How to do novice-level RSA

Nicholas Jordan
Ranch Hand

Joined: Sep 17, 2006
Posts: 1282
I spent the last two weeks coming up with about 26,000 keystrokes of Java source (30% copy-paste) trying to get decent progress on the security module for my project, and now find the whole Java™ Cryptography Architecture pivots on the idea of TAs and all its mindset.

This morning I got to the point of KeyStore Exception: "KeyStore requires Certificate chain."

I have deep, detailed knowledge of the program's security strengths/needs: Actual program security will be done with beginner methods such as s-boxes in software and a little shifting and shuffling, but want to save program state, in enciphered form, at each run: Leaving that as an audit-trail in case anyone tries to use me for a scapegoat .... I have been on too many large projects and know how this works all too well. Where I go you take care of your own ___ and don't Rust or Trust, nor take seconds to hear the voice of Authority -- you just keep moving forward and let the Hounds of Baskerville meet with the Authorities.

Right now I have ordered: Introduction to Modern Cryptography (Chapman & Hall/Crc Cryptography and Network Security Series) ISBN: 9781584885511 / ISBN 10: 1584885513 due in this Friday, and right now looking at Public Key Cryptography 101 Using Java

Any comments welcome, but to the extent they advise the use of JCA for real cryptographic effectiveness, I must understand how they work or I will not use them.
[ October 07, 2007: Message edited by: Nicholas Jordan ]

"The differential equations that describe dynamic interactions of power generators are similar to that of the gravitational interplay among celestial bodies, which is chaotic in nature."
Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4657
    

I can't imagine why you would want to use RSA for what you are describing. If you want to securely store data on a machine (say in a database) use a symmetric cipher, such as AES-128.

RSA is useful only when you want to pass messages through an untrusted media, such as email, or HTTP. And even then, you just use it to send the session key, the real messages are always enciphered using the session key. RSA is way too slow to use for messages.

You can choose to be your own CA. Or you can buy certs from a commercial CA. If you are setting up an eCommerce site, you need a commercial CA for most uses. For an intranet, or a system where you are sending data from one site you control to another you control, there is no value in paying for a cert, just use OpenSSL to make your own.

You can also look at Carl Ellison's SPKI, which is old and valid, it skips all the CA bs because what the CAs sell is not worth much.
Nicholas Jordan
Ranch Hand

Joined: Sep 17, 2006
Posts: 1282
I bought yet another book this week (had been sent to Fry's to get some wrapper software for someone else); Modern Cryptography - Theory and Practice by Wenbo Mao www.hp.com/hpbooks which immediately runs headlong into an issue an arena of which I have exquisite claim. Concisely, TextBook crypto v FieldCrypto.

Working the advanced forum moments ago, I noticed:

posted Wednesday, October 31, 2007 10:24 PM by P.F.
"... The keys are usually kept in a nasty binary format defined by RSA labs called PKCS #1 or #7, which is really ASN.1 BER/DER format. It is unreadable without serious binary mangling."

and vis-a-vis "I can't imagine why you would want to use RSA for what you are describing." I want to clarify what it is I am trying to achieve.

Suffice it to say crypto is beyond my skills, so also as well is the fact that if the machine exposes "File" constructs to the other persons around whom I will be working in a directory listing or any other whatchamacallit that the user can see or point at in the routine use of the computer, then there exists the risk of tampering by we just do not know who, how or when.

I therefore reasoned that I could go to Team Lead's office and generate a key pair: a public private key pair - for which AES-128 would not be effective as it is a symmetric cipher. I do not want to securely store data on a machine (say in a database) and intend, with great thought and detailed knowledge of the operational environment, to leave that sort of DataSet exposed short of shielding the stored information from routine curiosity seekers.

When we are around people with rats that cost $22,000 dollars apiece, I do not want to have the ability to tamper with an incontrovertible record.

I therefore reasoned that I could study established engineering on RSA cryptosystem (http://www.weidai.com/scan-mirror/ca.html#RSA) by using the Java Cryptography Architecture to obtain an RSA public key which I would hardcode into my Java Application.

At program unload, I could write a CYArecord that would be essentially untamperable by me, given a Team Lead who is trained in computer security and does that sort of thing professionally in truly secured environments, and knows about all the what-if's and prevent-it-before-it-happens that a field-operational tech sees too many times. I would generate a Public/Private key pair there at Team Lead's desk and walk away with only the public key.

Any data-base fixups would be done by beginner methods such as s-boxes in software and a little shifting and shuffling and just plain "adjust data" dialog boxes, me like anyone else with no special access and no: The person with administrative rights for the computer should make sure the user should have the special privileges assigned.... such that I could tamper a record.

If they ( anyone ) wants to get the decrypted record, they would have a badge and a warrant and obtain the private key from Team Lead under process of law ( in which Team Lead works every day ) and pass the private key to a disinterested third party holding a baccalaureate computer scientist, who would then function under formal directions from The Bench of Law.

Anyone else gets to read my specialized theories on parallel computer architecture such as that worked by Seth Lloyd Room 3-160

This work is advanced and is beyond most people.

When I tried to use Java™ Cryptography Architecture, my coding was not effective in obtaining a public key.

A keystore would be of great value to Team Lead in protecting the private key. A Certificate chain, if any, would be essentially useless unless and solely if such Certificate chain could be used by the baccalaureate computer scientist to do clean computer science at The Bench of Law.

Preliminary questions, if any, should be put to an efficient and perfunctory review of Spam v Muppets with the concern of how to apply known crypto to enhance security in an operational arena where ... (consumers) fear that the use of the Spa'am character will cause a drop off in the consumption of SPAM, a tasty and appealing commercial potted meat product from a great example of marketing expertise.
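
Added example (editor's illustration, not code from either poster): the arrangement discussed in this thread, where the application holds only an RSA public key and seals each record so that only the private-key holder can read it, built the way the reply above describes: RSA carries a fresh AES-128 session key and AES enciphers the record. The class name, method names, AES-GCM mode and OAEP padding are assumptions chosen for the sketch; the key pair is generated in-process with plain JCA calls, so no KeyStore or certificate chain is involved.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.*;

public class SealedAuditRecord {
    static final String RSA = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    static final String AES = "AES/GCM/NoPadding";

    /** Application side: needs only the public key. Returns {wrappedKey, iv, ciphertext}. */
    static byte[][] seal(PublicKey pub, byte[] record) throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);                                  // AES-128, as suggested in the thread
        SecretKey session = kg.generateKey();          // fresh session key for every record
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);              // GCM nonce, never reused with one key
        Cipher aes = Cipher.getInstance(AES);
        aes.init(Cipher.ENCRYPT_MODE, session, new GCMParameterSpec(128, iv));
        byte[] ct = aes.doFinal(record);
        Cipher rsa = Cipher.getInstance(RSA);
        rsa.init(Cipher.ENCRYPT_MODE, pub);            // RSA only ever touches the 16-byte key
        byte[] wrapped = rsa.doFinal(session.getEncoded());
        return new byte[][] { wrapped, iv, ct };
    }

    /** Key-holder side: the only place the private key is needed. */
    static byte[] open(PrivateKey priv, byte[][] sealed) throws GeneralSecurityException {
        Cipher rsa = Cipher.getInstance(RSA);
        rsa.init(Cipher.DECRYPT_MODE, priv);
        SecretKey session = new SecretKeySpec(rsa.doFinal(sealed[0]), "AES");
        Cipher aes = Cipher.getInstance(AES);
        aes.init(Cipher.DECRYPT_MODE, session, new GCMParameterSpec(128, sealed[1]));
        return aes.doFinal(sealed[2]);                 // AEADBadTagException if bytes were altered
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();            // stands in for the pair made by the key holder
        // Constructed sample record, not real program state.
        byte[] record = "constructed sample: program state at unload".getBytes(StandardCharsets.UTF_8);
        byte[][] sealed = seal(kp.getPublic(), record);
        System.out.println("wrapped key bytes: " + sealed[0].length);
        System.out.println(new String(open(kp.getPrivate(), sealed), StandardCharsets.UTF_8));
    }
}
```

Sealing to a public key keeps the record unreadable to whoever wrote it, but it does not by itself show who wrote a record or stop a record being replaced with a freshly sealed one, because the public key is available to the writer by design. The GCM tag only reveals alteration of the stored bytes to the party who can unwrap the session key.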
 