Posted to user@shiro.apache.org by Ryan McKinley <ry...@gmail.com> on 2011/05/04 06:39:55 UTC

public/private key encryption?

Does Shiro include utilities to encrypt text with a private key?  I
have messed with java.security stuff but it is kinda ugly.

I got this working, and it may be OK, but it would be better if I could use
a private key to encode and a public one to decode:


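    import org.apache.shiro.codec.Base64;
    import org.apache.shiro.codec.CodecSupport;
    import org.apache.shiro.crypto.BlowfishCipherService;

    // Symmetric round trip: the same key encrypts and decrypts.
    BlowfishCipherService bf = new BlowfishCipherService();
    byte[] key = bf.generateNewKey().getEncoded();
    System.out.println( "Key:"+Base64.encodeToString(key) );

    String txt = "kittens";
    System.out.println( "original: "+txt );

    // Convert to and from bytes as UTF-8 instead of the platform default charset.
    String out = bf.encrypt(CodecSupport.toBytes(txt), key).toBase64();
    System.out.println( "encrypted: "+out );
    String xxx = CodecSupport.toString( bf.decrypt(Base64.decode(out), key).getBytes() );

    System.out.println( "out: "+xxx );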


Any pointers would be great!

thanks
ryan

Re: public/private key encryption?

Posted by Les Hazlewood <lh...@apache.org>.
Just a nod to Erik's comment about asymmetric crypto used with
symmetric crypto:  this is very good practice, since asymmetric crypto
is very slow.

For those unaware, this technique is exactly how TLS (formerly SSL) works.

In the connection handshake, asymmetric keys are used to securely
transmit a randomly generated symmetric key between the two parties.
The symmetric key is used to encrypt all remaining communication after
the handshake.  Without this, TLS would be painfully slow.

Thanks for bringing it up Erik.

Cheers,

-- 
Les Hazlewood
Founder, Katasoft, Inc.
Application Security Products & Professional Apache Shiro Support and Training:
http://www.katasoft.com

On Wed, May 4, 2011 at 11:50 AM, Erik Beeson <er...@gmail.com> wrote:
> In addition to what Les said, you may want to check out jasypt and vtcrypt.
> The former is dead simple for basic password based encrypting, and the
> latter has a fairly simple wrapper around asymmetric ciphers (like you're
> asking about).
> As I understand it, when you're trying to encrypt any significant quantity
> of data with an asymmetric cipher, you generate a key for a symmetric cipher
> (like Blowfish), encrypt your data with that, then encrypt the key with your
> asymmetric cipher and include that with your data.
>
> --Erik
>
> On Tue, May 3, 2011 at 9:39 PM, Ryan McKinley <ry...@gmail.com> wrote:
>>
>> Does Shiro include utilities to encrypt text with a private key?  I
>> have messed with java.security stuff but it is kinda ugly.
>>
>> I got this working, and it may be OK, but it would be better if I could use
>> a private key to encode and a public one to decode:
>>
>>
>>     BlowfishCipherService bf = new BlowfishCipherService();
>>     byte[] key = bf.generateNewKey().getEncoded();
>>     System.out.println( "Key:"+Base64.encodeToString(key) );
>>
>>     String txt = "kittens";
>>     System.out.println( "original: "+txt );
>>
>>     String out = bf.encrypt(txt.getBytes(), key).toBase64();
>>     System.out.println( "encrypted: "+out );
>>     String xxx = new String( bf.decrypt(Base64.decode(out), key).getBytes() );
>>
>>     System.out.println( "out: "+xxx );
>>
>>
>> Any pointers would be great!
>>
>> thanks
>> ryan

Re: public/private key encryption?

Posted by Erik Beeson <er...@gmail.com>.
In addition to what Les said, you may want to check out
jasypt <http://www.jasypt.org/> and
vtcrypt <http://code.google.com/p/vt-middleware/wiki/vtcrypt>. The former is
dead simple for basic password based encrypting, and the latter has a fairly
simple wrapper around asymmetric ciphers (like you're asking about).

As I understand it, when you're trying to encrypt any significant quantity
of data with an asymmetric cipher, you generate a key for a symmetric cipher
(like Blowfish), encrypt your data with that, then encrypt the key with your
asymmetric cipher and include that with your data.

--Erik


On Tue, May 3, 2011 at 9:39 PM, Ryan McKinley <ry...@gmail.com> wrote:

> Does Shiro include utilities to encrypt text with a private key?  I
> have messed with java.security stuff but it is kinda ugly.
>
> I got this working, and it may be OK, but it would be better if I could use
> a private key to encode and a public one to decode:
>
>
>     BlowfishCipherService bf = new BlowfishCipherService();
>     byte[] key = bf.generateNewKey().getEncoded();
>     System.out.println( "Key:"+Base64.encodeToString(key) );
>
>     String txt = "kittens";
>     System.out.println( "original: "+txt );
>
>     String out = bf.encrypt(txt.getBytes(), key).toBase64();
>     System.out.println( "encrypted: "+out );
>     String xxx = new String( bf.decrypt(Base64.decode(out), key).getBytes() );
>
>     System.out.println( "out: "+xxx );
>
>
> Any pointers would be great!
>
> thanks
> ryan
>

Re: public/private key encryption?

Posted by Ryan McKinley <ry...@gmail.com>.
Thanks -- this confirms my understanding, but wanted to make sure I am
not missing something.  Searching for "shiro private key" leads to:
http://shiro-user.582556.n2.nabble.com/public-key-private-key-authetication-td4446010.html

For this app, I think a symmetric cipher that is kept secret is
sufficient.  In the future, it would be awesome to have access to
asymmetric ciphers with the same ease and clarity Shiro brings to
everything else!

Thanks
ryan


On Wed, May 4, 2011 at 1:50 PM, Les Hazlewood <lh...@apache.org> wrote:
> Hi Ryan,
>
> Blowfish is a symmetric cipher algorithm - the same key that is used
> to encrypt must be the same as the one used to decrypt.
>
> But note that if you do not disseminate the key to anyone (i.e. it is
> always held privately in your project and not shared with anyone
> else), symmetric ciphers are still good to use - they won't suffer
> from a 'man in the middle attack' because there is never a 'man in the
> middle' that could see the key since it is not disseminated.
> Asymmetric ciphers are only really recommended if any 3rd party needs
> to perform encryption or decryption.
>
> Anyway, Shiro doesn't yet have a default implementation for RSA
> public/private key encryption as we don't need it in the framework
> directly (yet).
>
> The way to do this would be to create an AssymetricCipherService
> implementation (similar to the existing
> AbstractSymmetricCipherService) using a configured algorithm (e.g.
> RSA).  I just created this issue:
>
> https://issues.apache.org/jira/browse/SHIRO-289
>
> Please watch the issue for updates.
>
> Finally, if anyone would like to help do this, it'd be much appreciated!
>
> Cheers,
>
> --
> Les Hazlewood
> Founder, Katasoft, Inc.
> Application Security Products & Professional Apache Shiro Support and Training:
> http://www.katasoft.com
>

Re: public/private key encryption?

Posted by Les Hazlewood <lh...@apache.org>.
Hi Ryan,

Blowfish is a symmetric cipher algorithm - the same key that is used
to encrypt must be the same as the one used to decrypt.

But note that if you do not disseminate the key to anyone (i.e. it is
always held privately in your project and not shared with anyone
else), symmetric ciphers are still good to use - they won't suffer
from a 'man in the middle attack' because there is never a 'man in the
middle' that could see the key since it is not disseminated.
Asymmetric ciphers are only really recommended if any 3rd party needs
to perform encryption or decryption.

Anyway, Shiro doesn't yet have a default implementation for RSA
public/private key encryption as we don't need it in the framework
directly (yet).

The way to do this would be to create an AssymetricCipherService
implementation (similar to the existing
AbstractSymmetricCipherService) using a configured algorithm (e.g.
RSA).  I just created this issue:

https://issues.apache.org/jira/browse/SHIRO-289

Please watch the issue for updates.

Finally, if anyone would like to help do this, it'd be much appreciated!

Cheers,

-- 
Les Hazlewood
Founder, Katasoft, Inc.
Application Security Products & Professional Apache Shiro Support and Training:
http://www.katasoft.com