In 2017 we launched a series of blogs about the secure implementation of a cryptographic system on Java. How to start using Java Cryptography Reliably touches the basics of Java cryptography and then publishes messages using various Secure Primitive Cryptographic Random Number Generators (CSPRNG), encryption/encryption and message summaries. We have also developed a Java encryption module to facilitate the connection of injectable modules that open encryption services via the API.
The last time we talked about it, we were on Java 8 of the world. In only 3,5 years time we released 7 new versions of Java! Let’s re-launch this series by looking for the latest and greatest events in the wider cryptographic community for the first time. In this article we show how this map is linked to new versions of Java. In the following articles we will talk about how some of the most common cryptographic schemes can be written securely.
Special thanks to my wonderful colleagues Jess Garrett and Andrew Shelton for their contributions to the important parts of this role.
Looking at what we discussed in the article How to safely start using Java Cryptography, the central topic of the Java Cryptography Architecture (JCA) ﾂ?the definition of abstract engine classes for different cryptographic services and the existence of independent implementations by different vendors have not changed.
Highlighting the most striking changes in the ACA :
1. Probably the best improvement for lazy people like me would be to no longer have to take up the issue of unlimited jurisdiction. The unlimited power of the algorithms (e.g. the use of 256 key sizes for symmetric algorithms) is out of reach. It is enabled by default in theﾂ?java.security file, with the crypto.policy=unlimited property.
2. The security configuration file (java.security) can now be found at adresseﾂ? $JAVA_HOME/Contents/Home/conf/security/. Third-party pot files are now treated as libraries instead of extensions. Therefore, ISP files are stored in the $CLASSPATH folder like any other library and not as extensions in the $JAVA_HOME/Contents/Home/jre/lib/ext folder.
As discussed in Postﾂ?CSPRNG, Java already offers algorithms (*PRNG) for the secure generation of CSPRNG. To add support for algorithms specified by NIST , Java offers a new algorithm called DRBG.
Why use the DRBG?
The main reason for using DRBGs is that they have been standardised by the government. In addition, the specification of the DRBG algorithm provides more detailed configurations on how the main algorithm should work. It still causes entropy in the basic operating system, if you’re interested.
Like: Design and code
Some of the additional algorithm-specific configurations and our recommendations :
- DRBG mechanism : The main mechanism used must be Hash or HMAC. Hash_SHA256 standard, which is completely safe.
- The power of security: 128 bits, can be increased.
- Resistance to prediction : If the internal status of the CSPRNG is compromised, this will not affect the future performance of the DRBG. Turn it on.
- I eat: ﾂis reset from time to time to prevent too much emission of one seed. Turn it on.
- Adjustment line : This is a recommended but not mandatory hard-coded string that plays a role in landing, but not in adding entropy.
All this can be configured with the Drbg parameter.
The safest way to configure a SecureRandom object with the DRBGﾂ?
SecureRandom drbgSecureRandom = SecureRandom.getInstance(DRBG , DrbgParameters.instantiation(256, // Security requirement PR_AND_RESEED, // Configuration of the algorithm to ensure resistance to prediction and to reload any_hardcoded_string.getBytes() objects // Customization string used to obtain seeds not involved in entropy. ) ) ;
Look, um..: Fully protected random sampling with DRBG
Since version 8 exciting progress has been made in Java cryptography and in the cryptographic community in general since we last talked about it in the Encryption / Encryption section. Java usually consists of adding support for newer and brighter algorithms (ChaCha20, Elliptic Curves), which is good, but rarely corrects unreliable algorithms (DES, RC2, etc.).
It is 2020 and most of our data will be online. To protect against certain text encryption attacks, we can only focus on the use of authenticated encryption systems. Java offers two coding schemesﾂAES-GCM and ChaCha20-Poly1305 authenticated coding schemes. Let’s see what happens to each of them:
We explained this in detail in our article on coding/decoding. The only thing that has changed since then is the way we define the food model.
The internal GCM mode is essentially a continuous encryption where padding is not relevant. The definition of the conversion chain is done after activation of an exception for all fillings other than NoPadding . So, uh…
// This is the only conversion chain that works // AES/GCM/PKCS5Padding throws an exception: Encryption = Cipher.getInstance (AES/GCM/NoPadding) ;
Look, um..: Fully functional example AES-GCM
Why a different authentication and encryption system?
While the AES-GCM is the gold standard for authenticated symmetric encryption, imagine a world where AES is violated by advances in cryptanalysis. This means thatﾂinternet and some other protocols (Bluetooth, Wi-Fi, etc.) will be disconnected and the worst of all worlds will not even have a fully verified backup plan. Fortunately, the entire industry is preparing for the implementation of such a security code by adopting ChaCha20 .
Another reason to take the ChaCha20-Poly1305 is the speed. For the AES to work faster, special hardware is required, which is not always possible with small and inexpensive devices such as IoT or smartphones.
Google, Cloudflare and major browsers such as Chrome and Firefox already use it in their TLS protocols [17,18].
How? Design and code?
It is nice to see that Java offers an encryption design that is authenticated against thealgorithm ﾂ?ChaCha20-Poly1305. Thanks to this system, we can encrypt data up to 256 GB. This is sufficient for all online communication needs, but may not work for file and disk encryption.
How? Select the numberﾂ?correct algorithm and authenticator?
AES is a block code where the operating mode and replenishment parameters are relevant. The ChaCha20 is a symmetric flow code where these parameters are not important. In AES, the use of GCM mode enables authentication. In ChaCha20, Poly1305 offers authentication services. This is why the processing line used is located at the very bottom:
Code = instance coding.get (ChaCha20-Poly1305) ;
How? Generate the key?
Symmetric keys are always generated with thealgorithm ﾂKey generator with thealgorithm ﾂChaCha20ﾂ. Keys must be 256 bits long. So, uh…
KeyGenerator keyGenerator = keyGenerator.getInstance(ChaCha20); // The keyGenerator has been initialized to generate a symmetric key for use with the ChaCha20 keyGenerator.init(256 , new SecureRandom) algorithm; // Generation of a 256 bit keyKey = keyGenerator.generatedKey(); // Generation and storage in SecretKey.
How? Setting the initialization vector
As in MCG AES mode, transparent specifications must be entered with IvParameterSpec to set the initialization vector. Chacha20 encoding requires a 96-bit (12-byte) initialization vector.
byte iv = new byte ; // 96 bit IV for ChaCha20, byte-array required byte-size.instantiation(256, PR_AND_RESEED, any_hardcoded_string.getBytes()); secRandom.nextBytes(iv); // DRBG SecureRandom is initialized by self-loading IvParameterSpec chachaSpec = new IvParameterSpec(iv) ;
Look, um..: Fully Functional Example ChaCha20-Poly1305
An important step forward is the support of Elliptic Curve Cryptography (ECC) for various asymmetric encoding applications. It comes with a pre-built, clean and simplified PLC support, delivered on a dish.
Why is industry moving towards elliptical curves?
RSA has for decades been a de facto algorithm used in asymmetric cryptographic applications,ﾂ, such as key agreement protocols and digital signatures. However, despite its popularity, RSA is a bit vulnerable, which makes its use more nuanced than it might seem at first glance. The subtle difficulties in generating prime numbers make it difficult to use RSA library implementations safely. Moreover, it has been the subject of numerous well-documented oracle-filling attacks over the years, many of which still affect modern systems today .
ECC has been providing cryptanalysis services and promising advanced applications for 25 years. Over the years many curves have been proposed and executed. Not everyone’s safe. We will discuss which are protected and which should be used and which should be avoided.
If you use RSA, you should not sleep on it, but you may need to check if your code is encrypted/decrypted. For all new applications, we strongly recommend the use of a CEC-based API.
Let’s take a quick look at some of the most widely used public key applications, whose API will be extended with future versions of the JDK :
Besides the already trained support for NIST-approved elliptical curves, I am very happy with Edward’s support for Java 15 curves for digital signatures and Key-Agreement Engine classes. We will tell you more about secure ways to use digital signatures in a special issue of the next edition of Notice.
If you are too impatient, you can use the Edward and NIST curves to refer to complete working examples of digital signatures.
The Class Key Tuning Engine is equipped with an ECC implementation of the classic Analoga Diffie Hellman and MQV protocols. It supports NIST curves in the EDCH and ECMQV algorithms and Edward curves in the XDH, X25519 and X448 algorithms.
The JDK supports the encryption of elliptical curves using ECIES (Integrated Encryption Scheme). It is a kind of hybrid algorithm between symmetric and asymmetric mechanisms. Elliptical encryption/decryption curves are rarely used because they are limited by the amount of data they can handle securely at the same time.
In addition to what we discussed in ourDigests ﾂMessage Digests, aka Hashing Functions post, the SHA3 family of algorithms is now a government-approved hashing algorithm. Despite their name, they should not be considered a replacement for the SHA2 family of algorithms. There is nothing uncertain about the SHA2 family.
Support for SHA3 algorithms is provided by the MessageDigest Engine class. You can consult the full code for using SHA3 algorithms to calculate message summaries.
So far, we have compiled remarkable improvements for the last 3.5 years of the Java versions. You can experiment with several secure Java cryptography libraries discussed in this series. In the future we will only focus on the latest version. Next, we will start discussing the different cryptographic applications that make use of these basic elements. Keep watching this play!
- The use of cryptographic algorithms with unlimited power does not require any additional configurations or parameters.
- The security configuration file (java.security) can be found atﾂ?$JAVA_HOME/Contents/Home/conf/security/.
- Third party jar files must be placed at $CLASSPATH.
- Supports ChaCha20-Poly1305, a future-proof security plan for AES-GCM authenticated encryption.
- When using elliptical curves in public key cryptographic applications. Support is available in all application APIs.
- Support for the SHA3 family of algorithms in the MessageDigest Engine class.
Oracle/Java Documentation :
1. JEP 273 : 1. Reliable and random application based on DRBG
GEP-329 : ChaCha20 and Poly1305 Cryptographic Algorithms
3. JDK-8180392: GCM mode only supports NoPadding
4. Java 15 Notes on version
5. Java 14 Explanation of version
6. Java 13 Explanation of version
7. Java 12 Notes on version
8. Java 11 Explanation of version
9. Java 10 notes on version
10. Java 9 Version information
Documentation on the Java architecture :
11. Java cryptography architecture
12. Names of standard Java security algorithms
13 SP 800-90A DRBG Recommendations
14. ChaCha20-Poly1305 Standard
15. Standard for digital signatures NIST 186-4
16. JS 800-57 Recommendation for key management
17. AES, that’s great… But we need a retreat: Meeting with ChaCha and Poly1305 – Professor Bill Buchanan
18. Two are required in ChaCha (Poly) – CloudFlare Blog Post.
19. Stop seriously with the RSA
*** This is a syndicated network of security bloggers from the Application Security Research, News, Education Blog, sponsored by [email protected] (msheth). The original message can be found at the following address: https://www.veracode.com/blog/research/java-crypto-catchup.