Cryptography in Java
Encryption String in Java.
Don’t Just Get it Working, Use it Securely!
Learning from a well practical blog series
1. How get started using Java cryptography securely, See also KeyNote
We choose AES/GCM/PKCS5Padding (Algorithm/mode/paddings)
AES(Advanced Encryption Standard)
- KeySize 256
- Symmetic algorithm, (same key for encryption and decryption)
Cracking a 128 bit AES key with a state-of-the-art supercomputer would take longer than the presumed age of the universe. And even uses 256 bit keys! As of today, no practicable attack against AES exists. Therefore, AES remains the preferred encryption standard for governments, banks and high security systems around the world.
1 2 3 GCM is a streaming mode which means that the ciphertext is only as long as the plaintext (not including authentication tag). GCM doesn't require a padding. This means that the PKCS5Padding version is actually only a synonym for NoPadding for convenience during programming. Some providers don't have this strange mode. The are cases where padding the plaintext makes sense. For example, you can hide the length of the actual plaintext by appending a random length PKCS5Padding.
Padding describes how blocks in the chain are aligned and filled up to match the expected block size.
6. JKS local, howto exporting RSA private key and public key from a Java Keystore (.jks)
Firstly using Java keytool to convert keystore (.jks) into PKCS#12 (.p12) store and then use
1 2 3 4 5 6 7 8 9 10 11 12 13 14 keytool -importkeystore \ -srckeystore atp-jwt-signer.jks \ -srcstorepass YYNUMus5D2BmrZPX6fVEpcR2tc6WsdZ \ -srckeypass YYNUMus5D2BmrZPX6fVEpcR2tc6WsdZ \ -srcalias atp-jwt-signer \ -destalias atp-jwt-signer \ -destkeystore atp-jwt-signer.p12 \ -deststoretype PKCS12 \ -deststorepass YYNUMus5D2BmrZPX6fVEpcR2tc6WsdZ \ -destkeypass YYNUMus5D2BmrZPX6fVEpcR2tc6WsdZ openssl pkcs12 -in atp-jwt-signer.p12 -nodes -nocerts -out private_key.pem keytool -export -alias newcert -keystore keystore.jks -file public_key.pem