KeyGenerator, Part II

James Dekker
Ranch Hand

Joined: Dec 09, 2006
Posts: 219
All,

Okay, I decided to create a new post (rather than continuing the previous post, located here).

Sometimes when new questions are introduced, I think people dislike having to read the same long posts with all the same comments.

I figured out how to pass into my KeyGenerator, multiple input seeds! The java.util.UUID class only takes in byte[] so I decided to convert the sequence id and timestamp input seeds into strings and then in turn convert the strings into a byte[]. The byte[] is then passed into the java.util.UUID.name.UUID() method and voila the magic happens!

Here it is:



The client:



Now, when you run the client this is what the output is:



As you can see, they are always the exact same length (regardless of the type of input seed), because UUID is based on a 128-bit value.

Now, here is the new set of question(s):

(1) Is there a way to pass two different kinds of seeds in at the same time (instead of using two different methods, like I have done)? So that both seeds are used to generate a single key. This is just a further safety check for guaranteeing uniqueness.

(2) Encryption is not what I am looking for (sorry for the previous wild goose chase)... What I am looking for is a way to make these generated keys look more aesthetically pleasing (such as a Microsoft Word product key). An example of a key like this is:

BRDUQ-HPZWJ-SZDYR-KKT3Q-JAF12

(3) Is there a way to specify a shorter key length? I am assuming not since Java UUIDs are immutable and 128-bit. Is there a way to set it to use 64-bit?

(4) Is there a 3rd party library or product that people use to generate product keys for their shrink wrapped production release desktop Java Swing or Eclipse RCP (SWT) applications? Maybe I am trying to reinvent the wheel?

You guys rock!

-James
[ April 24, 2008: Message edited by: James Dekker ]
greg stark
Ranch Hand

Joined: Aug 10, 2006
Posts: 220
A product key and a UUID are two different things. So which one do you want? The microsoft word example you gave, BRDUQ-HPZWJ-SZDYR-KKT3Q-JAF12, is not a UUID, is it?


Nice to meet you.
James Dekker
Ranch Hand

Joined: Dec 09, 2006
Posts: 219
I want my UUID to look more like a product key... No, the sample Microsoft Word key I provided is (from the best of my knowledge) not a UUID. I am assuming that someone at Redmond probably used an external / internal app to generate them when Word was production ready.

In short, I guess, I was looking for a 3rd party library and / or an inexpensive product (hopefully, with Java integration) which generated product keys, instead of encrypted keys / tokens. The solution I discovered was the java.util.UUID class.

Is there any way to combine the timestamp input seed and sequence id input seeds as parameters inside a method to generate a single key?

Also, is there a way to obfuscate the keys to make them resemble a product key and less hex? Perhaps using Base10?

Since, UUIDs are immutable, and 128-bit based, is there a way to make them appear shorter?

Thanks for all the help!

James
[ April 24, 2008: Message edited by: James Dekker ]
Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4659
    
    5

128 bits is only 16 bytes, which is only 24 characters MIME encoded. Only 32 characters hex. Five blocks of five characters each is not very long. Always feels like Microsoft keys are much longer than that.

If you want fewer characters, just truncate the hash. Pick a number you like, just verify against the Birthday paradox.
James Dekker
Ranch Hand

Joined: Dec 09, 2006
Posts: 219
Pat,

From the best of my understanding, the SHA1PRNG algorithm is the hash.

And it only exists in the KeyGenerator.getKey() method (the first method specified in the class).

Am not sure what you mean by truncate (in this particular situation)?

How would I truncate it (for starters) and how do I truncate the other methods' results?

I also want more alphabets (similar to the sample Microsoft Word key), than numbers...

Thanks so much!

James
Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4659
    
    5

Originally posted by James Dekker:
Am not sure what you mean by truncate (in this particular situation)?
How would I truncate it (for starters) and how do I truncate the other methods' results?


You truncate the nonce by picking a bunch of bits out of the result. Typically a SHA1 returns its result in a byte[16] array. If you want a 64 bit result (truncated) you can pick any 8 bytes you want. You can just use the first eight, the last eight, some middle eight, the odd ones [1], [3], ... You could even use every other bit value within the bytes.

(technically, the result of a SHA is an array of octets, unsigned bytes. But Java doesn't do that).

Then you have to convert the binary to readable. You have to decide what you want, for example, do you want the characters to be case sensitive (like most of the world's computers) or case insensitive (like Windows files)? Do you want to allow special characters *&#$? or just letters and digits?

You can output hex, uuencode, MIME, or any other conversion. When it needs to be case insensitive, I tend to use the characters [0-9A-Z] as a mapping.
James Dekker
Ranch Hand

Joined: Dec 09, 2006
Posts: 219
Thanks Pat!

Can you elaborate a bit more (by using some code examples)?

Am not a true CS bot, so I don't understand many of the things that you stated...

Like I said, the only method which uses the SHA1PRNG algorithm is the KeyGenerator.getKey() method. The other ones just turn Strings into byte[] and then pass the byte[] into UUID.nameFromBytes(convertedByteArray) method.

I want the keys to be more alphabetic and have one number in each section unlike what I have now (which is a mixture of numbers and alphabets).

Would really appreciate it if you could provide what you meant by using code...

Ideally, I want to pass in a timestamp and a sequence id (inside one method) to generate one key - combining the timestamp and sequence id. The first method in my KeyGenerator class, getKey() only uses the SHA1PRNG algorithm as an example, in order, to show how it would look like in length and style compared to the others. I still don't understand how to make the UUIDs 64-bit.

-James
Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4659
    
    5

Originally posted by James Dekker:
Ideally, I want to pass in a timestamp and a sequence id (inside one method) to generate one key ..... the SHA1PRNG


I don't understand your use of SHA1PRNG, if you want the key to be created from your timestamp and sequence number. Your initial code fragment doesn't use the timestamp or sequence.
Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4659
    
    5

Originally posted by James Dekker:

Would really appreciate it if you could provide what you meant by using code...


It's really too long to post, I've put some code up on my website.

Sample code for James

You should run it and modify to suit
James Dekker
Ranch Hand

Joined: Dec 09, 2006
Posts: 219
Pat,

Thank you very much for providing me with this!

WOW! This is a little bit outside my grasp (as a programmer), but I am very impressed!

When I ran the Main.java class this is what I received as the output:



The trunc first 8 did seem shorter but at the same time, the letters were still lowercase and it didn't include dashes (-) inside it.

I am looking for something similar to:

XXXXX-XXXXX-XXXXX-XXXXX

When I ran the B64.java class, in Eclipse, there was no output!?

Very impressive piece of work!

Thank you very much for sharing!

James
Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4659
    
    5

Originally posted by James Dekker:



The trunc first 8 did seem shorter but at the same time, the letters were still lowercase and it didn't include dashes (-) inside it.

XXXXX-XXXXX-XXXXX-XXXXX


You can do your own toUpperCase() on the string, and use Formatter to put the dashes into it.

The trunc bytes are the same because all I did was truncate it.
The mime/base64 are different, because that's a different encoding.

You should work to fully understand the code, it's really simple. And if you are playing in this space, you want to grok it completely.
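
As an added example (not Pat's sample code and not part of the original thread), the steps described in the posts above can be put together in Java: an HMAC over both the timestamp and the sequence id, truncation of the result, a case-insensitive letter-and-digit mapping, and dashes between groups. The class name, the 32-symbol alphabet, the choice of HmacSHA256 and the secret are assumptions made for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Locale;

public class ProductKeyExample {
    // Assumed alphabet: 24 letters + 8 digits, no 0/O or 1/I look-alikes (32 symbols = 5 bits each).
    private static final String ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789";
    private static final int GROUPS = 4, GROUP_LEN = 5; // XXXXX-XXXXX-XXXXX-XXXXX = 100 bits

    static String generate(byte[] secret, long timestampMillis, long sequenceId)
            throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        // Both seeds go into one input; the separator keeps (12, 3) and (1, 23) distinct.
        String seed = timestampMillis + "|" + sequenceId;
        byte[] digest = mac.doFinal(seed.getBytes(StandardCharsets.UTF_8)); // 32 bytes
        // Truncate: first 13 bytes = 104 bits, drop 4 to leave the 100 bits we encode.
        // Birthday bound: collisions become likely around 2^50 issued keys.
        BigInteger bits = new BigInteger(1, Arrays.copyOf(digest, 13)).shiftRight(4);
        StringBuilder key = new StringBuilder();
        for (int i = GROUPS * GROUP_LEN - 1; i >= 0; i--) {
            key.append(ALPHABET.charAt(bits.shiftRight(5 * i).intValue() & 0x1F));
            if (i > 0 && i % GROUP_LEN == 0) key.append('-');
        }
        return key.toString();
    }

    // The issuer re-derives the key from the same seeds and compares in constant time.
    static boolean matches(byte[] secret, long timestampMillis, long sequenceId, String typed)
            throws GeneralSecurityException {
        byte[] expected = generate(secret, timestampMillis, sequenceId).getBytes(StandardCharsets.US_ASCII);
        byte[] given = typed.trim().toUpperCase(Locale.ROOT).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, given);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] secret = "constructed-demo-secret".getBytes(StandardCharsets.UTF_8); // placeholder
        long ts = 1209340800000L; // constructed sample timestamp
        for (long seq = 1; seq <= 3; seq++) {
            String key = generate(secret, ts, seq);
            System.out.println(key + " valid=" + matches(secret, ts, seq, key.toLowerCase(Locale.ROOT)));
        }
    }
}
```
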
Nicholas Jordan
Ranch Hand

Joined: Sep 17, 2006
Posts: 1282
Originally posted by James Dekker:
From the best of my understanding, the SHA1PRNG algorithm is the hash.


It is the hashing algorithm. The hash, usually, is the name given to the unique pattern - generated by a particular hashing algorithm - which results from a definite feed to a definite algorithm. IOW - all hashing algorithms are deterministic. The characteristic behaviour of a hashing algorithm is that any small change in the value hashed produces a unique value from the hash. This means that you can take a hash to someone, then later ..... just keep reading. SHA1PRNG is the hashing algorithm that Java dot Security dot generate random number uses as part of its work.


And it only exists in the KeyGenerator.getKey() method (the first method specified in the class).


Try not to make hard and fast rules that you do not go back and review again and again. That carries risks that are too strong to correctly word at some place like Java Ranch, even in a Saloon.

Am not sure what you mean by truncate (in this particular situation)?


Same as dictionary def.

How would I truncate it (for starters) and how do I truncate the other methods' results?


Whatever Pat said, I barely examined his work on the matter.

I also want more alphabets (similar to the sample Microsoft Word key), than numbers...


Perfect opportunity. I want you to write a scatter-splatter that picks mostly alpha characters but as well has some numerics and all of the ascii range. Start by writing a simple Caesar Shifter.

Given some "letter to Ledbetter - the Lotta Luck Louie of Loo" .... ( whatever - any arbitrary characters or string ) and shifts them ( the letters by an arbitrary amount taken as a function parameter. Start with character = '(space)' do char++ while char < ascii backspace with wraparound so you do not get runaway chars.

Write a program that detects as a numeric the counts of character offset from one character to the next in normal language. IOW: "a cat ran fast" has an 'a' and then a space. Then space and 'c' . Each of these characters has ascii values from 0x20 to 0x7e or f. ascii char charts are common in decent editors. Another way of approaching this on first effort is to just write a simple main() that prints all the ascii values from 0x20 to '~' to a file which you can open in an editor.

These tools are not considered encipherment. This is to get you to think about some things. EG: why do you want at least one alpha in each section. I can tell you why, it is because there is an evolution in this crypto thing. It takes all of us through a region of the mind we did not know we have.

Where are you going to get the timestamp? Local time can be changed on many platforms. It's the byte[] gas = hmac(secret, tmp.getBytes()); that you should study. There are a lot of hurdles that just take some work, since you are a cs student it is what you are here to do so start with: What is Hashed Message Authentication? ( Ask Pat what the C stands for ) Compare what Pat says to whatever info you can find. Contemplate the differing descriptions.

  •   Note especially Pat's last remark.
  •   Note especially Pat's last remark.
  •   Note especially Pat's last remark.

  • The code is not all that complex, compared to getting used to working in cryptologics. Accounting is a good contrasting study if you are made uncomfortable by The Body Farm.




    ....connection terminated: Igor Knuckleorski.

    [ April 27, 2008: Message edited by: Nicholas Jordan ]
    [ April 28, 2008: Message edited by: Nicholas Jordan ]

    "The differential equations that describe dynamic interactions of power generators are similar to that of the gravitational interplay among celestial bodies, which is chaotic in nature."
     