Mailing Lists: Apple Mailing Lists


Re: SSL encrypting to file



Some questions:
1) Is the client wanting to encrypt them on its server using the ssl certificate? Or on the client end? Either of these poses problems. First of all, most servers use unencrypted private keys to avoid the problem of manually typing in the key password on a reboot, so its security is questionable. If it's on the client end, the server surely would not want to send the private key to the client for decryption.
2) I think you really want to use client PKI certificates. This allows the certificate to be used for identifying the user securely to the server, and it also allows the client to access the private key (which is on his machine) and enter the PKCS#12 password when needed. I do this all the time using Java and Tomcat. The only hard part is to verify that the certificate has not been revoked.


You might want to look at my help page on using PKI to understand the issues involved:

https://ca.sensornet.gov:8442/ejbca/HowTo/CertificateInfrastructure.html

Jim Rome


------------------------------

Message: 10
Date: Mon, 21 Apr 2008 22:23:48 -0700
From: Jason Proctor <email@hidden>
Subject: Re: SSL encrypting to file
To: Ben Spink <email@hidden>
Cc: java-dev <email@hidden>
Message-ID: <a06200791c43324700229@[10.0.1.201]>
Content-Type: text/plain; charset="us-ascii" ; format="flowed"

i'm jumping into the middle of this thread, and i hope i have the scenario straight here...

your description & code seem to confuse public-key encryption and symmetric-key encryption. usually, public key encryption (aka PKI) is not used to crypt content directly, as the maths is very CPU intensive. usually the content is crypted using a symmetric "session" key, and this key is then crypted for transit using PKI. (this is how PKI apps such as SSL conventionally work.)

in the code, your method getPrivateKey() seems to return a KeyPair rather than a private key, but i'll assume that's a typo or the method changed purpose at some point. in any case, if that routine does return a PKI keypair or private key, it's unlikely to be a DESede key as your next lines assume. DES is a symmetric algorithm. PKI key algorithms are usually RSA, DSA, or El-Gamal, etc.

your code also assumes that encrypt & decrypt use the same key, which is definitely not true of PKI. if you were doing everything with the PKI keys in the keystore, you'd have to get the public key and use that to encrypt, then the corresponding private key to decrypt -- or vice versa, naturally.

my product is built on JCE-based PKI, i can provide further help if necessary.

hope this helps
j



The requirements on this task are vague, but I will try and fill in as much as I understand it.

They want me to "use SSL Certificates to encrypt data files on the disk, and use SSL certificates to decrypt the data files when needed."

This is something I have never done before, nor have I found any references searching google on how to do this. With your additional tips, I may be able to get the right hits on google now.

It will be X509 certificates. The same cert they would be using from a keystore for handling HTTPS and a SSLSocket. The key will be retrieved from a webservice call.

They do not want to do PGP (I suggested it), and I would prefer to use the built in Java JCE and not use bouncy or cryptix.

This is the example code I have come up with...but it doesn't work.

public void testCert(String KEYSTORE, String keystorepass, String keypass) throws Exception
{
		Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
		KeyStore keystore = KeyStore.getInstance("JKS");
		keystore.load(new FileInputStream(KEYSTORE), keystorepass.toCharArray());
		KeyPair kp = getPrivateKey(keystore, "mykey", keypass.toCharArray());

		Cipher ecipher = Cipher.getInstance("DESede");
		Cipher dcipher = Cipher.getInstance("DESede");
		ecipher.init(Cipher.PRIVATE_KEY, kp.getPrivate());
		dcipher.init(Cipher.PRIVATE_KEY, kp.getPrivate());

		FileOutputStream out = new FileOutputStream("encrypted.txt");
		FileInputStream in = new FileInputStream("clear.txt");

		CipherOutputStream cos = new CipherOutputStream(out, ecipher);
		byte[] buffer = new byte[2048];
		int bytesRead = 0;
		while ((bytesRead = in.read(buffer)) != -1) {
			cos.write(buffer, 0, bytesRead);
		}
		cos.close();
		in.close();

		out = new FileOutputStream("decrypted.txt");
		in = new FileInputStream("encrypted.txt");

		CipherInputStream cis = new CipherInputStream(in, dcipher);
		buffer = new byte[2048];
		bytesRead = 0;
		while ((bytesRead = in.read(buffer)) != -1) {
			out.write(buffer, 0, bytesRead);
		}
		cis.close();
		out.close();
	}


Thanks, Ben

On Apr 21, 2008, at 5:43 PM, Bruno Harbulot wrote:

Hi Ben,

Ben Spink wrote:
> A client is wanting to use SSL certificates to encrypt files on disk. When needed, use the cert to decrypt the file.

Presumably, you mean X.509 certificates. You can encipher data using the public key of the certificate (Certificate.getPublicKey()). You obviously won't be able to decipher it without having the private key (which isn't part of the certificate).

> Is this possible? To me it doesn't make sense. I can do this using other methods like DES or PGP via java, but I can't think of any way of using the cert in this process or using SSL.

This is not strictly related to SSL, but you can get the remote certificate using SSL, and then extract the public key and use something like PGP. How to get it may depend on how you set up the client or the server. For example, if it's a bespoke server, you may be able to get remote certificate from SSLSession.getPeerCertificateChain(); if it's a Servlet or a Restlet, there are request attributes from which you can get the certificate.

> I thought of wrapping a sslsocket and catching the encrypted data before it was decrypted, but this seems like it wouldn't work as I wouldn't expect the data to be decryptable.

This doesn't seem to make much sense...


Could you describe your scenario more precisely? When you said "use SSL certificates", did you mean "X.509 certificates + private key stored in a PKCS#12 file"? Is it all done locally? If so, this doesn't have much to do with SSL, but something like BouncyCastle could help you build a PGPSecretKey from a pair of X.509 certificate and private key, which could help you use the OpenPGP API of BouncyCastle (I've done something like that and it works). This could allow you to encipher and decipher locally.
If it's not local, I think the only case that makes sense would be to have the remote peer use the public key of your local certificate (which it would have obtained during the establishment of the SSL session) to encipher data, which you would only be able to decipher at a later time using your private key (locally). This is in fact a variant of the previous case, since you would use the public key to encipher anyway.



Best wishes,

Bruno.
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Java-dev mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/java-dev/email@hidden

This email sent to email@hidden
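
Added example (not code from any poster in this thread): the hybrid scheme described in the replies, using only the built-in JCE. A fresh AES session key encrypts the data and the RSA public key wraps that session key; the private key unwraps it for decryption. The class name, the blob layout, and the choice of AES-GCM and RSA-OAEP are assumptions made for this example, and the generated key pair stands in for Certificate.getPublicKey() and the private key held in the keystore.

```java
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.*;

public class HybridFileCrypto {
    static final String WRAP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    // Blob layout (constructed for this example): [2-byte length][wrapped AES key][12-byte IV][ciphertext + GCM tag]
    static byte[] encrypt(byte[] plain, PublicKey recipient) throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey session = kg.generateKey();            // fresh symmetric key per file
        Cipher rsa = Cipher.getInstance(WRAP);
        rsa.init(Cipher.WRAP_MODE, recipient);           // public key only: no secret needed to encrypt
        byte[] wrapped = rsa.wrap(session);
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);                // never reuse an IV with the same key
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, session, new GCMParameterSpec(128, iv));
        byte[] ct = aes.doFinal(plain);
        return ByteBuffer.allocate(2 + wrapped.length + iv.length + ct.length)
                .putShort((short) wrapped.length).put(wrapped).put(iv).put(ct).array();
    }

    static byte[] decrypt(byte[] blob, PrivateKey own) throws GeneralSecurityException {
        ByteBuffer in = ByteBuffer.wrap(blob);
        byte[] wrapped = new byte[in.getShort() & 0xFFFF];
        in.get(wrapped);
        byte[] iv = new byte[12];
        in.get(iv);
        byte[] ct = new byte[in.remaining()];
        in.get(ct);
        Cipher rsa = Cipher.getInstance(WRAP);
        rsa.init(Cipher.UNWRAP_MODE, own);               // only the private-key holder recovers the session key
        SecretKey session = (SecretKey) rsa.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.DECRYPT_MODE, session, new GCMParameterSpec(128, iv));
        return aes.doFinal(ct);                          // throws AEADBadTagException if the blob was altered
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();              // stand-in for the certificate's key pair
        byte[] blob = encrypt("constructed sample file contents".getBytes(StandardCharsets.UTF_8), kp.getPublic());
        System.out.println(new String(decrypt(blob, kp.getPrivate()), StandardCharsets.UTF_8));
    }
}
```

For large files the same two ciphers can be fed through CipherOutputStream and CipherInputStream; on the decrypt side the read loop must pull from the CipherInputStream, not from the underlying file stream.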






Copyright © 2007 Apple Inc. All rights reserved.