Encryption String in Java.

Don’t Just Get it Working, Use it Securely!

Learning from a well practical blog series

1. How get started using Java cryptography securely, See also KeyNote

• JCA spec
• JCA providers
• 3rd Party providers/bouncy castle
• 3rd Party providers/IBMJCE

2. Cryptographically Secure Random Number Generators

3. Encryption and Decryption

We choose AES/GCM/PKCS5Padding (Algorithm/mode/paddings)

• Algorithm AES(Advanced Encryption Standard)
  • KeySize 256
  • Symmetic algorithm, (same key for encryption and decryption)

  • Cracking a 128 bit AES key with a state-of-the-art supercomputer would take longer than the presumed age of the universe. And even uses 256 bit keys! As of today, no practicable attack against AES exists. Therefore, AES remains the preferred encryption standard for governments, banks and high security systems around the world.

• Mode

  1
  2
  3
  GCM is a streaming mode which means that the ciphertext is only as long as the plaintext (not including authentication tag). GCM doesn't require a padding. 
  This means that the PKCS5Padding version is actually only a synonym for NoPadding for convenience during programming. Some providers don't have this strange mode.
  The are cases where padding the plaintext makes sense. For example, you can hide the length of the actual plaintext by appending a random length PKCS5Padding.
  

• Padding

  Padding describes how blocks in the chain are aligned and filled up to match the expected block size.

  • Can PKCS5Padding be in AES/GCM mode?

4. Message Digest

5. HMAC

6. JKS local, howto exporting RSA private key and public key from a Java Keystore (.jks)

Firstly using Java keytool to convert keystore (.jks) into PKCS#12 (.p12) store and then use openssl extract

1
2
3
4
5
6
7
8
9
10
11
12
13
14
keytool -importkeystore \
-srckeystore atp-jwt-signer.jks \
-srcstorepass YYNUMus5D2BmrZPX6fVEpcR2tc6WsdZ \
-srckeypass YYNUMus5D2BmrZPX6fVEpcR2tc6WsdZ \
-srcalias atp-jwt-signer \
-destalias atp-jwt-signer \
-destkeystore atp-jwt-signer.p12 \
-deststoretype PKCS12 \
-deststorepass YYNUMus5D2BmrZPX6fVEpcR2tc6WsdZ \
-destkeypass YYNUMus5D2BmrZPX6fVEpcR2tc6WsdZ

openssl pkcs12 -in atp-jwt-signer.p12 -nodes -nocerts -out private_key.pem

keytool -export -alias newcert -keystore keystore.jks -file public_key.pem

References:

• Public-Key-Cryptography
• Math
• Standford Cryptography I
• Diff between RSA and AES
• The right way to use SecureRandom
• Just use /dev/urandom