Mailing Lists: Apple Mailing Lists
Image of Mac OS face in stamp
 
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: SSL encrypting to file

I understand that the method this customer is wanting to do is not truly secure. I have even tried to convince them of other methods to use.

Can anyone give me a code snippet for just the following? (encrypt a local file using the certificate obtained from a keystore)

Provided I have a keystore that contains the private/public key for the certificate, and provided I have the password to open the keystore and the password to get the private key.

How can I then use that, to do 3DES on a piece of data? Be it a string, or better yet a file.

That is the part I just don't seem to get. I can get the keys out of the keystore, but I don't understand how they can be used for the 3DES.

This is what I was attempting in my below snippet, in many different ways, but I just didn't get that part of how to get a 3DES cipher from the key.

I don't quite get what I would do to encrypt the session id (password?), with the PKI. I know how I could then use that to encrypt the data symetrically...but what session id (password?) would I pick? Would the user have to enter one? So they enter a password of "test"...I use this to encrypt the data to disk. I store this "test" password encrypted (somehow?) using the private key from the cert in some safe place. I use the public key to decrypt the encrypted password so that I can then use the password to encrypt/ decrypt the file data on disk. That scenario sound right, and makes sense...except for that I am now just using a password to encrypt the data and the PKI is only being used to secure the password.

Thanks,
Ben

On Apr 22, 2008, at 12:23 AM, Jason Proctor wrote:

i'm jumping into the middle of this thread, and i hope i have the scenario straight here...

your description & code seem to confuse public-key encryption and symmetric-key encryption. usually, public key encryption (aka PKI) is not used to crypt content directly, as the maths is very CPU intensive. usually the content is crypted using a symmetric "session" key, and this key is then crypted for transit using PKI. (this is how PKI apps such as SSL conventionally work.)

in the code, your method getPrivateKey() seems to return a KeyPair rather than a private key, but i'll assume that's a typo or the method changed purpose at some point. in any case, if that routine does return a PKI keypair or private key, it's unlikely to be a DESede key as your next lines assume. DES is a symmetric algorithm. PKI key algorithms are usually RSA, DSA, or El-Gamal, etc.

your code also assumes that encrypt & decrypt use the same key, which is definitely not true of PKI. if you were doing everything with the PKI keys in the keystore, you'd have to get the public key and use that to encrypt, then the corresponding private key to decrypt -- or vice versa, naturally.

my product is built on JCE-based PKI, i can provide further help if necessary.

hope this helps
j



The requirements on this task are vague, but I will try and fill in as much as I understand it.

They want me to "use SSL Certificates to encrypt data files on the disk, and use SSL certificates to decrypt the data files when needed."

This is something I have never done before, nor have I found any references searching google on how to do this. With your additional tips, I may be able to get the right hits on google now.

It will be X509 certificates. The same cert they would be using from a keystore for handling HTTPS and a SSLSocket. The key will be retrieved from a webservice call.

They do not want to do PGP (I suggested it), and I would prefer to use the built in Java JCE and not use bouncy or cryptix.

This is the example code I have come up with...but it doesn't work.

public void testCert(String KEYSTORE, String keystorepass, String keypass) throws Exception
{
Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
KeyStore keystore = KeyStore.getInstance("JKS");
keystore.load(new FileInputStream(KEYSTORE), keystorepass.toCharArray());
KeyPair kp = getPrivateKey(keystore, "mykey", keypass.toCharArray ());

		Cipher ecipher = Cipher.getInstance("DESede");
		Cipher dcipher = Cipher.getInstance("DESede");
		ecipher.init(Cipher.PRIVATE_KEY, kp.getPrivate());
		dcipher.init(Cipher.PRIVATE_KEY, kp.getPrivate());

		FileOutputStream out = new FileOutputStream("encrypted.txt");
		FileInputStream in = new FileInputStream("clear.txt");

		CipherOutputStream cos = new CipherOutputStream(out, ecipher);
		byte[] buffer = new byte[2048];
		int bytesRead = 0;
		while ((bytesRead = in.read(buffer)) != -1) {
			cos.write(buffer, 0, bytesRead);
		}
		cos.close();
		in.close();

		out = new FileOutputStream("decrypted.txt");
		in = new FileInputStream("encrypted.txt");

		CipherInputStream cis = new CipherInputStream(in, dcipher);
		buffer = new byte[2048];
		bytesRead = 0;
		while ((bytesRead = in.read(buffer)) != -1) {
			out.write(buffer, 0, bytesRead);
		}
		cis.close();
		out.close();
	}

_______________________________________________
Do not post admin requests to the list. They will be ignored.
Java-dev mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/java-dev/email@hidden

This email sent to email@hidden
References: 
 >SSL encrypting to file (From: Ben Spink <email@hidden>)
 >Re: SSL encrypting to file (From: Bruno Harbulot <email@hidden>)
 >Re: SSL encrypting to file (From: Ben Spink <email@hidden>)
 >Re: SSL encrypting to file (From: Jason Proctor <email@hidden>)



Visit the Apple Store online or at retail locations.
1-800-MY-APPLE

Contact Apple | Terms of Use | Privacy Policy

Copyright © 2007 Apple Inc. All rights reserved.