J2ME Security Application -- Bouncy Castle Crypto API

Source: Internet
Author: User

http://blog.csdn.net/raorq/archive/2010/03/29/5427260.aspx

 

1. Preface

With the continuous development of mobile commerce, security is becoming an important concern for wireless application developers. Wireless communication is an easy target for radio-wave interception, while wireless devices have almost no computing capability to support strong encryption of all communication data. Moreover, the currently well-developed point-to-point security technologies (such as SSL/TLS and HTTPS) are not suitable for multi-vendor, multi-intermediary Web service network topologies. The focus must therefore be on protecting the content itself rather than the connection over which the content is transmitted.

This article discusses a widely used security technology: the digital signature. Digital signatures are measured here against the four criteria of network communication security:

Authentication: Both parties to the communication must be identified. The digital signature on a public key certificate can verify the authenticity of the public key and of the party that holds it.

Data integrity: Both parties must be sure that the content is not changed during transmission. The digital signature is the most common technique for ensuring data integrity.

Data confidentiality: Sometimes the communication data is sensitive and must be kept confidential. Digital signatures do not provide data confidentiality; data encryption must be used for that.

Non-repudiation: After a message is sent, the sender cannot subsequently deny it. Digital signatures provide part of the solution. If a message is digitally signed, the sender cannot deny responsibility for the message, because only the sender can produce the signature.

2. J2ME Security Mechanism Overview

The J2ME platform consists of configurations (Configuration) and profiles (Profile). A configuration is the minimum class library set and Java virtual machine provided to the widest range of devices. A profile is a collection of development kits provided for a family of devices. Another important concept in J2ME is the optional package (Optional Package), which is a class library provided for a specific device.

Currently, J2ME has two major configurations: the Connected Limited Device Configuration (CLDC) and the Connected Device Configuration (CDC). They are differentiated by the hardware capability of the devices, such as processor and memory capacity. CLDC mainly targets resource-limited devices such as mobile phones, PDAs, and two-way pagers, while CDC mainly targets household appliances such as set-top boxes and vehicle navigation systems. Profiles are built on configurations; for example, the Mobile Information Device Profile (MIDP) is an important profile layered on top of CLDC.

The CLDC specification defines security mechanisms at 3 levels: underlying (low-level) security, application-level security, and end-to-end security. Here we need to emphasize the bytecode verification process. The JVM provides a service that prevents malicious code from entering the enterprise system. Bytecode verification ensures that an application cannot access memory or use resources outside its domain. It also prevents an application from overloading the Java language core libraries, a technique that could be used to bypass other application-level security measures. However, because of the high computational overhead of this operation, the MIDP VM does not perform complete bytecode verification at run time; a pre-verification mechanism is added instead. Application developers must pre-verify the classes on the development platform before deploying the application to a mobile device. The pre-verification process optimizes the execution flow, creates a stack map (StackMap) containing a catalog of the instructions in the application, and then adds the stack map to the pre-verified class file. At run time, the MIDP VM quickly performs a linear scan of the bytecode and matches each valid instruction against the appropriate stack map entry.

In addition, MIDP 2.0 adds the concept of protection domains. An application requests permission for sensitive APIs in order to obtain the rights it needs. Trusted and untrusted domains are provided, and the protection domains offered by different devices may differ. MIDlets all reside in the untrusted domain. To become trusted, a MIDlet must apply for certification from a trusted organization.

For more details, see the J2ME Chinese tutorial prepared by www.j2medev.com, which contains a detailed description of the J2ME security mechanisms.

3. Bouncy Castle Crypto API

Bouncy Castle is an open source, lightweight cryptography package for the Java platform. It supports a large number of cryptographic algorithms and provides an implementation of JCE 1.2.1. Because Bouncy Castle is designed to be lightweight, it can run on platforms from J2SE 1.4 down to J2ME (including MIDP). It is the only complete cryptography package that runs on MIDP.

Although the Bouncy Castle package has many powerful features, it has one major problem: lack of documentation. Online documentation does not exist, and the Javadoc is not well written. Like many other advanced cryptography packages, Bouncy Castle makes extensive use of type polymorphism to separate general concepts from the algorithms that implement them. For beginners, it is very difficult to identify the relationships between classes and the correct types for method parameters and return values. Generally, developers must read the source code and the test cases to work out the correct way of doing things.

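4. Sample code

4.1 Generate key pair

Use the RSA algorithm to generate a 1024-bit key pair.

    import java.math.BigInteger;
    import java.security.SecureRandom;
    import org.bouncycastle.crypto.AsymmetricCipherKeyPair;
    import org.bouncycastle.crypto.generators.RSAKeyPairGenerator;
    import org.bouncycastle.crypto.params.RSAKeyGenerationParameters;
    import org.bouncycastle.crypto.params.RSAKeyParameters;
    import org.bouncycastle.crypto.params.RSAPrivateCrtKeyParameters;

    public void generateRSAKeyPair() throws Exception {
        // Local here; keep them as fields (or return keyPair) so the
        // methods in 4.2 to 4.5 can receive them as parameters.
        RSAPrivateCrtKeyParameters rsaPrivKey = null;
        RSAKeyParameters rsaPubKey = null;
        SecureRandom sr = new SecureRandom();
        BigInteger pubExp = new BigInteger("10001", 16);   // public exponent 0x10001
        // Arguments: public exponent, random source, key size in bits, prime certainty.
        RSAKeyGenerationParameters rsaKeyGenPara =
            new RSAKeyGenerationParameters(pubExp, sr, 1024, 80);
        RSAKeyPairGenerator rsaKeyPairGen = new RSAKeyPairGenerator();
        rsaKeyPairGen.init(rsaKeyGenPara);
        AsymmetricCipherKeyPair keyPair = rsaKeyPairGen.generateKeyPair();
        rsaPrivKey = (RSAPrivateCrtKeyParameters) keyPair.getPrivate();
        rsaPubKey = (RSAKeyParameters) keyPair.getPublic();
    }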

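4.2 Signature

Sign the byte array.

    import org.bouncycastle.crypto.CipherParameters;
    import org.bouncycastle.crypto.digests.SHA1Digest;
    import org.bouncycastle.crypto.engines.RSAEngine;
    import org.bouncycastle.crypto.signers.PSSSigner;

    public byte[] rsaSign(byte[] toSign, CipherParameters rsaPrivKey)
            throws Exception {
        if (rsaPrivKey == null)
            throw new Exception("Generate RSA keys first!");
        SHA1Digest dig = new SHA1Digest();
        RSAEngine eng = new RSAEngine();
        // RSA-PSS over SHA-1; 64 is the salt length in bytes.
        PSSSigner signer = new PSSSigner(eng, dig, 64);
        signer.init(true, rsaPrivKey);               // true = signing mode
        signer.update(toSign, 0, toSign.length);
        return signer.generateSignature();
    }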

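4.3 Verify signature

Verify the signature value.

    import org.bouncycastle.crypto.CipherParameters;
    import org.bouncycastle.crypto.digests.SHA1Digest;
    import org.bouncycastle.crypto.engines.RSAEngine;
    import org.bouncycastle.crypto.signers.PSSSigner;

    public boolean rsaVerify(byte[] mesg, byte[] sig, CipherParameters rsaPubKey)
            throws Exception {
        if (rsaPubKey == null)
            throw new Exception("Generate RSA keys first!");
        SHA1Digest dig = new SHA1Digest();
        RSAEngine eng = new RSAEngine();
        // Digest and salt length must match the values used when signing.
        PSSSigner signer = new PSSSigner(eng, dig, 64);
        signer.init(false, rsaPubKey);               // false = verification mode
        signer.update(mesg, 0, mesg.length);
        return signer.verifySignature(sig);
    }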

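4.4 Encryption

Encrypt the string to generate the ciphertext.

    import org.bouncycastle.crypto.AsymmetricBlockCipher;
    import org.bouncycastle.crypto.CipherParameters;
    import org.bouncycastle.crypto.engines.RSAEngine;

    public byte[] rsaEncrypt(String plainText, CipherParameters rsaPubKey)
            throws Exception {
        byte[] rv = null;
        // Note: a bare RSAEngine applies no padding (raw RSA). For real use,
        // wrap it in an encoding such as OAEPEncoding or PKCS1Encoding.
        AsymmetricBlockCipher eng = new RSAEngine();
        eng.init(true, rsaPubKey);                   // true = encryption mode
        byte[] ptBytes = plainText.getBytes();       // platform default charset
        rv = eng.processBlock(ptBytes, 0, ptBytes.length);
        return rv;
    }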

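4.5 Decryption

Decrypt the ciphertext to generate the original text.

    import org.bouncycastle.crypto.AsymmetricBlockCipher;
    import org.bouncycastle.crypto.CipherParameters;
    import org.bouncycastle.crypto.engines.RSAEngine;

    public String rsaDecrypt(byte[] cipherText, CipherParameters rsaPrivKey)
            throws Exception {
        byte[] rv = null;
        // Raw RSA, matching rsaEncrypt in 4.4 (no padding is removed or checked).
        AsymmetricBlockCipher eng = new RSAEngine();
        eng.init(false, rsaPrivKey);                 // false = decryption mode
        rv = eng.processBlock(cipherText, 0, cipherText.length);
        // trim() also strips any leading or trailing whitespace of the original text.
        return new String(rv).trim();
    }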
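
The effect of the missing padding in 4.4 and 4.5, as an added example that is not part of the original article: it encrypts the same plaintext with the bare RSAEngine and with Bouncy Castle's OAEPEncoding wrapper and compares the results. The class name RsaPaddingDemo, the sample plaintext, and the 2048-bit key size are assumptions made for this example, which targets a desktop JVM with the Bouncy Castle lightweight API on the classpath.

```java
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.Arrays;
import org.bouncycastle.crypto.*;
import org.bouncycastle.crypto.encodings.OAEPEncoding;
import org.bouncycastle.crypto.engines.RSAEngine;
import org.bouncycastle.crypto.generators.RSAKeyPairGenerator;
import org.bouncycastle.crypto.params.RSAKeyGenerationParameters;

// Added example (not from the original article): raw RSAEngine vs. OAEP padding.
public class RsaPaddingDemo {
    // Process one block with the given cipher (raw or padded).
    static byte[] run(AsymmetricBlockCipher c, boolean encrypt,
                      CipherParameters key, byte[] in) throws Exception {
        c.init(encrypt, key);
        if (encrypt && in.length > c.getInputBlockSize())
            throw new IllegalArgumentException("plaintext too long for one RSA block");
        return c.processBlock(in, 0, in.length);
    }

    public static void main(String[] args) throws Exception {
        RSAKeyPairGenerator gen = new RSAKeyPairGenerator();
        // Assumption: 2048-bit key for this demo; section 4.1 uses 1024 bits.
        gen.init(new RSAKeyGenerationParameters(
                new BigInteger("10001", 16), new SecureRandom(), 2048, 80));
        AsymmetricCipherKeyPair kp = gen.generateKeyPair();
        byte[] msg = "PIN=4921".getBytes("UTF-8");   // constructed sample plaintext

        // Raw RSA as in 4.4 is deterministic: one plaintext, one ciphertext.
        byte[] raw1 = run(new RSAEngine(), true, kp.getPublic(), msg);
        byte[] raw2 = run(new RSAEngine(), true, kp.getPublic(), msg);
        System.out.println("raw ciphertexts equal:  " + Arrays.equals(raw1, raw2));
        // OAEP adds random padding, so repeated encryptions differ.
        byte[] oaep1 = run(new OAEPEncoding(new RSAEngine()), true, kp.getPublic(), msg);
        byte[] oaep2 = run(new OAEPEncoding(new RSAEngine()), true, kp.getPublic(), msg);
        System.out.println("OAEP ciphertexts equal: " + Arrays.equals(oaep1, oaep2));
        // OAEP decryption returns exactly the plaintext bytes; no trim() is needed.
        byte[] back = run(new OAEPEncoding(new RSAEngine()), false, kp.getPrivate(), oaep1);
        System.out.println("round trip ok:          " + Arrays.equals(msg, back));
        // A modified ciphertext fails the padding check instead of decrypting.
        oaep2[oaep2.length - 1] ^= 0x01;
        try {
            run(new OAEPEncoding(new RSAEngine()), false, kp.getPrivate(), oaep2);
            System.out.println("tampered ciphertext accepted");
        } catch (InvalidCipherTextException e) {
            System.out.println("tampered ciphertext rejected");
        }
    }
}
```

With raw RSA, anyone holding the public key can confirm a guessed plaintext by encrypting the guess and comparing ciphertexts; the randomized padding removes that check.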

4.6 Certificate resolution

Read a DER-encoded certificate to obtain the certificate information.

    import java.io.ByteArrayInputStream;
    import java.util.Enumeration;
    import org.bouncycastle.asn1.ASN1InputStream;
    import org.bouncycastle.asn1.ASN1Sequence;
    import org.bouncycastle.asn1.DERObjectIdentifier;
    import org.bouncycastle.asn1.x509.TBSCertificateStructure;
    import org.bouncycastle.asn1.x509.X509CertificateStructure;
    import org.bouncycastle.asn1.x509.X509Extension;
    import org.bouncycastle.asn1.x509.X509Extensions;

    public void showCert(byte[] cert) throws Exception {
        ByteArrayInputStream bIn;
        ASN1InputStream aIn;
        bIn = new ByteArrayInputStream(cert);
        aIn = new ASN1InputStream(bIn);
        ASN1Sequence seq = null;
        seq = (ASN1Sequence) aIn.readObject();
        X509CertificateStructure obj = new X509CertificateStructure(seq);
        TBSCertificateStructure tbsCert = obj.getTBSCertificate();
        int version = tbsCert.getVersion();
        String subject = tbsCert.getSubject().toString();
        String issuer = tbsCert.getIssuer().toString();
        // longValue() keeps only the low 64 bits; serial numbers can be longer.
        long serial = tbsCert.getSerialNumber().getValue().longValue();
        // OID of the signature algorithm.
        String sign = tbsCert.getSignature().getObjectId().getId();

        // X509 extensions
        X509Extensions ext = tbsCert.getExtensions();
        if (ext != null) {
            Enumeration en = ext.oids();
            while (en.hasMoreElements()) {
                DERObjectIdentifier oid = (DERObjectIdentifier) en.nextElement();
                X509Extension extVal = ext.getExtension(oid);
            }
        }
    }

5. Summary

Bouncy Castle is powerful and supports a large number of cryptographic algorithms. In particular, its certificate-processing interface on MIDP can meet the needs of certificate applications on mobile devices. The disadvantage is that its documentation is too sparse: to understand the relationships between classes and the meaning of parameters, you need to read the source code. In terms of performance, the main bottleneck is the slow speed of the public key algorithms. On WTK 2.5, generating a 1024-bit RSA key takes about 2 minutes.

References

The Bouncy Castle Project, http://www.bouncycastle.org/

J2ME Chinese Tutorial, J2ME Development Network (www.j2medev.com)

Data security in mobile Java applications, http://www.javaworld.com/javaworld/jw-12-2002/jw-1220-wireless.html?page=1
