SecureRandom class. public abstract KeyPair generateKeyPair public final KeyPair genKeyPair Generate a key pair using the initialization parameters previously specified. A KeyPairGenerator object can repeatedly generate key pairs by calling one of these methods; each new call generates a new key pair. The genKeyPair method simply calls the generateKeyPair method. Using these methods, generating a pair of keys is very straightforward: KeyPairGenerator kpg = KeyPairGenerator.getInstanceDSA; kpg.initialize512; KeyPair kp = kpg.generateKeyPair ; According to the Java documentation, you are allowed to generate a key pair without initializing the generator; in this situation, a default strength and random number generator are to be used. However, this feature has not always worked: a NullPointerException is sometimes thrown from within the generateKeyPair method. Since it is possible that third−party providers may behave similarly, it is always best to initialize the key pair generator. Well show what to do with these keys in the next chapter when we discuss the topic of key management.

9.2.1.2 Generating DSA keys

The abstraction provided by the key pair generator is usually all we need to generate keys. However, sometimes the particular algorithm needs additional information to generate a key pair. When a DSA key pair is generated, default values for P, Q, and G are used; in the Sun security provider, these values are precomputed to support strength values of 512 and 1024. Precomputing these values greatly reduces the time required to calculate a DSA key. Third−party DSA providers may provide precomputed values for additional strength values. It is possible to ask the key generator to use different values for P, Q, and G if the key pair generator supports the DSAKeyPairGenerator interface java.security.interfaces.DSAKeyPairGenerator : public interface DSAKeyPairGenerator Provide a mechanism by which the DSA−specific parameters of the key pair engine can be manipulated. There are two methods in this interface: public void initializeint modlen, boolean genParams, SecureRandom random Initialize the DSA key pair generator. The modulus length is the number of bits used to calculate the parameters; this must be any multiple of 64 between 512 and 1024. If genParams is true , then the P, Q, and G parameters will be generated for this new modulus length; otherwise, a precomputed value will be used but precomputed values in the Sun security provider are available only for modlen values of 512 and 1024. If the modulus length is invalid, this method throws an InvalidParameterException . public void initializeDSAParams params, SecureRandom random Initialize the DSA key pair generator. The P, Q, and G parameters are set from the values passed in params . If the parameters are not correct, an InvalidParameterException is generated. As with the DSAKey interface, a DSA key pair generator implements the DSAKeyPairGenerator interface for two purposes: for type identification, and to allow the programmer to initialize the key pair generator with the desired algorithm−specific parameters: KeyPairGenerator kpg = KeyPairGenerator.getInstanceDSA; if kpg instanceof DSAKeyPairGenerator { DSAKeyPairGenerator dkpg = DSAKeyPairGenerator kpg; dkpg.initialize512, true, new SecureRandom ; } else kpg.initialize512; In sum, this interface allows us to use the generic key pair generator interface while providing an escape clause that allows us to perform DSA−specific operations.

9.2.2 Implementing a Key Pair Generator

If you want to implement your own key pair generator −− either using a new algorithm or, more typically, a new implementation of a standard algorithm −− you create a subclass of the KeyPairGenerator class. The KeyPairGenerator class already extends the KeyPairGeneratorSpi class; this is one case where you dont extend the SPI class directly. There are two abstract public methods of the key pair generator SPI that we must implement in our key pair generator: the initialize method and the generateKeyPair method. For this example, well generate a simple key pair that could be used for a simple rotation−based encryption scheme. In this scheme, the key serves as an offset that we add to each ASCII character −− hence, if the key is 1, an encryption based on this key converts the letter a to the letter b, and so on the addition is performed with a modulus such that z will map to a. To support this encryption, then, we need to generate a public key that is simply a number between 1 and 25; the private key is simply the negative value of the public key. We must also define a class to represent keys were implementing. [1] We can do that with this class: [1] This is true even if youre implementing an algorithm already implemented by the Sun security provider. The classes the Sun security provider uses to represent keys are not in the java package, so they are unavailable to us. So even if youre implementing DSA keys, you must still define classes that implement all the DSA interfaces we looked at earlier. package javasec.samples.ch09; import java.security.; public class XYZKey implements Key, PublicKey, PrivateKey { int rotValue; public String getAlgorithm { return XYZ; } public String getFormat { return XYZ Special Format; } public byte[] getEncoded { byte b[] = new byte[4];