Oracle Crypto 3-7

3.3.3.3 Password Based Encryption

The abstract oracle.security.crypto.core.PBE class provides methods for Password Based Encryption PBE operations. The concrete classes extending the PBE are the PKCS5PBE and PKCS12PBE classes. You can use a PBE object for four types of operations: ■ Encryption of raw data. For example: byte[] encData = pbeEnc.encryptmyPassword, data; ■ Decryption of encrypted data. For example: byte[] decData = pbeDec.decryptmyPassword, encData; ■ Wrapping of private or symmetric keys. For example: byte[] encPrivKey = pbeEnc.encryptPrivateKeymyPassword, privKey; byte[] encSymKey = pbeEnc.encryptSymmetricKeymyPassword, symKey; ■ Unwrapping of private or symmetric encrypted keys. For example: PrivateKey decPrivKey = pbeDec.decryptPrivateKeymyPassword, encPrivKey; SymmetricKey decSymKey = pbeDec.decryptSymmetricKeymyPassword, encSymKey; To create a new instance of PBE, call the static getInstance method with a PBEAlgorithmIdentifier object as a parameter. For example: PBE pbeEnc = PBE.getInstancepbeAlgID; This will create a PKCS5PBE object and initialize it with the specified PBE algorithm. The PBE can then be used to encrypt or decrypt data, wrap or unwrap keys. When using PBE objects, the AlgorithmIdentifier object may hold cryptographic parameters such as the salt or the iteration count as well as the ASN.1 Object Identifier specifying the PBE algorithm to use. To specify these parameters when creating or initializing PBEs, build a PBEAlgorithmIdentifier object with the cryptographic parameters. Example 3–9 Code Example for Creating a PBE Object PBEAlgorithmIdentifier pbeAlgID = new PBEAlgorithmIdentifierPBEAlgorithmIdentifier.pbeWithMD5AndDES_CBC, salt, 1024; pbeEnc.initializepbeAlgID; PBE pbeDec = PBE.getInstancepbeAlgID;

3.3.4 Signatures

The oracle.security.crypto.core.Signature abstract class provides methods to sign and verify signatures. The concrete classes extending the Signature class are the RSAMDSignature, DSA and the ECDSA classes. The algorithms available for signature operations are: ■ For RSA: AlgID.md2WithRSAEncryption, AlgID.md5WithRSAEncryption and AlgID.sha_1WithRSAEncryption ■ For DSA: AlgID.dsaWithSHA1 ■ For ECDSA: AlgID.ecdsaWithSHA1 3-8 Oracle Fusion Middleware Reference for Oracle Security Developer Tools To create a new instance of Signature, call the static getInstance method with an AlgorithmIdentifier and a PrivateKey or PublicKey objects as parameters. Example 3–10 shows how to create a new Signature object and initialize it with the specified algorithm. Example 3–10 Code Example for Creating a New Signature Object Signature rsaSign = Signature.getInstanceAlgID.md5WithRSAEncryption; Signature rsaVerif = Signature.getInstanceAlgID.md5WithRSAEncryption; Example 3–11 shows how to set the keys for the Signature objects and set the document to be signed or verified. Example 3–11 Code Example for Setting Signature Keys and Documents rsaSign.setPrivateKeyprivKey; rsaSign.setDocumentdata; rsaVerif.setPublicKeypubKey; rsaVerif.setDocumentdata; Example 3–12 shows how to compute the signature using the private key or to verify the signature using the public key and the signature bytes. Example 3–12 Code Example for Computing or Verifying a Signature byte[] sigBytes = rsaSign.sign; boolean verified = rsaVerif.verifysigBytes;

3.3.5 Message Digests

Oracle Crypto provides the following message digest classes: ■ The oracle.security.crypto.core.MessageDigest Class ■ The oracle.security.crypto.core.MAC Class

3.3.5.1 The oracle.security.crypto.core.MessageDigest Class

The MessageDigest abstract class provides methods to hash and digest data. The concrete classes extending the MessageDigest class are the MD2, MD4, MD5 and the SHA classes. The available algorithms for message digest operations are: AlgID.md2, AlgID.md4, AlgID.md5, AlgID.sha_1, AlgID.sha_256, AlgID.sha_384 and AlgID.sha_ 512. The basic process for creating a message digest is as follows: 1. Create a new instance of MessageDigest by calling the static getInstance method with an AlgorithmIdentifier object as a parameter. 2. Add the data to be digested. 3. Compute the hash value. Example 3–13 shows how to create an MD5 message digest object. Example 3–13 Code Example for Creating a Message Digest Create a new MD5 MessageDigest object MessageDigest md5 = Signature.getInstanceAlgID.md5; Oracle Crypto 3-9 Add the data to be digested md5.udpatedata1; md5.udpatedata2; Compute the hash value md5.computeCurrent; byte[] digestBits = md5.getDigestBits;

3.3.5.2 The oracle.security.crypto.core.MAC Class

The MAC abstract class provides methods to compute and verify a Message Authentication Code MAC. The concrete class extending the MAC is the HMAC class. The available algorithms for MAC operations are: AlgID.hmacMD5 and AlgID.hmacSHA. The basic process for creating a MAC is as follows: 1. Create a new instance of MAC by calling the static getInstance method with an AlgorithmIdentifier and a SymmetricKey object as a parameter. 2. Add the data to be digested. 3. Compute the MAC value and verify it. Example 3–14 shows how to create a new HMAC object with the HMAC-SHA1 algorithm. Example 3–14 Code Example for Creating a MAC Create an HMAC object with the HMAC-SHA1 algorithm MAC hmacSha1Compute = MAC.getInstanceAlgID.hmacSHA, hmacSha1Key; Add the data to be digested hmacSha1Compute.udpatedata; Compute the MAC value and verify byte[] macValue = hmacSha1Compute.computeMAC; boolean verified = hmacSha1Verify.verifyMACdata, macValue;

3.3.6 Key Agreement

The oracle.security.crypto.core.KeyAgreement class abstract class provides methods for public key agreement schemes such as Diffie-Hellman. The concrete classes extending the KeyAgreement class are the DHKeyAgreement and the ECDHKeyAgreement classes. The available algorithms for key agreement operations are: AlgID.dhKeyAgreement and ECDHKeyAgreement Elliptic Curve Diffie-Hellman key agreement. The basic process for key agreement is as follows: 1. Create a new instance of KeyAgreement by calling the static getInstance method with an AlgorithmIdentifier object as a parameter. 2. Set the local private key and the other party’s public key. 3. Compute the shared secret value. Example 3–15 shows how to perform key agreement. 3-10 Oracle Fusion Middleware Reference for Oracle Security Developer Tools Example 3–15 Code Example for Key Agreement Create a DH key agreement object KeyAgreement dh = KeyAgreement.getInstanceAlgID.dhKeyAgreement; Set the private key and public key dh.setPrivateKeyprivKey; dh.setPublicKeyotherPubKey; Compute the shared secret byte[] sharedSecret = dh.generateSecret;

3.3.7 Pseudo-Random Number Generators