Thursday, September 15, 2016

How-To Diffie-Hellman key exchange in Java

Public key exchange is an interesting topic in the field of cryptography nowadays. Many sites and web services offer Perfect Forward Secrecy, protecting their users against future compromise of long-term keys. This protection is possible thanks to algorithms such as Diffie-Hellman (DH) and Elliptic Curve Diffie-Hellman (ECDH).

Implementing these techniques in your Java application is not the most straightforward thing to do. Luckily, the library that I used in my past article How-To encrypt a file in Java has convenient classes that greatly simplify the job. A shared secret can therefore be exchanged using Diffie-Hellman in just a few lines of code:
// Tip: You don't need to regenerate p; Use a fixed value in your application
int bits = 2048;
BigInteger p = BigInteger.probablePrime(bits, new SecureRandom());
BigInteger g = new BigInteger("2");

// Create two peers
KeyAgreementPeer peerA = new DHPeer(p, g);
KeyAgreementPeer peerB = new DHPeer(p, g);

// Exchange public keys and compute shared secret
byte[] sharedSecretA = peerA.computeSharedSecret(peerB.getPublicKey());
byte[] sharedSecretB = peerB.computeSharedSecret(peerA.getPublicKey());

Note: The p and g values here are not necessarily representative for production use. Use precomputed primes in order to be safe. A good starting point would be https://tools.ietf.org/html/rfc3526.

Performing a public key exchange using the Elliptic Curve Diffie-Hellman (ECDH) algorithm is done slightly different:
String algorithm = "brainpoolp512r1";

// Create two peers
KeyAgreementPeer peerA = new ECDHPeer(algorithm);
KeyAgreementPeer peerB = new ECDHPeer(algorithm);
 
// Exchange public keys and compute shared secret
byte[] sharedSecretA = peerA.computeSharedSecret(peerB.getPublicKey());
byte[] sharedSecretB = peerB.computeSharedSecret(peerA.getPublicKey());
The ECDH peer class requires Bouncy Castle in order to work. Luckily this is already an import in the Encryptor4j project's build.gradle file.

Find out which elliptic curves are supported by Bouncy Castle here.

Sunday, September 11, 2016

How-To serialize and deserialize Java objects to and from XML

Serialization is a powerful feature included in the Java framework. It allows for transporting and storing objects with great ease and flexibility. One drawback however is that the objects are serialized into a binary format and thus are hard to read or alter. That's where XML serialization comes in.

There are many XML serialization libraries available but many do not support popular Java classes out-of-the-box. One exception however, is XMLSerializer4j. It can serialize collections and most frequently used classes without requiring you to write your own serialization logic.

Serializing any object to an XML file is easy:
XMLSerializer xmlSerializer = new XMLSerializer();
xmlSerializer.serialize(myObject, "MySerializedObject.xml");

Deserialize the XML back to an object like this:
XMLSerializer xmlSerializer = new XMLSerializer("MySerializedObject.xml");
Object myObject = xmlSerializer.deserialize();

By default the output will be stripped of unnecessary whitespace and line-breaks to save space. If however a human readable output is desired with line-breaks and indentation do this:
xmlSerializer.setTransformer(XMLSerializer.HUMAN_READABLE_TRANSFORMER);

Check out the documentation at the project's webpage for further explanation.

Thursday, September 8, 2016

How-To encrypt a file in Java

Encrypting files in Java is easy! Typically it would require loads of boilerplate that only increases the chance of doing something wrong, thus breaking security. Luckily there are safe and sound libraries that can help us perform the task at hand with relative ease.

One of these is Encryptor4j. Download and include it in your project before the next step.

Encrypting a file would be as simple as this:
// We use a password based key here.
// Other options are available too: check the documentation
File srcFile = new File("original.zip");
File destFile = new File("original.zip.encrypted");
String password = "mysupersecretpassword";
FileEncryptor fe = new FileEncryptor(password);
fe.encrypt(srcFile, destFile);
By default, this would encrypt the file using AES with 128-bit keys using CTR mode. If however Unlimited Strength Jurisdiction Policy files are installed it would be encrypted with the maximum key length of 256-bits.

The key is generated from the password using 65536 salted hashing iterations. If you need to regenerate the key from the password in another language check out the KeyFactory implementation used internally by the FileEncryptor class.

Decrypting the file is easy too (it's almost identical to encrypting):
File srcFile = new File("original.zip.encrypted");
File destFile = new File("decrypted.zip");
String password = "mysupersecretpassword";
FileEncryptor fe = new FileEncryptor(password);
fe.decrypt(srcFile, destFile);
This about sums it up. Why reinvent the wheel if an existing library can choose the right block mode, key length and generates and prepends IVs transparently for your convenience.