byte secret[] = ka.generateSecret ; Step 6: Alice converts a secret key SecretKeyFactory skf = SecretKeyFactory.getInstanceDES; DESKeySpec desSpec = new DESKeySpecsecret; SecretKey key = skf.generateSecretdesSpec; Step 7: Alice encrypts data with the key and sends the encrypted data to Bob Cipher c = Cipher.getInstanceDESECBPKCS5Padding; c.initCipher.ENCRYPT_MODE, key; ciphertext = c.doFinal Stand and unfold yourself.getBytes ; notify ; } catch Exception e { e.printStackTrace ; } } public synchronized void doBob { try { Step 3: Bob uses the parameters supplied by Alice to generate a key pair and sends the public key while alice == null { wait ; } KeyPairGenerator kpg = KeyPairGenerator.getInstanceDH; DHParameterSpec dhSpec = new DHParameterSpec aliceP, aliceG, aliceL; kpg.initializedhSpec; KeyPair kp = kpg.generateKeyPair ; bob = kp.getPublic.getEncoded ; notify ; Step 5 part 1: Bob uses his private key to perform the first phase of the protocol KeyAgreement ka = KeyAgreement.getInstanceDH; ka.initkp.getPrivate ; Step 5 part 2: Bob uses Alices public key to perform the second phase of the protocol. KeyFactory kf = KeyFactory.getInstanceDH; X509EncodedKeySpec x509Spec = new X509EncodedKeySpecalice; PublicKey pk = kf.generatePublicx509Spec; ka.doPhasepk, true; Step 5 part 3: Bob generates the secret key byte secret[] = ka.generateSecret ; Step 6: Bob generates a DES key SecretKeyFactory skf = SecretKeyFactory.getInstanceDES; DESKeySpec desSpec = new DESKeySpecsecret; SecretKey key = skf.generateSecretdesSpec; Step 8: Bob receives the encrypted text and decrypts it Cipher c = Cipher.getInstanceDESECBPKCS5Padding; c.initCipher.DECRYPT_MODE, key; while ciphertext == null { wait ; } byte plaintext[] = c.doFinalciphertext; System.out.printlnBob got the string + new Stringplaintext; } catch Exception e { e.printStackTrace ; } } public static void mainString args[] { DHAgreement test = new DHAgreement ; new Threadtest.start ; Starts Alice new Threadtest.start ; Starts Bob } } Note that this example uses the Cipher class; see Chapter 13 for more details about that class. In typical usage, of course, Bob and Alice would be executing code in different classes, probably on different machines. Weve shown the code here using two threads in a shared object so that you can run the example more easily although beware: generating a Diffie−Hellman key is an expensive operation, especially for a size of 1024; a size of 512 will be better for testing. Our second reason for showing the example like this is to make explicit the points at which the protocol must be synchronized: Alice must wait for certain information from Bob, Bob must wait for certain information from Alice, and both must perform the operations in the order specified. Once the secret key has been created, however, they may send and receive encrypted data at will. Otherwise, despite its length, this example merely uses a lot of the techniques weve been talking about in the past two chapters. Keys are generated, they are transmitted in neutral encoded format, they are reformed by their recipient, and both sides can continue. The KeyAgreement class is an engine class, and you can create your own implementations of it by subclassing the KeyAgreementSpi class javax.crypto.KeyAgreementSpi . Remember that this is a JCE engine class, so you must perform the appropriate steps in the constructor of your engine to verify the JCE installation.

10.6 Comparison with Previous Releases

The fluidity of key management is evident in the progress of Java itself. Key management with the 1.1 API is very different from key management in Java 2. Further complicating this picture is the fact that no Java−enabled browser except the Java 2 Plug−In uses the technique for key management that comes with the JRE. Each requires keys to be kept in a different key database, and each uses a different technique to store and retrieve keys from that application−specific database. As a developer, that means you must adopt different key management features depending on your target platform. If your target platform is Java 2 applications and Java 2 applets run through the Java Plug−in, then you can use this key management facility. If you must support applets run in Internet Explorer or versions of Netscape Navigator before Netscape 6, then you must use Microsoft− or Netscape−specific key management techniques. And if youre targeting Java 1.1 applications, you must use Java 1.1 facilities. There are no keystores in Java 1.1. If you must implement a key management system under Java 1.1, youll need to use the IdentityScope class. The IdentityScope class has been deprecated in Java 2. Java 1.1 comes with a key management system that is based upon the javakey utility. javakey has several limitations; in particular, it stores public and private keys in the same, unprotected location often called an identity database. This allows anyone with access to the javakey database to determine all the keys that were stored in the file. Since access is required to obtain your own private key to generate your own digital