Asymmetric Encryption algorithm

 
salvin francis
Hi,
I need to develop a program in Java that does asymmetric encryption based on a simple public key - private key concept.
Now here are the catches...
1. I cannot use library functions at all (it's an environment-related issue)
2. Program should use the least of available util Java functions

Can anyone write a custom / standard algorithm (RSA, DES, etc.) for me?

Pseudo code would be good, Java code would be better.
It's okay if the algorithm is lame too. I could develop it to be more secure; aamof I would really prefer a simple algo. The aim here is for a custom encryption.

Thanks in advance !


 
Nitesh Kant
Sounds like you are giving us an assignment!

We do not do your homework. If you tell us how you are planning to approach this and what difficulties you are facing, we will be happy to help.

This question is more appropriate for Security forum. Moving to the same.

CarefullyChooseOneForum while posting.
 
salvin francis
Nitesh Kant wrote: Sounds like you are giving us an assignment!

We do not do your homework. If you tell us how you are planning to approach this and what difficulties you are facing, we will be happy to help.

This question is more appropriate for Security forum. Moving to the same.

CarefullyChooseOneForum while posting.


Sorry @ wrong forum topic.
It's not a homework/assignment/chore/daily work.

If anyone still feels this is some kinda work that I want you to do on my behalf, I am removing this topic.
 
Ulf Dittmer
Your terminology seems a bit confused. DES is a symmetric cipher (using just a secret key), while RSA is an asymmetric cipher (using a public and a private key).

You should never -never- write your own implementation of a standard encryption algorithm. Unless you have spent years in the field you are likely to get it wrong, and end up with an insecure system. Also, there's no point in reinventing the wheel. Java has RSA and DES built in.
 
salvin francis
Sorry, I forgot those concepts.
However, I am pretty sure I need a public key-private key pair.

Your point about reinventing the wheel is correct, but the environment we are working in won't allow other Java utils / libraries.

From the point of making it more secure, if there is a very simple idea of implementing, I can make it secure
by a simple random generator with a one-time pad.

Btw, there is another security system in place, but there is a single location that's prone,
hence I am not that keen on making it so secure; making it custom has its own advantages.

So, this is not the backbone of my system. I have taken the initiative to make an existing system more secure.

Btw, if you know of a simple algo, just name it, I will research it....
 
Nitesh Kant
salvin francis wrote: If anyone still feels this is some kinda work that I want you to do on my behalf, I am removing this topic.


Oops, looks like I got you wrong! Sorry if you felt bad.
 
Gabriel Vince
salvin francis wrote: Sorry, I forgot those concepts.
However, I am pretty sure I need a public key-private key pair.
Your point about reinventing the wheel is correct, but the environment we are working in won't allow other Java utils / libraries.


The security library already IS on your disk as a part of the JRE (as are AWT, Swing or IO), so you do not need other libraries, just the standard JRE.
Developing your own PKI may be time-consuming with an uncertain result (if you are not VERY good at math), but if it is worth it to your customer, you may try the DH algorithm or something free to use.

Good luck
g.



 
salvin francis
Hmm, thanks @ Diffie-Hellman suggestion, I really think it will come in handy @ my app,
but as I suggested, it would be better if there is a PKI concept.

Btw, I need to expose something: I am using GWT.
So, encryption would be @ client, decryption @ server.

Hence all the fuss about the library stuff.
So, such JRE libraries (though they are a part of the standard Java lib) are now OUT of QUESTION!!!

Once again, thanks @ Diffie-Hellman.
 
Ulf Dittmer
Umm, since you mention GWT, are you saying that you want to use JavaScript for encryption? If so, I'd advise against that. If you need an encrypted connection, use HTTPS, that's what it's there for.
 
Henry Wong
Once again, thanks @ Diffie-Hellman.


I am confused. How did Diffie-Hellman get into this topic? Diffie-Hellman is a key exchange technique. The purpose is to allow two parties, talking across an exposed network, to reach an agreement on a key in a way that no one looking at the packets on the network can figure out the same key.

This technique is generally used when symmetric encryption is used, and the two parties need a key.

Diffie-Hellman is *not* an encryption algorithm. And Diffie-Hellman generates a symmetric key.... This topic is about an encryption algorithm using public/private keys (okay, so the title has been mis-named symmetric; the OP is actually "pretty sure" they "need" asymmetric keys).

Henry

 
salvin francis
He was suggesting the simplest algo that I can develop on my own. It's relatively simple to exchange a secret key between two parties, and as I said, I can use a one-time pad to encrypt or decrypt.

However, I still feel developing a PKI concept would be better.

HTTPS is fine, in fact it's an ultimate solution. I am still trying to explore @ custom though.
 
salvin francis
I need to change the name of this topic; I agree it's misleading.

"custom PKI encryption algorithm" seems to be a better option.
 
Pat Farrell
Assuming you really mean an asymmetric algorithm, aka RSA, which you seem to be talking about when you say public/private, then
what is the question?

If you want private/public keys, and not write it yourself, you have to use RSA, which is included in the JDK. But it's not easy to use properly, and it's easy to use improperly.

How about backing up, and rewording what you are really looking for. Be careful and explicit in the terms you use.
 
salvin francis
Changed question (didn't edit initial post on purpose, so that people may spot my mistake and not make the same)

I need to develop a program in Java that does encryption & decryption based on a simple public key - private key concept.
Now here are the catches...
1. I cannot use library functions at all (it's an environment-related issue)
2. Program should use the least of available util Java functions

Can anyone HELP ME TO write a custom / standard algorithm (RSA, DES, etc.)?

Pseudo code would be good, Java code would be better.
It's okay if the algorithm is lame too. I could develop it to be more secure; aamof I would really prefer a simple algo. The aim here is for a custom encryption.

Thanks in advance !
 
Pat Farrell
salvin francis wrote: I need to develop a program in Java that does encryption & decryption based on a simple public key - private key concept.


Are you sure you can't buy a library, like BSafe?

I don't think it's realistic as you have phrased it. There is one and only one public key encryption system: RSA.
There are talks about elliptic curve crypto, but that's much less accessible than RSA; the math is brutally complex.

Can you use System.exec() to call gpg or openssl?

You can conceptually use the RSA algorithm from any description, even Wikipedia (it would be better to use Schneier's Applied Crypto),
and BigDecimal numbers and implement it.

But getting it right is very hard. You really need test vectors, ways to ensure prime numbers in your keys, etc.

My opinion is that you have an overly constrained problem space. You need to change something if you need it to be done in less than a few man-years.
 
Ulf Dittmer
I'm still not clear what you mean by "library function". JCE is as much part of the JRE as is the java.lang.String class - can't you use that either?

As was mentioned repeatedly above, don't start implementing this on your own - you're bound to make it less secure. You can always take the relevant classes from some other library (like BouncyCastle) and pretend that they're your own. But to me, trying to avoid JCE seems misguided.
 
salvin francis
Ulf Dittmer,
you are right, it's going to be using JavaScript in the end,
since the GWT compiler will translate Java to JavaScript.
Hence I am actually exposing my key. Thus it makes sense to use a PKI concept.

As you probably know, GWT won't allow me to use any of Java's libraries such as JCE @ client side. At server side, of course, I can write
servlets to decrypt.
 
salvin francis
Pat Farrell,
now that's a practical answer!!

I could research RSA though; I may post the code here if successful.
Thanks, I really didn't know RSA was the only one supporting PKI; I thought there were more algos.
 
salvin francis
Quite frankly, yes, the problem space is truly constrained.
GWT won't allow the use of Java libraries, but then again I don't blame them;
after all, it's plain old JavaScript.
 
Pat Farrell
salvin francis wrote: it's going to be using JavaScript in the end


JavaScript is slow. This is usually OK, since it doesn't do many calculations.

RSA is a huge amount of calculations on huge numbers.

I can't see this working, especially if the user has a low-end PC or netbook or iPhone.

 
Carey Evans
Pat Farrell wrote: JavaScript is slow. This is usually OK, since it doesn't do many calculations.

RSA is a huge amount of calculations on huge numbers.

This hasn't stopped people trying; search Google for JavaScript RSA. I can't and won't vouch for any of these, and JavaScript is sure to expose some interesting side channel attacks.

It's just a better idea to use HTTPS.
 
Pat Farrell
Carey Evans wrote: It's just a better idea to use HTTPS.


Using TLS/SSL is much better than rolling your own, but I don't know if that addresses the OP's problem. TLS only addresses security in transit. If you care about security when it's on the user's computer, it's not enough.
 
salvin francis
I changed the initial post title
 
salvin francis
Pat Farrell wrote:
Carey Evans wrote: It's just a better idea to use HTTPS.


Using TLS/SSL is much better than rolling your own, but I don't know if that addresses the OP's problem. TLS only addresses security in transit. If you care about security when it's on the user's computer, it's not enough.



Yes,
this is a solution. Basically, in lame terms, this would safeguard my web app against eavesdropping. Basically this is what I wanted in the first place.
I was looking for a custom way to do it though. Usually using SSL would require my company to purchase some licenses (if I am not wrong).
 
Pat Farrell
salvin francis wrote: Usually using SSL would require my company to purchase some licenses (if I am not wrong).


You're technically wrong.

If you use TLS/SSL, you must have a certificate. There is no license to any software.

You can make your own certificate using openssl, or you can buy one from a CA (certificate authority) for about $30/year.
The ones that the CAs sell cheaply provide zero real "authority", the ones that cost $100/year up have a tiny amount.

You get exactly the same level of security with a home made one. Exactly. And they are free.

What you get with a commercial Cert is automatic acceptance by browsers. With a home made, your users see a warning message and they have to click OK to accept your home made cert.

There is no way you can write half way decent crypto code for $100 a year.

Just use TLS/SSL


 
salvin francis
Pat Farrell wrote:You can make your own certificate using openssl


hmmm
 