Creating a Shell Java Encryption Class
The first step is to create a shell class to handle the encryption. For lack of imagination I'll call this class "Encryption." You need to import the Java Security API package, which implements many different types of encryption. In this example, you'll use public/private key encryption and create two private variables to store our public and private keys. Here's the code for the Encryption class.
Generating a Key Pair
public class Encryption
private PublicKey publicKey = null;
private PrivateKey privateKey = null;
With the shell class in place you can get right down to implementation. Next, you need to generate a key pair. The key pair lets you create signatures with your private key and verify them with your public key. It is perfectly secure to share the public key with third parties to verify the signatures. Sharing your public key with partners or other applications is one common way to share authentication information. If you are going to share your public key with third parties, they need to be able to ensure or "trust" that your public key is valid, but because this example is only concerned with internal
use of the public key, I won't address trust in this article. You will need to create only a single key pair for all of the example's encryption needs. While the public key can be shared, the private key needs to be secured. The JDK contains a program to manage your keys securely named keyring
. For simplicity however, this example just stores the keys in the CF application server file system, under the assumption that only authorized people can access them.
You need a method to generate the keys. I'll call this method generateKeys
. The generateKeys
method needs to create a key pair generator instance. To do that, you must tell it which encryption algorithm to usethe example uses DSA for simplicity. Optionally, you can also specify a security provider. For simplicity, the example doesn't specify a provider; instead, it lets the key pair generator pick the provider based on the security properties setup of the Java Runtime Environment (JRE). The following line instantiates a new key pair generator.
KeyPairGenerator keyGen = KeyPairGenerator.getInstance("DSA");
The preceding code sets the keyGen
variable to a new KeyPairGenerator instance using the Digital Signature Algorithm (DSA). The next step is to initialize the key pair generator. The initialize method takes two parameters: bit length, and an instance of a random object. The bit length has a major effect on the strength of the encryption. Shorter bit lengths are less secure while longer bit lengths can lead to performance problems. The example uses a 1024-bit key, which should be sufficiently secure but is short enough to avoid major performance problems. Again, for simplicity, the example uses the default secure random objectfor DSA that's the Secure Hash Algorithm (SHA1). After initializing the key pair generator you can call the generateKeyPair
method to create a KeyPair instance.
keyGen.initialize(1024, new SecureRandom());
KeyPair pair = keyGen.generateKeyPair();
this.privateKey = pair.getPrivate();
this.publicKey = pair.getPublic();
The preceding code initializes the key pair generator, generates a new key pair, and calls the getPrivate
methods to set the two private variables. Now that you have a key pair you're ready to create and verify signatures. However, because you don't want to generate a new key pair each time you create or verify signatures you need some way of persisting the keys. The easiest solution is to write the keys to the file system. Luckily, the National Institute of Standards and Technology (NIST) has defined standards on how to store public and private keys. These standards are known as Private-key Information Syntax Standard
(PKCS8) for private keys and X.509
for public keys.