Musings about Coding, Business and other Geek Stuff Live and Direct from somewhere on the planet
April 28, 2004
Released new updated crypto tools

I have just released NeuClear-Commons version 0.7 which is turning into more of crypto library than a general purposes utilities library.

There are many parts of the library that make crypto a easier:

Signers and Agents

Signers are designed to shield the developer from the average complexities of writing code to handle digital signatures. It also can hide many average security user interface issues, allowing developers to focus on the actual functionality of their code.

Signers and Agents are pretty much required for everything to do with programming for NeuClear and help providing much of the core functionality.

What are Signers?

Signers are pretty much supposed to be black boxes. You ask them to sign something and they figure out how to get the passphrase, loading the keys etc.

We have several implementations of Signers:

  • JCESigner (Uses a Sun JCE KeyStore class)
  • SQLSigner (Uses a database via Hibernate to store the keys)
  • DefaultSigner (Interactive Signer which wraps around JCESigner for end user applications)

Passphrase Agents

Most signers need to interact with the user or administrator via a passphrase agent. You instantiate one of these in your code and pass it to the constructor of the Signer:

Signer signer=new DefaultSigner(new SwingAgent());

We have the following interactive agents available:

  • ConsoleAgent
  • SwingAgent
  • GuiDialogAgent (Java awt)
  • ServletPassPhraseAgent

Of which SwingAgent is the recommended and most advanced.

Non interactive passphrase agents

Anytime the signer needs a passphrase it asks the agent for it. Not all of them are designed for interactive usage. Imagine a server application. You dont want the administrator there typing the passphrase like crazy everytime there is a hit on the server.

  • AlwaysTheSamePassphraseAgent
  • AskAtStartupAgent
  • StoredPassphraseAgent

All provide a passphrase transparently to a server based digital signature application. The administrator can configure and pick which type he chooses to use.

Signing Data with a Signer

So how do you do something simple like sign some data? Simply speaking you have a reference to a Signer and just tell it to sign something:

byte signature[]=signer.sign("operations",data);

“operations” is the alias of the private key to use for the signature. This is useful for servers, where an administer sets up the KeyPairs and can specify which one to use.

If you are however writing an interactive gui application and you would like to give the user a choice of which key to use. You need to use a BrowsableSigner

byte signature[]=signer.sign(data);

This would pop up the following dialog:

This allows the end user to pick his own keystore file, create new personalities etc.

Crypto Streams

While there is already a CipherStream in the JCE. You still need to setup the cipher etc. These were designed for absolute ease of use.

Encrypting an OutputStream with a Password

PassphraseAgent agent=new GuiDialogAgent();
FileOutputStream fos=new FileOutputStream("encrypted.data");
PasswordEncryptingOutputStream sos = new PasswordEncryptingOutputStream(bos, agent.getPassPhrase("encrypted.data"));
sos.write("hello world".getBytes());
sos.close();

You can similarly decrypt with PasswordDecryptingInputStream. For serializing and deserializing password encrypted objects use SealedObjectInputStream and its Output equivalent. In addition there are streams that simplify Digests, Sigining and Verifying data.

Crypto Channels

If you are using NIO you may like to use these channels as they simplify performing crypto on channels:

Using DigestChannel to calculate the SHA1 Digest of a file

DigestChannel ch=new DigestChannel();
FileChannel fch=new FileInputStream(file).getChannel();
fch.transferTo(0,fch.size(),ch);
byte digest[]=ch.getDigest();

Using SigningChannel to calculate a signature of a file

SigningChannel ch = new SigningChannel(kp.getPrivate());
FileChannel fch = new FileInputStream(file).getChannel();
fch.transferTo(0, fch.size(), ch);
byte sig[]= ch.getSignature();

Using VerifyingChannel to verify the signature of a file

VerifyingChannel ch = new VerifyingChannel(kp.getPublic());
byte sig[]= .... // get the signature from somewhere
FileChannel fch = new FileInputStream(file).getChannel();
fch.transferTo(0, fch.size(), ch);
ch.verify(sig);

Related Entries about Crypto & Security:
Posted by pelleb at April 28, 2004 05:33 PM
This entry was posted in the following Categories: Crypto & Security
Comments
Post a comment
Name:


Email Address:


URL:


Comments:


Remember info?