party vendor’s package, as shown below.

    security.provider.1=sun.security.provider.Sun
    security.provider.2=com.dstc.security.provider.DSTC
    security.provider.3=au.com.forge.provider.ForgeProvider

    You can use as many providers as you like.

    What is a Security provider?

    “Security provider” refers to a package or set of packages that supply a concrete implementation of a subset of cryptographic aspects.

    KeyStore

    A keystore is a file where we store all the certificates of trusted parties such as T, as we discussed, and also the private key of the user.

    Different formats are available for storing these certificates.

    Which format you want to use can also be specified by writing it in the java.security file.

    The default is the Java Key Store.

    You may have noticed this line in the java.security file:

    keystore.type=jks
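
A way to see what the JVM actually loaded from java.security, covering both the provider list and the keystore type discussed above. This is an added example, not code from the original article; `ProviderReport` and `providerFor` are hypothetical names, and only standard `java.security` calls are used.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;

public class ProviderReport {

    // Name of the provider the JVM selects when code asks for a digest by algorithm name only.
    static String providerFor(String algorithm) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance(algorithm).getProvider().getName();
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Installed providers in preference order (the security.provider.N lines).
        Provider[] installed = Security.getProviders();
        for (int i = 0; i < installed.length; i++) {
            System.out.println("security.provider." + (i + 1) + " = "
                    + installed[i].getName() + "  [" + installed[i].getInfo() + "]");
        }

        // Every provider offering SHA-1; the first one in preference order is used.
        Provider[] sha1 = Security.getProviders("MessageDigest.SHA-1");
        if (sha1 == null) {
            System.out.println("No installed provider offers SHA-1");
        } else {
            for (Provider p : sha1) {
                System.out.println("SHA-1 offered by: " + p.getName());
            }
            System.out.println("SHA-1 served by: " + providerFor("SHA-1"));
            int bits = MessageDigest.getInstance("SHA-1").getDigestLength() * 8;
            System.out.println("SHA-1 digest length in bits: " + bits);
        }

        // Keystore format taken from the keystore.type line of java.security.
        System.out.println("keystore.type property: " + Security.getProperty("keystore.type"));
        System.out.println("KeyStore.getDefaultType(): " + KeyStore.getDefaultType());
    }
}
```

A provider placed earlier in the list answers requests before the ones after it, so this output is worth reviewing whenever java.security changes. On Java 9 and later the default keystore type is reported as pkcs12 rather than jks.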