RIM Crypto API Goals
• Confidentiality (保密性)
为机密,敏感数据加密 (Encryption),解密 (Decryption)
• Integrity (完整性)
加密数据有可能被更改,比如银行存款数额,账号等,造成数据不完
整。维护数据完整性的通过Hash算法实现,比如Digest, MAC
• Authentication (鉴证)
数据的来源或用户身份也可能被更改,这时就需要认证来检测。常用
的认证方法包括: Digital Signature, Digital Certificate
RIM Crypto API Contents
• Keys
• Encoding and Decoding Keys
• Digests and MACs
• Signatures
• Encoding and Decoding Signatures
• Encrypting Data
• Decrypting Data
Keys
Crypto API中最重要也是最简单的部分就是Key。
• Public Key
公钥是公开的,用于非对称加密。公钥和私钥的不同在于私钥包含了
机密信息
• Private Key
私钥在非对称加密里包含了机密信息,必须保护
• Symmetric Key
在对称加密里使用对称密钥,它的重要性和非对称加密里的私钥相当
DES Key Example
RIM Crypto API 提供了直接的方法创建 Key
创建 DES Key:
// uses random data to create the key.
DESKey unknownKey = new DESKey();
// data contains the knownkey.
byte[] data = new byte[ 8 ];
DESKey knownKey = new DESKey( data );
CryptoSystems
Cryptosystems提供公钥加密算法,例如 RSA, DSA, ECDSA, etc。
创建RSA密钥对范例:
RSACryptoSystem rsaCryptoSystem = new RSACryptoSystem(1024);
RSAKeyPair rsaKeyPair = new RSAKeyPair( rsaCryptoSystem )
RSAPublicKey rsaPublicKey = rsaKeyPair.getRSAPublicKey();
RSAPrivateKey rsaPrivateKey = rsaKeyPair.getRSAPrivateKey();
//a public key with a known n and e will be created:
rsaCryptoSystem = new RSACryptoSystem(1024); // where n and e are byte arrays
RSAPublicKey rsaPublicKey = new RSAPublicKey( rsaCryptoSystem, e, n );
Certificates
Certificate绑定公钥和认证信息,是公钥加密认证的载体,由CA签
署(Sign)。使用者必须使用合法的密钥检验(verify)。RIM Crypto API提
供了X509, WTLS等认证格式。X509证书范例:
RSAKeyPair keyPair = new RSAKeyPair( new RSACryptoSystem() );
X509DistinguishedName name = new X509DistinguishedName( "O=ACME Corp., C=Canada" );
long keyUsage = KeyUsage.KEY_CERT_SIGN;
byte[] serialNumber = new byte[] { (byte)0x01 };
long validNotBefore = System.currentTimeMillis();
long validNotAfter = validNotBefore + 1000*60*60*24*365; // add a year of milliseconds
X509Certificate root = X509Certificate.createX509Certificate( keyPair, name, keyUsage,
serialNumber, null, validNotBefore, validNotAfter );
KeyStore trustedKeyStore = TrustedKeyStore.getInstance();
boolean trusted = CertificateUtilities.isCertificateChainTrusted( chain, trustedKeyStore )
Keystores
KeyStore为keys和Certificates在BlackBerry手机上的存储
提供了方便的途径
• RIMKeyStore
• TrustedKeyStore
Digests and MACs
Digests 和 MACs是通过Hash算法把数据浓缩成一小段数据或一个唯一的标识,接收到的数据会以相同的方式HASH,相同结果表明数据没有被更改,是为数据的完整性服务。
RIM Crypto API 提供 SHA-1, SHA-2-256, SHA-2-384, SHA-2-512,等Hash算法。范例如下:
// Instantiate SHA1
SHA1Digest digest160 = new SHA1Digest
byte[] data = new byte[128];
RandomSource.getBytes( data );
digest160.update( data );
digest160.update( data, 10, 15 );
// Now get the digest.
byte[] digestValue = digest160.getDigest();
Message Authentication Codes (MACs)
MACs 是带有key的Hash算法, 目的与Digest相同。RIM Crypto API 支持
的MACs包括: CBC MAC, HMAC, Null MAC. HMAC范例如下:
byte[] keyData = new byte[ 20 ];
RandomSource.getBytes( keyData );
// Create the key
HMACKey key = new HMACKey( keyData );
// Create the SHA digest
SHA1Digest digest = new SHA1Digest();
// Create SHA digest with key
HMAC hMac = new HMAC( key, digest );
// The HMAC can be updated much like a digest
hMac.update( data );
hMac.update( data, 10, 15 );
// Now get the MAC value.
byte[] macValue = hMac.getMAC();
Signatures
Signatures 用于检验数据源/数据用户身份,采用公钥和私钥的方式。
私钥证明只有唯一的数据源签署了这份数据。RIM Crypto API 提供了
SignatureSigner, SignatureEncoder, SignatureVerifier来支持签名.
• SignatureSigner
捆绑数据和私钥产生一个数字签名
• SignatureEncoder
加密数字签名并存入byte数组
• SignatureVerifier
用公钥验证数字签名
DSA Signature Signer Example
// Create key pair
DSACryptoSystem cryptoSystem = new DSACryptoSystem();
DSAKeyPair keyPair = new DSAKeyPair( cryptoSystem );
DSAPrivateKey privateKey = keyPair.getDSAPrivateKey();
// The message to be signed
String message = new String("Jeans are on sale");
// Create the signer itself.
SignatureSigner signer = new DSASignatureSigner( privateKey );
signer.update( message.getBytes() );
// Create an X509 signature.
EncodedSignature signature = SignatureEncoder.encode( signer, "X509" );
// Get the data of the signature.
byte[] signatureData = signature.getEncodedSignature();
String encodingAlgorithm = signature.getEncodingAlgorithm(); // "X509"
DSA Signature Verifier Example
// Retrieve public key.
DSAPublicKey publicKey = keyPair.getDSAPublicKey();
// Decode the signature.
DecodedSignature decodedSignature = SignatureDecoder.decode( signatureData, "X509" );
// Get signature verifier.
SignatureVerifier verifier = decodedSignature.getVerifier(publicKey);
// Enter message to be verified.
verifier.update( message.getBytes() );
// Verify the signature.
boolean verified = verifier.verify();
Encrypting/Decrypting Data
• Engines
Engines提供了对加密算法的直接访问。把一段数据转变成byte数组,
Engine可以直接将byte数据转变为加密数据,比如AES, DES加密引擎
• Encryptors and Decryptors
以stream的读写方式进行加密解密
• Encryption with Block Ciphers
对于某种加密方法,提供加密模式选择,例如:
- ECB-Electronic Code Book
- CBC-Cipher Block Chaining
- CFB-Cipher Feedback
- OFB-Output Feedback
DESEncryptorEngine Example
// Input
byte[] input = { (byte)'T', (byte)'e', (byte)'s', (byte)'t', (byte)'i', (byte)'n', (byte)'g', (byte)'!' };
// Output
byte[] output = new byte[ 8 ];
byte[] keyData = { (byte)0x01, (byte)0x23, (byte)0x45, (byte)0x67, (byte)0x89, (byte)0x01, (byte)0x23, (byte)0x45 };
// Create a new DES key with the given data.
DESKey key = new DESKey( keyData );
// Create engine.
DESEncryptorEngine engine = new DESEncryptorEngine( key );
// Encrypt the input with offset of zero.
engine.encrypt( input, 0, output, 0);
DESDecryptorEngine Example
// Input
byte[] input = { (byte)0x77, (byte)0xFB, (byte)0xF4, (byte)0x94, (byte)0xE9, (byte)0x70, (byte)0xDD, (byte)0x0B };
// Output
byte[] output = new byte[ 8 ];
// Key Data from encryption
byte[] keyData = { (byte)0x01, (byte)0x23, (byte)0x45, (byte)0x67, (byte)0x89, (byte)0x01, (byte)0x23, (byte)0x45 };
// Create a new DES key with the given data.
DESKey key = new DESKey( keyData );
// Create engine.
DESDecryptorEngine engine = new DESDecryptorEngine( key );
// Decrypt the input with offset of zero.
engine.decrypt( input, 0, output, 0);