Wednesday, January 02, 2008

Cryptography samples for dummies (RSA/DSA)

Over this past year I had the pleasure (read - angst, woe, terror) of trying to figure out how to use java cryptography. At the time we were running Luminis 3.3 (we still are, but hopefully not for much longer) and we were in the process of implementing GMail for our school which would tie into Luminis authentication. In short (I'll save the gory details for another time) we decided to use SAML (Security Assertion Markup Language) to tell Google that the user is properly authenticated to Luminis and we say that he/she is OK in our book so let them read their e-mail on your servers. This is all well and good, however during the setup 2 major things came up relating to cryptography.

Problem 1: Generating DSA keys for Google


In order for this whole SAML business to work we need to send an encrypted packet with information relating to what user is properly authenticated to Google. Google being the sly folks they are, said that they don't want this information in plain text so 'you utes need to encrypt it with DSA. Now send us the keys to the palace so we can decrypt it after you send it encrypted.' Hence the first problem, how do I generate DSA keypairs? I did not see this on Google's code site so I scoured the interweb for a few nibblets of info and I came across a sample which I updated ever so slightly (see attached file genDSAKeys.java at the end of this post). I apologize for not having the links to give credit as this was about a year ago now when I was searching. I had to dig this up now for other stuff I'm doing. Well after compiling this file with JDK 1.5 (at the time) and now with 1.6, it generates the public and private keys and saves it out to 2 files.
javac genDSAKeys.java
java genDSAKeys

I ran this on a Windows XP box fyi and then sent the goods to Google and all is swell.

Problem 2: WTF Luminis 3.3 only has JRE1.3 on it and GMail APIs require 1.4+??? Cryptography stuff only started coming out with neat packages in java 1.4!!!


More background since this is relevant. We are running Luminis 3.3 on Solaris and the only JRE they (Sungard/uPortal) supports is 1.3. So now comes the fun part, when using the Google Provisioning API to set up GMail authentication via SAML, it required a few servlets and JSPs in order to generate the tokens and do encryption and their API was written specifically for JRE 1.4+. I first tried compiling it on 1.3, however it failed miserably and I didn't think rewriting Google's api would help upgrades.

What we ended up doing is setting up a second box just for Tomcat 5.5 running JRE 1.5. This worked beautifully with Google's api code. Now comes the uber problem, interserver communications sent via the browser are not secure (bleh!). So we though the usual stuff like SSL, but it really comes down to this. We want the packets secure and we want the content within the packet protected to the fullest as it is being passed back and forth. As a result we looked into encryption.

Since we had a mixed environment of 1.3 and 1.5 JREs we had problems. After bouncing for a few hours in one of those bouncy castles at a carnival (and also endless hours of searching for anything cryptographically related), I came across an awesome site:


This site provides cryptography libraries for Java version 1.1 and up! It's a beautiful thing (and FREE). So now comes the fun part, we downloaded the jars for 1.3 and 1.5 and wrote some code to do encryption/decryption of the content sent back and forth between the servers. However back to the topic of this post - as with most encryption that has decryption you need a public/private key pair. So I took a look around and the DSA stuff I found didn't have an example (and as you can guess I'm not an evil genius when it comes to cryptography). So I bit the bull by the nose on a grindstone and pieced together numerous examples to create one single example that would generate RSA public and private keys. I chose RSA since that was an easy option that bouncy castle supported (they support a ton of stuff - check them out and did I mention it was FREE).

After a while I created the final java file that creates public/private keys, creates a string, encrypts it, decrypts it and writes out the keys to files. It is everything I ever wanted in an example and now it can be yours for the low low price of not flaming me on how easy this would be if you did A, B, or C ;-)
javac kGenerateKeys.java
java kGenerateKeys

Download source files below:
genDSAKeys.java (DSA Example)
kGenerateRSAKeys.java (RSA Example)

The code has some comments in there for the good stuff so feel free to take a look.

1 comment:

Niall said...

Thanks , this was a handy post for me.