A access control lists (ACL), 248
addActionListener(), 42
addCertificate(), Identity class, 70
addIdentity(), IdentityScope class, 72, 77
addProvider(), Security class, 35
addToBufferedData(), BlockCipher, 147
AlgorithmParameters class, 279-280
AlgorithmParameterSpec interface, 53, 104, 304
AlgorithmParametersSpi class, 280-281
algorithm-specific initialization, 53, 104, 144
-alias option (keytool), 84, 87
API (Application Programming Interface) methods, 31
applet security permissions
in HotJava, 169, 170
in Internet Explorer, 179
in Navigator, 175
applets, applying cryptography to, 247-248. See also signed applets
applications
access control lists in, 248
cryptography in client applets, 247-248
cryptography in client/server, 246-247
cryptography in demonstration, 245-246
cryptography in self-contained, 244-245
preventing decompiling of, 248-249
preventing memory scanning of, 252
preventing modification of class files, 249-250
architecture of cryptographic classes, 31
ASCII characters, representing as byte data, 8. See base64
ASN.1 (Abstract Syntax Notation) language, 115
asymmetric ciphers, 15-16, 121
authenticate(), ProtectedServer class, 98, 101
altering for doubly protected passwords, 101
authentication, 3, 92-93
proving with certificates, 20-22
proving with Macs, 101-103
proving with message digests, 93-101
proving with signatures, 103-111
AWTEventMulticaster class, 42, 44
B
base64, 8, 258-262
Base64 class, 259-261
BigInteger class, 185, 255-257
converting between numbers and byte arrays, 256-257
ElGamal key pair generation, 256-257
block ciphers, 121
BlockCipher class, 145-150
modes of, 123-127
padding of, 121-123
block sizes, for ElGamal cipher, 192, 193
BlockCipher class, 145-150
byte data, representing as ASCII. See base64
bytecode obfuscators, 249
bytecode verifiers, 4
C
-c option (jar tool), 264
-c option (javakey), 268-269, 275
-c option (KeyManager), 73, 77, 222
cabinet files, 177
calculateBlockSizes(), ElGamalCipher class, 194
Capabilities API system, 171-172
CAs (certificate authorities), 271
CBC (cipher block chaining), 123, 124-125
implementing, 150-155
CBCWrapper class, 150-155
Certificate Authorities (CA), 21, 271
certificate chaining, 21-22
Certificate class, 30, 112-119, 297-298
certificate fingerprints
printing, 90, 117
verifying certificates with, 22, 273
Certificate Revocation Lists (CRLs), 118-119
Certificate Signing Requests (CSRs), generating with -csr option, 87-88
certificates, 112-119
as authentication tool, 20-22
Certificate Signing Requests (CSRs), 87-88
displaying with javakey, 272-273
generating, 113, 271-273
importing to keystores, 88-89
javakey options for, 274-275
managing with Identity class, 70
printing, 90, 117
retrieving from KeyStore, 83
revoking, 118-119
saving to file, 90
Spill tool, 115-118
storing in KeyStore, 82-83
verifying, 113-114, 273
X.509 standard, 114-115, 274
CFB (cipher feedback), 123, 125-127
CFBWrapper class, 155-159
checkBufferedData(), BlockCipher class, 146-147
Cipher class, 30, 128-135, 308-309
adding data to ciphers, 132-135
BlockCipher subclass, 145-150
CBCWrapper subclass, 150-155
CFBWrapper subclass, 155-159
CipherSpi class, 142-145
getInstance() in, 32
implementing, 142-145
initializing ciphers, 131-132
obtaining ciphers with, 129-130
cipher streams, 135-137
CipherInputStream class, 135-137, 309-310
CipherMail, 219-243
architecture of, 223-224
CipherMail class, 224, 234-243
Composer class, 224, 232-234
decrypting messages, 224-225
display window in, 220
email messages with, 222-223
encrypting messages, 224
first-time setup for, 220-222
Message class, 226-228
POP3 class, 223, 224, 228-230
SMTP class, 223, 224, 230-232
CipherOutputStream class, 135-137, 310
ciphers, 8, 13-16
asymmetric, 15-16, 120
block
modes of, 123-127
padding of, 121-122
Cipher class, 128-135
ElGamal. See ElGamal cipher algorithm
hybrid systems, 16, 120, 159-162
modes, 123-127, 128, 130
padding, 121-123, 130
private key, 14-16, 120
public key, 15-16, 120
symmetric, 14-16, 120
CipherSpi class, 142-145, 310-311
ciphertext, 13
Class 2 certificates, VeriSign, 171
Class 3 certificates, VeriSign, 171
classes
cryptographic concepts supported by, 30-31
encrypting in applications, 249
factory, 34
factory methods in, 31-32
method architecture of, 31
preventing modification of files, 250
client/server applications, 246-247
client/server security protocols, 60-68
digital signatures, 108-111
doubly protected passwords, 99-101
protected password logins, 95-99
Skip class, 60-61
SkipClient class, 63-64
Skipper class, 64-68
SkipServer class, 61-63
client sockets
password protection and, 95-97
private keys access, 108-111
cloning keys, 90
Composer class, 224
concatenate(), Session class, 203, 206
ConcreteIdentity(), IdentityScope class, 71
confidentiality, 3
importance in secure systems, 12
protecting with ciphers, 13-16
protecting with hybrid systems, 16
connect(), Session class, 203, 204-205
connections, realtime network, 199-200, 201
Receiver class, 210-211
SafeTalk class, 211-218
Session class, 202-209
SessionServer class, 210
Counter class, 43-44
create(), 76
CRLs (Certificate Revocation Lists), 118-119
cryptanalysis, 3
Cryptix, 129, 159
cryptographic algorithms, names for, 32-33
cryptographic concept classes, 30-32
cryptographic hash. See message digests
cryptographic providers
algorithm identification by, 180-181
algorithms recognized by, 128
architecture of, 33-36
configuring, 35
creating new, 180, 181-183
Jonathan provider. See Jonathan provider
recognized algorithms in, 32-33
cryptography, 3-4, 44
adding to applets, 247-248. See also signed applets
authentication with, 20-22, 92-93
concepts supported by classes or interfaces, 30-31
confidentiality with, 12-17
data integrity with, 17-19
in demonstration software, 245-246
Masher demonstration, 6-7
of online conversations by SafeTalk. See SafeTalk tool
random numbers in, 22-24
SecretWriting demonstration, 7-11
in self-contained applications, 244-245
cryptology, 3
-cs option (javakey), 268-269, 275
-csr option (keytool), 87-88
CSRs (Certificate Signing Requests), generating, 87-88
D
data integrity, maintaining, 3, 17-19
with MACs, 18, 101-103
-dc option (javakey), 272, 275
decode(), Base64 class, 260
decompilers, 248-249
decrypt(), CipherMail, 236, 240
decryptBlock()
CBCWrapper class, 152, 153, 154
ElGamalCipher class, 195, 197
decryptByte(), CFBWrapper class, 158
decryption, 13
of conversations by SafeTalk tool, 206-209
-delete option (keytool), 91
deleting files, security concerns, 251
demonstration software, applying cryptography to, 245-246
DER (Distinguished Encoding Rules), 115
DER-encoded certificates, 115-116
DES algorithm, 25, 26
provider support, 33
DESede algorithm, 25, 26-27
provider support, 33
DESedeKeySpec class, 321
DESKeySpec class, 54-55, 320
DH algorithm, 25, 27
provider support, 33
DHGenParameterSpec class, 321-322
DHKey interface, 317
DHParameterSpec class, 322
DHPrivateKey interface, 317-318
DHPrivateKeySpec class, 322-323
DHPublicKey interface, 318
DHPublicKeySpec class, 323-324
dictionary attacks, preventing, 138-140
with iterations, 139
with salt, 138-139
Diffie-Hellman algorithm, 27, 57-58
digest(), MessageDigest class, 94
DigestInputStream class, 94-95, 281
DigestOutputStream class, 94-95, 281-282
digital signatures, 103-111
certificates and, 112-119
for client authentication, 108-111
generating, 104-105
Hancock utility, 105-107
Signature class, 103-111
SignedObjects class, 111
verifying, 105
See also message digests
directive files, 271, 273-274
disconnect(), Session class, 203, 205
dispose(), Composer class, 233
distinguished names (DNs), 84
-dname option (keytool), 84
DNs (distinguished names), 84
doFinal()
Cipher class, 132, 133-135
Mac class, 102-103
doFingerprint(), X509Certificate class, 117
doPhase(), KeyAgreement class, 59-60
doubly protected passwords, 99-101
DSA algorithm, 24, 26
provider support, 33
DSAKey interface, 301-302
DSAKeyPairGenerator interface, 302
DSAParameterSpec class, 304
DSAParams interface, 302-303
DSAPrivateKey interface, 303
DSAPrivateKeySpec class, 305
DSAPublicKey interface, 303
DSAPublicKeySpec class, 305-306
E
-e option (KeyManager), 74, 77-78, 222
-ec option (javakey), 275
ECB (electronic code book), 123-124
-ek option (javakey), 275
ElGamal cipher algorithm, 25, 27
algorithms for, 184-185
BigInteger class, 256-257
implementing the ElGamalCipher class, 192-198
ElGamal signature algorithm, 25, 26
BigInteger class, 255-257
converting between numbers and byte arrays, 256-257
generating key pairs, 255-256
generating signatures, 184
implementing the ElGamalSignature class, 188-191
ElGamalCipher class, 192-198, 257
ElGamalKeyPairGenerator class, 187-188
ElGamalSignature class, 257
implementing in Jonathan, 188-191
email encryption. See CipherMail
encode(), Base64 class, 259
encodeBlock(), Base64 class, 259, 260
EncodedKeySpec class, 306
encrypt(), CipherMail class, 238
encryptBlock()
CBCWrapper class, 152, 154
ElGamalCipher class, 195-197
encryptByte(), CFBWrapper class, 158
encryption, 13
algorithms for, 127-128
block cipher modes, 123-127
cipher streams, 135-137
of conversations by SafeTalk tool, 206-209
on IP networks, 252-253
javax.crypto.Cipher class, 128-135
padding block ciphers, 121-123
passphrase-based, 27, 138-142
SealedObject class, 137-138
endpoint security concerns, 249-250
engineDoFinal()
BlockCipher class, 146, 148-149
CFBWrapper class, 157-158
CipherSpi class, 144, 145
engineGetBlockSize(), CFBWrapper class, 156
engineGetBlockSize(), CipherSpi, 143
engineGetIV(), CipherSpi class, 144
engineGetOutputSize()
CBCWrapper class, 151
CipherSpi class, 143-144
engineInit()
CipherSpi class, 144
ElGamalCipher class, 195
engineInitSign(), 189
engineInitVerify(), SPI method, 188
engineOutBufferSize(), CBCWrapper class, 151
engineSetMode(), CipherSpi class, 143
engineSetMode(), ElGamalCipher class, 192
engineSetPadding(), CipherSpi class, 143
engineSetPadding(), ElGamalCipher class, 192
engineSetParameter(), SPI, 191
engineSign(), ElGamalSignature class, 189
engineSign(), SPI method, 189
engineTransformBlock(), BlockCipher class, 145-146, 195
engineTransformBlockFinal()
BlockCipher class, 146, 149-150, 195
CBCWrapper class, 152-153
engineUpdate()
BlockCipher class, 146, 147, 148-149
CFBWrapper class, 157
CipherSpi class, 144-145
SPI method, 189
-export option (keytool), 90
F
-f option (jar tool), 264, 265
factory methods, 31-32, 34
-file option (keytool), 87
files on local disks, security of, 250-252
G
-gc option (javakey), 166, 275
generateKey(), KeyGenerator class, 52
generatePrivate(), KeyFactory class, 56
generatePublic(), KeyFactory class, 56
generateSecret(), SecretKeyFactory class, 55, 60
generating certificates, 113
with javakey tool, 271-273
generating key pairs, 51-52
ElGamal, 184, 187-188, 255-257
with javakey tool, 270, 275
with keytool options, 83-86
generating signatures, 104-105
ElGamal equation for, 184
generating single keys, 52
-genkey option (keytool), 83, 84, 85, 90
genKeyPair(), KeyPairGenerator class, 51-52
getAlgorithm(), Key interface, 49
getBitLength(), Seeder class, 42
getBody(), Message class, 227
getBufferedDataLength()
BlockCipher, 147, 194
CBCWrapper class, 151
getBytes()
ElGamalCipher class, 197, 257
ElGamalSignature, 191
getCertificateChain(), 83
getCertificates(), Identity class, 70
getChar(), Base64 class, 260
getCurrentBitIndex(), Seeder class, 42, 43
getEncoded()
Certificate class, 113
Key interface, 50
X509CRL class, 119
getFormat(), Key interface, 50
getFull(), Message class, 228
getHeader(), Message class, 227, 228
getIdentity(), IdentityScope class, 72, 73
getInstance()
Cipher class, 129-130
classes with, 32
KeyAgreement class, 58-59
KeyFactory class, 56
KeyGenerator class, 52
KeyPairGenerator class, 51
KeyStore class, 80
Mac class, 101-102
MessageDigest class, 93
SecretKeyFactory interface, 54-55
Signature class, 103-104
specifying provider name with, 36
X509Certificate class, 114, 115
X509CRL class, 118-119
getIssuerDN(), X509CRL class, 119
getIV(), ElGamalCipher class, 194
getKeySpec(), KeyFactory class, 56-57
getMessages(), CipherMail class, 235, 236
getName(), Principal interface, 68-69
getObject(), SealedObject class, 137, 138
getOK(), POP3 class, 230
getPrivate(), SecretKey interface, 50
getPrivateKey(), Signer class, 71
getProvider(), Security class, 35
getPublic(), SecretKey class, 50
getPublicKey()
Certificate class, 113
Identity class, 70
getResponse(), SMTP class, 231, 232
getRevokedCertificate(), RevokedCertificate class, 119
getRevokedCertificates(), RevokedCertificate class, 119
getSeed(), SeederDialog class, 47
getSigAlgName(), X509CRL class, 119
getValue(), Base64 class, 261
-gk option (javakey), 270, 275
grabTimeBit(), Seeder, 42-43
-gs option (javakey), 167, 275, 277
H
Hancock utility, 105-107
Hashjava, 249
-help option (keytool), 91
HmacMD5 algorithm, provider support, 24, 26, 33
HmacSHA1 algorithm, 24, 26
provider support, 33
HotJava, 163, 164
applet security permissions, 169, 170
creating signed applets in, 165-169
hybrid systems, 16, 120, 159-162
SafeTalk as, 199
I
-i option (KeyManager), 74, 78
IAIK-JCE, 129
-ic option (javakey), 275
identities, 68, 69, 282
creating with javakey, 268-269, 275
scope of, 71-73, 283
viewing with javakey, 269
Identity class, 68-71, 282-283
identity key management paradigm, 68-79
identities in, 71-73
key holders, 68-71
KeyManager class, 73-79
Identity(), Identity class, 69
IdentityDatabase class, 71
IdentityScope class, 68, 71-73, 283-284
-ii option (javakey), 275, 276
-ik option (javakey), 270, 275
-ikp option (javakey), 275
-import option (keytool), 88
importing key pairs, with javakey tool, 270-271
init()
Cipher class, 131-132
KeyAgreement class, 59
KeyGenerator class, 52
Mac class, 102
initialization vectors (IV), 124
initialize(), KeyPairGenerator class, 51
initializing key pair generators, 51
with specific algorithms, 53
initializing single key generators, 52
with specific algorithms, 53
initiateConnection(), Session class, 203, 204-205, 206, 207, 209
initSign(), Signature class, 104, 189
initVerify(), Signature class, 104, 188
input streams
creating encrypted with SafeTalk, 206-209
message digest, 94-95, 281
insertProviderAt(), Security class, 35
Internet Explorer
creating signed applets in, 175-179
signed applet support, 163
Internet Protocol (IP) network security, 252-253
See also CipherMail; SafeTalk
Internet Protocol (IP) networks, security of, 4
Internet secret key protocol
Skip class, 60-61
SkipClient class, 63-64
Skipper class, 64-68
SkipServer class, 61-63
isConnected(), Session class, 203, 205
isRevoked(), X509CRL class, 119
iterations, preventing dictionary attacks with, 139
J
JAD, 249
JAR files
creating with jar tool, 263-264
extracting files from, 264-265
manifest files, 265-266
signing, 266-267
jar tool
adding to manifest file with, 266
creating JAR files with, 263-264
extracting JAR files with, 264-265
jarsigner utility, 167
signing JAR files, 266-267
Java
Java Security API, 28-30
Masher cryptography example, 6-7
platform security, 4-5
preventing code decompilation, 248-249
SecretWriting cryptography example, 7-11
Java Activator, 179
Java Archive files. See JAR files
Java Cryptography Extension. See JCE
Java Security API
download sites, 30
packages in, 28-30
java.crypto.SecretKeyFactory class, 53-56
javakey tool, 68, 71, 268-278
creating identities, 268-269
creating signers, 268-269
preparing signers with, 166
private key file storage, 277-278
signing applets, 165, 167
signing JAR files, 266-267, 276-277
summary of options, 274-275
java.math.BigInteger class, 185, 255-257
javap tool, 249
java.security package, classes in, 279-297
java.security.AlgorithmParameters class, 279-280
java.security.AlgorithmParametersSpi class, 280-281
java.security.cert package, classes in, 297-301
java.security.cert.Certificate class, 30, 112-114, 297-298
java.security.Certificate class, 112, 113
java.security.cert.RevokedCertificate class, 119, 298
java.security.cert.X509Certificate class, 114-118, 299-300
Spill tool, 115-118
java.security.cert.X509CRL class, 118-119, 300-301
java.security.cert.X509Extension class, 301
java.security.DigestInputStream class, 94-95, 281
java.security.DigestOutputStream class, 94-95, 281-282
java.security.Identity class, 68-71, 282-283
java.security.IdentityScope class, 68, 71-73, 283-284
java.security.interfaces package, classes in, 301-303
java.security.interfaces.DSAKey interface, 301-302
java.security.interfaces.DSAKeyPair-Generator interface, 302
java.security.interfaces.DSAParams interface, 302-303
java.security.interfaces.DSAPrivateKey interface, 303
java.security.interfaces.DSAPublicKey interface, 303
java.security.Key class, 30
java.security.Key interface, 49-50, 284
java.security.KeyFactory class, 31, 56-57, 284-285
getInstance() in, 32
java.security.KeyFactorySpi class, 285-286
java.security.KeyManager class, 73-79
java.security.KeyPair class, 50, 286
java.security.KeyPairGenerator class, 31, 51-52, 286-287
java.security.KeyPairGenerator getInstance() in, 32
java.security.KeyPairGeneratorSpi class, 287-288
java.security.KeyStore class, 79-91, 288-289
java.security.MessageDigest, 31
getInstance() in, 32
java.security.MessageDigest class, 289-290
implementing, 93-95
java.security.MessageDigestSpi class, 290
java.security.Principal interface, 68-69, 291
java.security.PrivateKey interface, 30, 50, 291
java.security.ProtectedServer class, 98-99
java.security.Protection class, 97-98
java.security.Provider class, 291-292
in cryptographic providers, 180
as new provider, 181-182
java.security.PublicKey interface, 30, 50, 292
java.security.SecureRandom class, 31, 38-48, 293
keyboard event seeding of SecureRandom, 40-48
self-seeding by, 40
java.security.Security class, 293-294
as provider manager, 33, 34-36
java.security.Signature class, 31, 294-295
generating signatures, 104-105
getInstance() in, 32
implementing, 103-104
signature protected passwords, 108-111
verifying signatures, 105, 111
java.security.SignatureSpi class, 295-296
java.security.SignedObject class, 111, 296
java.security.Signer class, 68, 71, 297
java.security.spec package, classes in, 304-308
java.security.spec.AlgorithmParameterSpec interface, 53, 304
java.security.spec.DSAParameterSpec class, 304
java.security.spec.DSAPrivateKeySpec class, 305
java.security.spec.DSAPublicKeySpec class, 305-306
java.security.spec.EncodedKeySpec class, 306
java.security.spec.KeySpec interface, 306-307
java.security.spec.PKCS8EncodedKeySpec class, 307
java.security.spec.X509EncodedKeySpec class, 307-308
java.security.StrongClient class, 108-109
java.security.StrongServer class, 109-111
javax.crypto package, classes in, 308-317
javax.crypto.Cipher class, 30, 308-309
adding data to ciphers, 132-135
BlockCipher subclass, 145-150
CBCWrapper subclass, 150-155
CFBWrapper subclass, 155-159
getInstance() in, 32
implementing, 142-145
initializing ciphers, 131-132
obtaining ciphers with, 129-130
javax.crypto.CipherInputStream class, 135-137, 309-310
javax.crypto.CipherOutputStream class, 135-137, 310
javax.crypto.CipherSpi class, 142-145, 310-311
javax.crypto.interfaces package, classes in, 317-320
javax.crypto.interfaces.DHKey interface, 317
javax.crypto.interfaces.DHPrivateKey interface, 317-318
javax.crypto.interfaces.DHPublicKey interface, 318
javax.crypto.interfaces.RSAPrivateKey interface, 318-319
javax.crypto.interfaces.RSAPrivateKeyCrt interface, 319
javax.crypto.interfaces.RSAPublicKey interface, 319-320
javax.crypto.KeyAgreement class, 30, 58-60, 311-312
getInstance() in, 32
SKIP and, 60-68
javax.crypto.KeyAgreementSpi class, 312-313
javax.crypto.KeyGenerator class, 31, 52, 313
algorithm-specific initialization, 53
getInstance() in, 32
javax.crypto.KeyGeneratorSpi class, 314
javax.crypto.Mac class, 31, 101-103
getInstance() in, 32
javax.crypto.NullCipher class, 314-315
javax.crypto.SealedObject class, 137-138, 315
javax.crypto.SecretKey interface, 30, 315
javax.crypto.SecretKeyFactory
getInstance() in, 32
javax.crypto.SecretKeyFactory class, 316
javax.crypto.SecretKeyFactory interface, 31
javax.crypto.SecretKeyFactorySpi class, 316-317
javax.crypto.spec package, classes in, 320-327
javax.crypto.spec.DESedeKeySpec class, 321
javax.crypto.spec.DESKeySpec class, 54-55, 320
javax.crypto.spec.DHGenParameterSpec class, 321-322
javax.crypto.spec.DHParameterSpec class, 322
javax.crypto.spec.DHPrivateKeySpec class, 322-323
javax.crypto.spec.DHPublicKeySpec class, 323-324
javax.crypto.spec.IvParameterSpec class, 324
javax.crypto.spec.KeySpec interface, 54-55
javax.crypto.spec.PBEKeySpec class, 324-325
javax.crypto.spec.PBEParameterSpec class, 325
javax.crypto.spec.RSAPrivateKeyCrtSpec class, 325-326
javax.crypto.spec.RSAPrivateKeySpec class, 326
javax.crypto.spec.RSAPublicKeySpec class, 327
javax.crypto.spec.SecretKeySpec class, 53-54
JCA (Java Cryptography Architecture), 29
cryptographic concept classes in, 30-31
factory methods in, 31-32
JCE (Java Cryptography Extension), 29
installation of, 36
javax.crypto.Cipher class, 128-135
Key interface extensions, 50
SecretWriting cryptography example, 7-11
JDK 1.1, javakey utility, 68, 71-73
JDK 1.2
Key interface extensions, 50
KeyStore class, 79-91
keytool utility, 68
Masher cryptography example, 6-7
platform security, 4
Jobe, 249
Jonathan provider
adding ElGamal classes to, 183
creating, 181-182
Jonathan provider (continued )
implementing the ElGamalCipher class, 192-198
implementing the ElGamalSignature class, 188-191
installing, 182-183
Jshrink, 249
K
key agreement protocol, 17
key agreements, 57-68
Diffie-Hellman protocol, 57-58
KeyAgreement class, 58-60
SKIP, 60-68
Key class, 30
Key interface, 49-50, 284
KeyAgreement class, 30, 58-60, 311-312
getInstance() in, 32
SKIP and, 60-68
KeyAgreementSpi class, 312-313
-keyalg option (keytool), 84
keyboard events, seeding with
integrating into applications, 45-48
Seeder class, 41-48
-keyclone option (keytool), 90
KeyFactory class, 31, 284-285
getInstance() in, 32
KeyFactorySpi class, 285-286
KeyGenerator class, 31, 52, 313
algorithm-specific initialization, 53
getInstance() in, 32
KeyGeneratorSpi class, 314
KeyManager class, 73-79
management of CipherMail keys by, 222
management of SafeTalk keys by, 202
KeyPair class, 50, 286
KeyPairGenerator class, 31, 51-52, 286-287
algorithm-specific initialization, 53
getInstance() in, 32
KeyPairGeneratorSpi class, 287-288
-keypass option (keytool), 84-85, 87-88
-keypasswd options (keytool), 90
keys, cryptographic, 13-14
agreement protocols, 57-68
BigInteger class, 255-257
creating for CipherMail, 222
distribution of, 17
effect of size on security, 24
exporting with CipherMail, 222
exporting with SafeTalk, 200-201
generating, 51-53
generating key pairs with javakey, 270, 275
Identity class, 68-71
identity key management, 68-79
IdentityScope, 71-73
importing with javakey, 270-271, 275
importing with SafeTalk, 201
Key interface, 49-50
KeyFactory interface, 56-57
KeyGenerator class, 52
KeyManager class, 73-79
KeyPairGenerator class, 51-52
KeyStore key management of, 79-91
PrivateKey interface, 50
public/private matched pairs, 50
PublicKey interface, 50
SecretKey interface, 50
SecretKeyFactory interface, 54-56
SecretKeySpec class, 53-54
Signer class, 71
storing private, 277-278
translating, 53-57
-keysize option (keytool), 84
KeySpec interface, 54-55, 306-307
translating, 54-57
KeyStore class, 79-91, 288-289
KeyStore key management, 79-91
KeyStore class, 80-83
keytool utility, 83-91
-keystore option (keytool), 85-86, 88
keystores
change password on, 90
creating new, 83-86
deleting entries from, 91
importing certificates into, 88-89
passwords for, 108-111
viewing contents of, 86-87
keytool utility, 68, 83-91
L
-l option (javakey), 269, 275
-l option (KeyManager), 74, 78-79
-ld option (javakey), 269, 275, 276
-li option (javakey), 269, 275, 276
-list option (keytool), 86
load(), 81
loadPreferences(), CipherMail class, 242
lookupPassword(), ProtectedServer class, 98-99
loopback testing of SafeTalk tool, 201-202
M
-m option (jar tool), 266
Mac class, 31, 101-103
getInstance() in, 32
MACs (message authentication codes), 18, 101-103
makeBytes(), Protection class, 97-98
makeDigest(), Protection class, 97-98
altering for doubly protected passwords, 100-101
manifest files, 265-266
Masher program, 6-7
MD5 algorithm, 24, 25
provider support, 33
Message class, classes in, 223-224
message digests, 93-101
double-strength password logins, 99-101
input/output streams, 94-95
Masher example program, 6-7
MessageDigest class, 93-101, 289-290
protected password logins, 95-99
See also digital signatures
MessageDigest class, 31, 93-101, 289-290
getInstance() in, 32
MessageDigestSpi class, 290
method architecture of cryptographic classes, 31
Microsoft Internet Explorer
creating signed applets in, 175-179
signed applet support, 163
Mocha, 248-249
modal dialog window for keyboard seeding, 45-48
modes, block cipher, 123-127, 130
CBC (cipher block chaining), 123, 124-125
CFB (cipher feedback), 123, 125-127
ECB (electronic code book), 123-124
OFB (output feedback), 123, 127
PCBC (propagating cipher block chaining), 123, 125
modPow(), BigInteger class, 256
N
names, distinguished (DNs), 84
Netscape Navigator
creating signed applets in, 169-175
signed applet support, 163
network security concerns, 252-253
See also CipherMail; SafeTalk tool
nextBytes(), SecureRandom, 39
-noprompt option (keytool), 89
NullCipher class, 314-315
O
object serialization, 251
OFB (output feedback), 123, 127
one-way functions, 7
oreilly.jonathan.crypto.BlockCipher class, 145-150
oreilly.jonathan.crypto.ElGamalCipher, 192-198
oreilly.jonathan.crypto.ElGamalKeyPair-Generator, 187-188
oreilly.jonathan.crypto.ElGamalSignature, 188-191
oreilly.jonathan.util.Base64 class, 259-261
oreilly.jonathan.util.Seeder class, 41-43
output streams
creating encrypted with SafeTalk, 206-209
message digest, 94-95, 281-282
P
pad(), CBCWrapper class, 153
padding block ciphers, 121-123, 130
passphrase-based encryption, 27, 138-140
PBE demonstration of, 140-142
preventing dictionary attacks, 138-140
passphrases, security of, 82
passwords
doubly protected for message digests, 99-101
keystore, 90
protected for message digests, 95-99
See also digital signatures
PBE class, 140-142
PBEKeySpec class, 324-325
PBEParameterSpec class, 325
PBEWithMD5AndDES algorithm, 25, 27
provider support, 33
PCBC (propagating cipher block chaining), 123, 125
PKCS#5
padding block with, 122-123
passphrase-based encryption with, 140
PKCS#5Padding, padding blocks with, 122-123
PKCS8EncodedKeySpec class, 307
plaintext, 13
POP3 class, 223, 224
populateKeys(), Composer class, 233, 234
populateUsers(), SafeTalk class, 213, 214, 217
ports, specifying for SafeTalk tool, 204
preferences files for CipherMail, 221, 236
Pretty Good Privacy software, 159
Principal interface, 68-69, 291
principals, 68-69
-printcert option (keytool), 90
private key ciphers, 14-16
private keys
in asymmetric ciphers, 15
changing passwords, 90
client access to, 108-111
cloning, 90
importing certificates as, 89
KeyPair class, 50
KeyPairGenerator class, 51-52
PrivateKey interface, 50
retrieving from KeyStore, 83
storing in javakey file, 277-278
storing in KeyStore, 81-82
in symmetric cipher, 14
translating to and from, 56-57
PrivateKey interface, 30, 50, 291
PrivilegedRenegade.class, signing, 173
progress bar for seed generator, 47-48
protected password logins for message digests, 95-99
ProtectedServer class, 98-99
Protection class, 97-98
Provider class, 291-292
in cryptographic providers, 180
as new provider, 181-182
providers, cryptographic. See cryptographic providers
PRNG (pseudo-random number generator), 23-24, 38-48
keyboard event seeding of SecureRandom, 40-48
SecureRandom class, 38-48
self-seeding of SecureRandom, 40
public key ciphers, 15-16
Public-Key Cryptography Standard, 122-123
public keys
in asymmetric ciphers, 15-16
distributing with certificates, 112-119
exporting with SafeTalk, 200-201
importing with SafeTalk, 201
KeyGenerator class, 52
KeyPair class, 50
KeyPairGenerator class, 51-52
PublicKey interface, 50
translating to and from, 56-57
PublicKey interface, 30, 50, 292
translating to and from, 56-57
Q
quit()
POP3 class, 230
SMTP class, 231
R
-r option (javakey), 275
-r option (KeyManager), 74, 78
random number generators, 22-23
See also PRNG (pseudo-random number generators)
realtime conversations, engaging in with SafeTalk, 201
Receiver class, 202, 210-211
receiverData(), Session class, 203, 205
receiving SafeTalk conversations, 201
removeActionListener(), 42
removeCertificate(), Identity class, 70
removeIdentity(), IdentityScope class, 72
removeProvider(), Security class, 36
Renegade applet
for HotJava, 165-169, 170
for Navigator, 169-175
source code for, 164-165
reset()
Mac class, 103
Message Digest class, 94
reset(), Seeder class, 41-42
respondToConnection(), Session class, 203, 207, 209
retrieve(), POP3 class, 230
revoked certificates, 118-119
RevokedCertificate class, 119, 298
RFC 1421 certificate representation, 115-116
rot13 cipher, 13-14
RSAPrivateKey interface, 318-319
RSAPrivateKeyCrt interface, 319
RSAPrivateKeyCrtSpec class, 325-326
RSAPrivateKeySpec class, 326
RSAPublicKey interface, 319-320
RSAPublicKeySpec class, 327
S
S/MIME (Secure/Multipurpose Internet Mail Extensions), 160
-s option (Hancock), 106
SafeTalk class, 202, 211-218
SafeTalk tool, 199-218
exporting public key with, 200-201
generating a key file for, 200
importing public keys, 201
KeyManager class, 202
loopback testing of, 201-202
Receiver class, 202, 210-211
SafeTalk class, 202, 211-218
Session class, 202-209
SessionServer class, 202, 210
salt, preventing dictionary attacks with, 138-139
save(), 76-77
SDK for Java 2.0, 176
SealedObject class, 137-138, 315
SealedObject(), SealedObject class, 137
secret key ciphers, 14-16
secret keys, 14
generating over the Internet, 60-68
generating to and from, 54-56
key agreements and, 17
secret values, protocols for, 57-68
SecretKey interface, 30, 50, 315
translating, 54-56
SecretKeyFactory interface, 31, 316
getInstance() in, 32
SecretKeyFactorySpi class, 316-317
SecretKeySpec class, 54
SecretWriting program, 7-11
Secure/Multipurpose Internet Mail Extensions (S/MIME), 160
Secure Sockets Layer (SSL), 3, 160-162
SecureRandom(), SecureRandom class, 39, 206
SecureRandom class, 31, 38-48, 293
keyboard event seeding of SecureRandom, 40-48
self-seeding by, 40
security
adding to local files with serialization, 251
of client/server applications, 246-247
controlling with access control lists (ACL), 248
of deleted local files, 251
of demonstration software, 245-246
effect of key size on, 24
of files on local disks, 250-252
importance in secure systems, 1-3
of Java platform, 4-5
security (continued )
network, 252-253
preventing memory scanning of, 252
preventing modification of class files, 249-250
of self-contained applications, 244-245
of virtual memory, 251-252
Security class, 293-294
security policies, defining, 165-166
security providers
algorithm identification by, 180-181
algorithms recognized by, 32-33, 128
architecture of, 33-36
configuring, 35
creating new, 180, 181-183
Jonathan provider. See Jonathan provider
security software, 28-30
seed data
keyboard event seeding of SecureRandom, 40-48
self-seeding of SecureRandom, 40
sources of, 23-24
Seeder class, 41-48
Counter class, 43-44
problems with, 44-45
SeederDialog for keyboard seeding, 45-48
selectMessage(), CipherMail class, 236
-selfcert option (keytool), 89-90
self-contained applications, applying cryptography to, 244-245
self-signed certificates, 89-90, 271
authenticating with fingerprints, 273
generating with javakey, 271-273
for HotJava signed applet, 166-167
in web browsers, 22
send(), Session class, 203, 205
sendAuthentication(), ProtectedClient class, 97
altering for doubly protected passwords, 100
sendMessage(), CipherMail class, 237
serialization, object, 251
server sockets
password protection and, 98-99
private key access and, 108-111
Service Provider Interface (SPI) methods
for ElGamalCipher class, 192-198
for ElGamalSignature class, 188-191
Session class, 202-209
session keys, 16
exchanging with SafeTalk, 206-209
sessionConnect(), Session class, 207, 215
sessionDisconnect(), Session class, 205, 215
sessionRespond(), Session class, 215
SessionServer class, 202, 207, 210
SET (Secure Electronic Transaction) protocol, 162
setBody(), Message class, 227
setCertificateEntry(), 82
setHeader(), Message class, 227
setKeyEntry(), 81-82
setKeyPair(), Signer class, 71
setSeed(), SecureRandom class, 39
setStatus()
CipherMail, 242
SafeTalk, 213, 215, 216
setupCipherStreams(), Session class, 203, 207, 209
setupWindow()
CipherMail, 242
Composer class, 233-234
SafeTalk class, 212, 216
SeederDialog class, 46, 47
SHA-1 algorithm, 24, 25-26
provider support, 33
in SecureRandom class, 39
shiftBuffer(), CFBWrapper class, 159
-sigalg option (keytool), 85, 87
sign(), Signature class, 104-105
Signature class, 31, 294-295
digital signatures and, 108-111
generating signatures, 104-105
getInstance() in, 32
implementing, 103-104
verifying signatures, 105, 111
signatures, maintaining data integrity with, 19, 103-111
SignatureSpi class, 295-296
implementing in Jonathan, 188-189
SignCode tool, 177
signed applets, 163-179
creating Renegade applet, 164-165
creating with HotJava, 165-169
creating with Internet Explorer, 175-179
creating with Netscape Navigator, 169-175
signing with javakey tool, 276-277
signed JAR files, 266-267, 276-277
SignedObject class, 111, 296
Signer class, 68, 71, 297
signers, certificate, 68, 71, 112
signers, creating, 268-269, 275
signing applets
in HotJava, 167
in Internet Explorer, 177-178
with javakey tool, 276-277
in Navigator, 172-173
signing certificates
purchasing for Navigator, 170-171
self-signed in HotJava, 166-167
test for Internet Explorer, 176-177
Simple Key Management for Internet Protocols. See SKIP
single keys, generating, 52
size(), 72, 229
Skip class, 60-61
SKIP (Simple Key Management for Internet Protocols), 60-68
SkipClient class, 63-64
Skipper class, 64-68
SkipServer class, 61-63
SMTP class, 223, 224
Software Publisher Certificate (SPC), 176
SourceAgain, 249
SPI methods, 31
SSL protocol, 3
starting SafeTalk conversations, 201
store(), 81
-storepass option (keytool), 85
-storepasswd option (keytool), 90
streams, message digest, 94-95
StrongClient class, 108-109
StrongServer class, 109-111
subjects, certificate, 112
SUN cryptographic provider
algorithms supported by, 33
architecture of, 33-36
SunJCE cryptographic provider
algorithms supported by, 33
architecture of, 33-36
sun.misc package, base64 classes in, 259
sun.security.provider.IdentityDatabase class, 71
sun.security.tools.JavaKeyStore class, 80
symmetric ciphers, 14-16
block. See block ciphers
generating single keys, 52
stream, 121
system scope management, 71-73
T
-t option (jar tool), 264, 265
-t option (javakey), 269, 275
talk utility, Unix, 199
adding cryptography to. See SafeTalk tool
test certificates, creating, 176-177
toByteArray(), BigInteger class, 257
translating keys, 53-57
KeyFactory, 56-57
SecretKeyFactory, 54-56
SecretKeySpec class, 53-54
triple DES. See DESede algorithm
U
U.S. cryptographic software restrictions, 7, 29
update()
Cipher class, 132-133, 135
Mac class, 102
MessageDigest class, 93-94
Signature class, 104, 189
usage(), KeyManager class, 79
V
-v option (Hancock), 106
-v option (jar tool), 264, 265
-v option (keytool), 85-86, 88
-validity option (keytool), 85
verify()
Certificate class, 113-114
Signature class, 105, 190
X509CRL class, 119
verifying certificates, 113-114
verifying signatures, 18-19, 105, 111
VeriSign certificates, 170, 177
virtual memory, security concerns, 251-252
viruses, preventing attacks by, 250
W
web browsers
creating signed applets for, 165-179
running client applets in, 247-248
signed applet support, 163-164
WingDis, 249
wireEvents()
CipherMail class, 242-243
Composer class, 233, 234
SafeTalk class, 212, 217
X
-x option (jar tool), 265
X.509 certificates, 114-118, 274
contents of, 114
loading, 115
revoked, 118-119
Spill tool, 115-118
X.509Certificate class, 114-118, 299-300
X509CRL class, 118-119, 300-301
X509EncodedKeySpec class, 307-308
X509Extension class, 301
Z
zigbert signing tool, 172-173
END