1 / 18

Session 4

Session 4. Module 6: Digital signatures. Module 4, 5 - Review (1). Java 2 security model provides a consistent and flexible policy for applets and applications. Types of Security Restrictions: File Access Restrictions Network Restrictions Other Security Restrictions Securing applet

zarola
Download Presentation

Session 4

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Session 4 Module 6: Digital signatures

  2. Module 4, 5 - Review (1) • Java 2 security model provides a consistent and flexible policy for applets and applications. • Types of Security Restrictions: • File Access Restrictions • Network Restrictions • Other Security Restrictions • Securing applet • Securing application Digital Signatures / Session4 / 2 of 18

  3. Module 4, 5 - Review (2) • Java Authentication & Authorization Service (JAAS) is an API that enables Java applications to access authentication & access control services without being tied to those services. • Authentication • Authorization • Cryptography is mechanism of encoding information in a secret coded form • JCA is the java security API is a new addition to library of java APIs. It is a framework written in java to access and develop cryptographic functionality • JCE is a set, it provides implements for encryption, key generation and agreement and message authentication code Digital Signatures / Session4 / 3 of 18

  4. Module 6 - Objectives • Introduction to Digital Signatures • Signing and verifying data using java tools • Signing and verifying data using security API Digital Signatures / Session4 / 4 of 18

  5. Digital signature • Digital signatures are used to digitally sign messages or objects. • Digital signatures is used to verify that the content of a message is unaltered, and help to identify the creator of a message. • Digital signature is used for: • Ensuring message content integrity • Verifying the authenticity of the message sender Digital Signatures / Session4 / 5 of 18

  6. How to create digital signature? • Digital signatures are generated by Public Key Cryptography, using public and private keys to encrypt and decrypt messages. • Public key: • used by a receiver to decrypt a message • Private key: • Used encrypt a message with his/her private key • Message digest: • A message digest is a fixed-length result of converting the contents of a message into a hash-like a cyclic redundancy check • SHA-1 and MD-5 are examples of algorithms for converting message text into a message digest Digital Signatures / Session4 / 6 of 18

  7. Working of digital signatures (1) • Digital signatures work by using the mechanisms of encryption and decryption. • Encryption • A hash or a message digest is prepared using the Hashing Algorithm. • The hashed data or message digest is encrypted using the sender’s private key. • The digital signature and the sender’s public key are appended to the end of the message. Digital Signatures / Session4 / 7 of 18

  8. Working of digital signatures (2) • Decryption • The receiver receives the message and a digital signed message digest. • The receiver separately calculates a message digest for the received message. • The receiver uses the sender’s public key to decrypt the signed message digest that was received and compares this to the independently calculated message digest. • If the two digests do not match, the data may have been tampered with or the data may not be authentic or may not have been intended for the receiver. Digital Signatures / Session4 / 8 of 18

  9. Working of digital signatures (3) Encrypted Message Sender Receiver Signed hash+public key Calculate new hash Encryption using hash Message hash New hash Calculate hash Compared with signed hash Message Un-tampered Message Digital Signatures / Session4 / 9 of 18

  10. Drawbacks of digital signatures • Non-Repudiation • Disclaiming responsibility for a sent message • Time Stamping • Do not contain any record of the data and time when a particular document was signed Digital Signatures / Session4 / 10 of 18

  11. Digital Certificates • Digital certificates prevent impersonation by storing a widely known and distributed public key • A certification authority (CA) issues these certificates and ensures the validity of the public key contained in the certificate and the authenticity of the certificate owner. • Standards of digital certificates • X.509: • was created by the international telephone standards body • is used by Microsoft’s Authenticode, Netscape’s Object Signing, and Marimba’s Channel Signing • PGP (Pretty Good Privacy) • was developed by Phil Zimmermann • is used for encrypting, compressing and authenticating email messages and attachments. Digital Signatures / Session4 / 11 of 18

  12. Working with certificates • keytool utility can display, import and export certificates in addition to key pairs. • When a new public / private keypair is created, a self-signed certificate signed by the same entity that created the key pair is obtained. • The request for the certificate is made as follows: • Example: • keytool –alias aptechkey –certreq –file test.txt Digital Signatures / Session4 / 12 of 18

  13. Verifying Data • Signing and Verifying Data using: • Java Tools • Using Jar tool and Jarsigner tool • Security API Digital Signatures / Session4 / 13 of 18

  14. Using jar tool and jarsigner • Before java program can be digitally signed, it must be packaged into an archive form consisting of all class files and other files with the help of jar tool • jarsigner then digitally signs a java archive • Example: • jarsigner MyApplet.jar aptechkey • The key must have go through a verification process before use. • Password of the keystore and the password associated with the private key is required to authenticate an archive when the jarsigner is used. • The jarsigner is also used to verify a digitally signed archive by checking if the private key matches the Java archive. Digital Signatures / Session4 / 14 of 18

  15. Signing data using security API (1) • Step 1: Generate a Key-Pair Generator • KeyPairGenerator kpg = KeyPairGenerator.getInstance(“DSA”, “SUN”); • Step 2: Initialize the Key-Pair Generator • SecureRandom r = SecureRandom.getInstance(“SHA1PRNG”,”SUN”); • keyGenerator.initialize(1024,r); • KeyPair p = keyGenerator.generateKeyPair(); • PrivateKey privKey = p.getPrivate(); • PublicKey pubKey = p.getPublic(); • Step 3: Get a Signature Object • Signature dsa = Signature.getInstance(“SHA1withDSA”,”SUN”); • Step 4: Initialize the Signature Object • dsa.initPriv(privKey); Digital Signatures / Session4 / 15 of 18

  16. Signing data using security API (2) • Step 5: Supply the data to be signed to the Signature Object FileInputStream input = new FileInputStream(data.txt); BufferedInputStream inputBuf = new BufferedInputStream(input); byte [] dataBuffer = new byte[1024]; int len; while(inputBuf.available()!=0) { len = inputBuf.read(dataBuffer); dsa.update(databuffer,0,len); } • Step 6: Generate the Signature byte [] dataSignature = dsa.sign(); • Step 7: Saving digital signature and public key in two different files Digital Signatures / Session4 / 16 of 18

  17. Verifying the signature • Create a Signature instance using the same signature algorithm as that used to generate the signature. • Initialize the signature instance with the public key. • Supply the signature object with the data to be verified by reading one byte array at a time. • Invoke the verify() method on the newly created Signature object to compare the two signatures. • The verify() method returns a Boolean value denoting the authenticity of the signature. Digital Signatures / Session4 / 17 of 18

  18. Module 6 - Summary • Digital signatures are used to digitally sign messages or objects to identify their creators • A digital certificate must be first imported as a trusted certificate and then the signature has to be verified to authenticate the sender • Signing and Verifying Data using: • Java Tools • Security API Digital Signatures / Session4 / 18 of 18

More Related