Understanding How to Use Cryptography in Java

I will explain the Java Cryptographic Architecture (JCA) for a better understanding of how it works. The JCA is designed to simplify the creation of protocols like encryption, hashing, digital signatures, and key generation for Java developers

Now let's take a look at how the API works for this process.

Some History

When the Java Cryptographic Architecture (JCA) was first introduced in 1997 with Java 1.1 it was used as a response to the massive need for security in software and networking applications. Before the Java Cryptographic Architecture (JCA) came out, Java really only offered some basic security through the sandbox model and API limits. This means that before the release, Java was not sufficient for the strong security requirements that companies at the time had, and still have.

You also need to note that when the Java Cryptographic Architecture (JCA) was initially released, it only offered a very limited set of functions and supported a small number of algorithms. This was due to the highly restrictive U.S. Export Regulations on Cryptographic Software at the time. Over the years, these regulations were relaxed while the demand for more sophisticated security features increased dramatically – which means the JCA evolved significantly.

We do need to bring up the architecture of the Java Cryptographic Architecture (JCA) also here. It was designed to be provider-based to begin with. This means that the API for it separates the interface and the implementation. This allows for the integration of different or multiple cryptographic services – this can also be implemented by different providers. The design choice here was to enable developers to plug-in their choice of cryptographic algorithms without having to alter their software application code. The components include:

Cryptographic Service Providers: These are implementations of specific algorithms packaged as independent, installable, and configurable modules. Providers may include a wide range of cryptographic services such as algorithms for encryption, key generation, message authentication, and secure random number generation.
Factory Classes: These classes abstract the instantiation details of cryptographic services. They allow applications to use cryptographic services without binding to specific implementations.
Manager Classes: These classes manage the different providers and serve as the entry point to the JCA framework, helping to configure and access the cryptographic primitives provided by the installed providers.
Security Classes and Interfaces: These include a variety of classes and interfaces for specific cryptographic tasks, such as creating and verifying digital signatures, generating message digests, encrypting/decrypting data, etc.

Do you like what you are reading? We do recommend this next article – Understanding Heap Memory in Java Applications – to you to continue learning with us.

Salt your Hashes

One of the easiest ways that hackers can guess a password – even more easily when they also have the hash of the password – is they have a list of common password hashes. This allows them to create a lookup table so they can easily crack the hash. This is because when you go to hash something, it will be the same hash each time. The best practice is to employ the use of a secure random number generator for coming up with a random salt value for the storage of the hashed passwords.

Message Salt Hashing Code Examples

The following code example could easily be backed since we are passing the same password to get the hash then storing the hash in a database. Please note, this is not a secure method or recommended to use at all for securing hashed passwords.

String message = "S0m3th1ngY0uSh0uldN0tB3@abl3T0tGu3ss";
MessageDigest md = MessageDigest.getInstance("SHA-512");
md.update(message.getBytes());
byte[] hash = md.digest();

Our goal is to avoid this. So we are going to use salts which adds another level of randomness to the hash. Hash cracking is based on reverse lookups where you generate hashes for popular or common passwords. The more random we make our hashes, the less chances that the hash will show up in a lookup tool.

We can use the SecureRandom Java class to generate the Salt value.

byte[] salt = new byte[16];
SecureRandom sc = new SecureRandom();
sc.nextBytes(salt);
md.update(message.getBytes());
md.update(salt);
byte[] hash = md.digest();

Block Mode Code Example

When choosing a block cipher, you should strongly avoid the use of well known weak ones such as the Electronic Code Block (EBC).

//generate a key
KeyGenerator kg = KeyGenerator.hetInstance("DES");
SecretKey key = kg.generateKey();

//Create a new Cipher
Cipher c = Cipher.getInstance("DES/ECB/PKCS5Padding");
c.init(Cipher.ENCRYPT_MODE, key);

//Encrypt the huge set of data line by line
String strLine = //new Line
encLine = Base64.encodeBase64String()c.doFinal(strLine.getBytes());

Feedback Mode Code Example

There are very strong Block Ciphers such as Cipher Block Chaining (CBC) or Output Feedback (OFB). These will require an initialization Vector (IV) to begin the process of encryption of data.

//generate a key
KeyGenerator kg = KeyGenerator.hetInstance("DES");
SecretKey key = kg.generateKey();

//Create a new Cipher
Cipher c = Cipher.getInstance("DES/CBC/PKCS5Padding");
c.init(Cipher.ENCRYPT_MODE, key);

//Encrypt the huge set of data line by line
String strLine = //new Line
encLine = Base64.encodeBase64String();
c.doFinal(strLine.getBytes());

Common Cryptographic Attacks

One of the easiest ways to migrate attacks is by using Secure Sockets Layer (SSL) or Transport Layer Security (TLS). This is also included by Java by default in the standard library. Here is an example of how to use it.

import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.SSLSocket;

public class SecureSocketExample {
    public static void main(String[] args) throws Exception {
        SSLSocketFactory ssf = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) ssf.createSocket("example.com", 443);

        // The communication with the server is encrypted
        socket.startHandshake();

        // Now, you can safely send and receive data from the server
        // Example of sending/receiving logic here

        socket.close();
    }
}

Replay Attacks

One way attackers replay attack occurs when a valid data transmission is maliciously or fraudulently repeated or delayed. One of the easiest and common mitigation techniques involves the use of timestamps and nonces – which are numbers used only once – to ensure validity of messages. Allow me to provide a code example of how to migrate this attack vector.

import java.security.SecureRandom;
import java.time.Instant;

public class NonceAndTimestampExample {
    public static void main(String[] args) {
        SecureRandom random = new SecureRandom();
        byte[] nonce = new byte[16];
        random.nextBytes(nonce);

        long timestamp = Instant.now().getEpochSecond();

        System.out.println("Nonce: " + bytesToHex(nonce));
        System.out.println("Timestamp: " + timestamp);
    }

    private static String bytesToHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }
}

Side Channel Attacks

Another popular method of attacking is the side-channel attack. It is based on information gained from the physical implementation of a cryptosystem – rather than theoretical weaknesses in the algorithms. This also includes timing information, power consumption, and electromagnetic leaks. The following code example is a way to help migrate these type of attacks.

Mitigating a side-channel attack is often easy and involves avoiding certain cryptographic implementations susceptible to these attacks. Here is an example using constant-time algorithms to compare secrets.

public class ConstantTimeComparison {
    public static boolean isEqual(byte[] a, byte[] b) {
        if (a.length != b.length) {
            return false;
        }
        int result = 0;
        for (int i = 0; i < a.length; i++) {
            result |= a[i] ^ b[i];
        }
        return result == 0;
    }

    public static void main(String[] args) {
        byte[] secret1 = "secretValueA".getBytes();
        byte[] secret2 = "secretValueB".getBytes();

        System.out.println("Comparison result: " + isEqual(secret1, secret2));
    }
}

Key Management and Secure Storage

In cryptographic systems, proper key management is paramount for ensuring the confidentiality and integrity of all data in the Java software application. As we all should know, Java provides mechanisms for generating, storing, and using cryptographic keys securely.

Java does offer various APIs for generating cryptographic keys, including symmetric and asymmetric keys. Developers can utilize classes such as KeyGenerator for symmetric keys and KeyPairGenerator for asymmetric keys.

// Generate a symmetric key
KeyGenerator keyGen = KeyGenerator.getInstance("AES");
keyGen.init(256); // Key size
SecretKey secretKey = keyGen.generateKey();

// Generate an asymmetric key pair
KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("RSA");
keyPairGen.initialize(2048); // Key size
KeyPair keyPair = keyPairGen.generateKeyPair();

We should always remember that storing cryptographic keys securely is essential to prevent unauthorized access. Java provides facilities like the Java KeyStore (JKS) for securely storing keys and certificates.

KeyStore keyStore = KeyStore.getInstance("JKS");
char[] password = "password".toCharArray();
keyStore.load(new FileInputStream("keystore.jks"), password);

// Retrieve a key from the keystore
Key key = keyStore.getKey("alias", password);

Best Practices and Considerations

The last few things that people need to consider is when implementing cryptographic functionality in Java applications, several best practices and considerations should be taken into account to enhance security and mitigate vulnerabilities.

Use Strong Algorithms. Always use strong cryptographic algorithms and key sizes recommended by security standards. Avoid deprecated or weak algorithms susceptible to attacks.
Secure Random Number Generation. Utilize secure random number generators (SecureRandom) for generating cryptographic keys, salts, and initialization vectors (IVs). Secure random numbers are essential for preventing predictable outputs in cryptographic operations.
Secure Communication. When transmitting sensitive data over networks, employ secure communication protocols like SSL/TLS to encrypt data in transit and ensure its integrity.
Regular Updates and Patching. Keep cryptographic libraries and dependencies up-to-date with the latest security patches. Regularly review and update cryptographic algorithms and configurations to mitigate emerging threats.

The Conclusion

In my final words, the Java Cryptographic Architecture (JCA) provides an amazingly robust framework for implementing cryptographic functionalities in Java applications. This is by leveraging the JCA APIs and making sure to follow the best practices. From key management to secure communication, Java offers a comprehensive set of tools for building secure and highly reliable cryptographic solutions in today's increasingly crazy world of cybersecurity and cryptography.

Do you like what you're reading from the CoderOasis Technology Blog? We recommend reading our Implementing RSA in Python from Scratch series next.

The CoderOasis Community

Did you know we have a Community Forums and Discord Server? which we invite everyone to join us? Want to discuss this article with other members of our community? Want to join a laid back place to chill and discuss topics like programming, cybersecurity, web development, and Linux? Consider joining us today!