KeyGenerator using JCE

James Dekker
Ranch Hand

Joined: Dec 09, 2006
Posts: 215
All,

I am trying to build a KeyGenerator using JCE...

Have built two different ones using the standard core Java libraries.

Am a complete n00b when it comes to security and need to use JCE to build something which outputs something similar to the FirstKeyGenerator.

More specifically, I need the generated key to look like the FirstKeyGenerator's output (strictly alphanumeric and no other characters and/or symbols).

FirstKeyGenerator:



Output:



SecondKeyGenerator:





Here's the actual one that I am trying to build using JCE:



I got the following exception:



Question(s):

(1) Am I going about this the right way with the JCEKeyGenerator?

(2) Am wondering how to incorporate the usage of multiple input seeds (such as a timestamp or a database sequence id which would always generate the same length of keys following the same exact alphanumeric format of the FirstKeyGenerator's output).

Would be very grateful if someone could help me because at this point I am confused...

Happy coding to all,

James
[ April 19, 2008: Message edited by: James Dekker ]
greg stark
Ranch Hand

Joined: Aug 10, 2006
Posts: 220
You are confusing a cryptographic key generator with a product key generator. The KeyGenerator class is for cryptographic keys. What you want I guess is a secure random byte source; that is what SecureRandom is for. And since SecureRandom extends Random, all you need to do to create your second key generator is change one line from your first; from to You will have to deal with the exception that SecureRandom.getInstance throws.

SecureRandom, by the way, is a JCE class. When you use SecureRandom, you are using the JCE.

However, SecureRandom does not produce a repeatable sequence of bytes; that would not be secure. I'm not really familiar with product key security, so I can only guess at what is needed, but I think something like the following will work:

Use the BouncyCastle DigestRandomGenerator class with a SHA1 hash object (MessageDigest.getInstance("SHA1"); ). Use this object to implement your own subclass of Random. You only need to override one method of Random, the int next(int) method, and the Javadocs for this basically show you what to do. Use an instance of this class instead of Random() in your first example.
[ April 20, 2008: Message edited by: greg stark ]

Nice to meet you.
James Dekker
Ranch Hand

Joined: Dec 09, 2006
Posts: 215
Thank you so much, Greg!

Here's what I've come up with (according to your feedback):



The client:



Outputs:



How do I insert different input types into the ProductKeyGenerator class (such as Date timestamp, String, or database sequence id)?

It seems that the java.util.Random class only processes seeds which are arrays of bytes placed inside the Random.nextBytes() method.

I need it to be able to process different types of input seeds instead of just bytes?

Happy coding to you, dude!

James
[ April 20, 2008: Message edited by: James Dekker ]
greg stark
Ranch Hand

Joined: Aug 10, 2006
Posts: 220
Random.nextBytes() does not process a seed; rather, it returns bytes from the randomizer into the supplied byte array.
James Dekker
Ranch Hand

Joined: Dec 09, 2006
Posts: 215
Thanks for the help, Greg:

How could I go about having this KeyGenerator support multiple input seeds?

Do I have to create convertDateToBytes() method which converts a Date timestamp into a byte[] ?

Thanks for all of your help!

-James
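
greg stark's two suggestions and the question about Date, String and sequence-id seeds, as an added example that is not any poster's code: `key()` accepts any `Random`, so `SecureRandom` yields unpredictable keys, while the hypothetical `HashRandom` overrides `next(int)` to yield repeatable ones. It uses the JDK's SHA-256 in counter mode in place of BouncyCastle's DigestRandomGenerator; all class and method names and the sample inputs are assumptions.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;

// Added example; class and method names are hypothetical, not from the thread.
public class ProductKeyDemo {
    static final String ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";

    /** Repeatable Random: output block i is SHA-256(seed || i). */
    static class HashRandom extends Random {
        private final byte[] seed;
        private byte[] block = new byte[0];
        private int pos;
        private long counter;
        HashRandom(byte[] seed) { this.seed = seed.clone(); }

        @Override protected int next(int bits) {   // the one method Random needs overridden
            int v = 0;
            for (int i = 0; i < 4; i++) {
                if (pos == block.length) { block = hash(seed, counter++); pos = 0; }
                v = (v << 8) | (block[pos++] & 0xFF);
            }
            return v >>> (32 - bits);
        }
    }
    static byte[] hash(byte[] seed, long counter) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(seed);
            return md.digest(ByteBuffer.allocate(8).putLong(counter).array());
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);     // every JRE must provide SHA-256
        }
    }
    /** Fixed-width numbers plus a length-prefixed string, so distinct inputs never encode alike. */
    static byte[] seedOf(Date when, long sequenceId, String label) {
        byte[] s = label.getBytes(StandardCharsets.UTF_8);
        return ByteBuffer.allocate(20 + s.length)
                .putLong(when.getTime()).putLong(sequenceId).putInt(s.length).put(s).array();
    }
    static String key(Random rng, int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) sb.append(ALPHABET.charAt(rng.nextInt(ALPHABET.length())));
        return sb.toString();
    }
    public static void main(String[] args) {
        byte[] seed = seedOf(new Date(1208563200000L), 42L, "customer-7"); // constructed inputs
        System.out.println(key(new HashRandom(seed), 20)); // repeatable for the same inputs
        System.out.println(key(new SecureRandom(), 20));   // unpredictable, differs every run
    }
}
```

A repeatable key is only as secret as its seed: a timestamp and a sequence id can be guessed, so anyone who knows the scheme can recompute the key unless the seed also includes a value kept secret on the server.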
James Dekker
Ranch Hand

Joined: Dec 09, 2006
Posts: 215
Greg,

I just posted the same question on the Bouncy Castle mailing list (regarding how to use Bouncy Castle's libraries to build a similar KeyGenerator) and this is what one of the moderators stated:

"We don't have a UUID generator though - you'd have to write one yourself."

Is there any way to do this using Bouncy Castle?

Is KeyGenerator creation using Bouncy Castle or JCE an overkill?

I mean are those libraries only for encryption / decryption?

Thanks for all the help!

-James
Nicholas Jordan
Ranch Hand

Joined: Sep 17, 2006
Posts: 1282
Originally posted by James Dekker:
Greg,

I just posted the same question on the Bouncy Castle mailing list (regarding how to use Bouncy Castle's libraries to build a similar KeyGenerator) and this is what one of the moderators stated:

"We don't have a UUID generator though - you'd have to write one yourself."

Is there any way to do this using Bouncy Castle?

Is KeyGenerator creation using Bouncy Castle or JCE an overkill?

I mean are those libraries only for encryption / decryption?

Thanks for all the help!

-James


You are certainly going about it the right way. Why you are throwing the exception does not jive with the level of work you are accomplishing in such short time. There is a widely available document called: JavaTM Cryptography Architecture API Specification & Reference which is available at http://cycleserv2.csail.mit.edu/jdk/guide/security/CryptoSpec.html among other places. I can dig through your code and find out why the exception is present, but it is much, much better if you do the work.

Anytime crypto is involved it is paramount that you practice and practice. Your UUIDs look decent but is that particular format already built-in on your design? I succeeded a few days ago in generating Public / Private key pairs over 900 decimal digits long. In general I would prefer that most keys be in bytes ( or other native machine format ) in that experience shows ( my experience ) that virtual oblivion is the only attention you will get from users for non-trivial keys. Thus, the machine can handle the keys and the human factors come to play with your best efforts like the Banshees From Hell on an invitation to cool off.

Try: http://www.homeport.org/~adam/crypto/ - look around awhile. See what others have done. The only plain language get-going book that is useful that I have found is Jason Weiss - Java Cryptography Extensions. With that, I had DES in skeleton form ( pun intended ) working in four or five hours. I still have to go back and get AES to work, then it's on and on .... but always there is the lurking risk that something was overlooked.

Rote rules the day for now. The question of overkill should be directed to the Banshees, they can provide experienced overviews on that. Never underestimate your adversary, never overestimate the capabilities of the people you want to use the keys. Not all of the code you may need has been written, that is part of what Java is all about, you can write tookits yourself. Start with working on why you are getting the exception. Even if you do not need the strength of Crypto-Grade Encipherment the skills gained to get various packages translate immediately into skills useable throughout your packge and can even translate into cs skills in other programming approaches.

It will not go fast, nor should it.


"The differential equations that describe dynamic interactions of power generators are similar to that of the gravitational interplay among celestial bodies, which is chaotic in nature."
greg stark
Ranch Hand

Joined: Aug 10, 2006
Posts: 220
Sorry, I don't know anything about UUIDs. As to whether Bouncycastle is overkill I cannot answer either, as I am not familiar with your requirements. Bouncycastle implements cryptography, of which encryption/decryption and random number generation are important components. If you need a cryptographic solution such as cryptographically strong random numbers then Bouncycastle is definitely something to consider.
Nicholas Jordan
Ranch Hand

Joined: Sep 17, 2006
Posts: 1282
Originally posted by greg stark:
Sorry, I don't know anything about UUIDs.


  java.util.UUID  

As to whether Bouncycastle is overkill I cannot answer either, as I am not familiar with your requirements. Bouncycastle implements cryptography, of which encryption/decryption and random number generation are important components.


Well if Pat says it's good, then he probably intends to cast a favorable view on BC's crypto quality. A key generator may well be implemented by a particular vendor ( author ) of cryptographic tools, but patient study to learn correct use of the tools exceeds the likelihood that any one-day analysis of SecureRandom v Math.random() is or is not applicable to poster's current design. I hope above all else that we do not have a student who thinks he is going to study crypto for one week, then continue with other areas of computer science as primary study of crypto having been being accomplished.

If you need a cryptographic solution such as cryptographically strong random numbers then Bouncycastle is definitely something to consider.


Cryptix has java.security.SecureRandom in its source code. ( Cryptix's source code listing ) I presume from this that Cryptix did not re-implement a cryptographic strength randomizer. I expect to find that BC did not re-invent the wheel here either, so being what I am I went and hired a bench technician to design a Krypton-85 enhanced fire-wire to deliver kilobit per second bitstream with not particularly crypto-grade entropy. At least by doing that I could gain physical control of the data-stream.

So far I have wasted forty dollars on a neophyte grade "report", embarrassed myself in front of real cryptographers and gotten nothing done. Whether using BC is overdone does not directly answer issues related to SecureRandom.getNextBytes() or initialization of KeyGenerator. What is at issue here is that the poster is doing work in formal education. Thus, with some time to acclimatize to the work, may be directed at some point to study the relative strengths of Suite B tools.

I note for the poster that leaving the wrongly spelled word at the end of my previous post is to direct attention to the always needful review for correctness. My source directory for c/cpp sources lists 113 cryptologic algorithm names. For example:



Because I can copy paste some algo name I never heard of does not mean I know how to use it.

It is for some reason common in crypto for people to think they know more than they do.
[ April 21, 2008: Message edited by: Nicholas Jordan ]
 