Posted to dev@santuario.apache.org by mujahedsyed <ms...@gmail.com> on 2014/08/14 17:48:04 UTC

AES 256 bit encryption

Hi All,

I am trying to upgrade the existing sample application that I have been
creating since past few weeks to work with AES 256 bit algorithm instead of
AES 128.

Following this link on creating AES 256 keys http://www.ensor.cc/#setup I
have created a key using keytool as:
keytool -genseckey -keystore aes-keystore.jck -storetype jceks -storepass mystorepass -keyalg AES -keysize 256 -alias jceksaes -keypass mykeypass  

Does someone know if the keystore that is available here
https://github.com/coheigea/testcases/blob/master/apache/santuario/santuario-xml-encryption/src/test/resources/servicestore.jks
was created using the same command (shown above).

I am asking this because when I do following in my code keystore returns
null:


I would really appreciate the guidance here, please let me know if you can
point to some guide?

So, in summary I have three questions:
1. does anyone know if servicestore.jks was created using the same command I
have used?
2. why is defaultCert returning null for me? I think I have created my
certificate incorrectly. I tried to debug this but the method source code
"engineGetCertificate" in java.security.KeyStore.keyStoreSpi is not
available.
3. I have been googling all day to find out if there is any link available
that can help me create an AES 256 bit key but I failed

Your help really appreciated,
Thanks.
Regards,
Mujahed



--
View this message in context: http://apache-xml-project.6118.n7.nabble.com/AES-256-bit-encryption-tp41373.html
Sent from the Apache XML - Security - Dev mailing list archive at Nabble.com.

Re: AES 256 bit encryption

Posted by "Cantor, Scott" <ca...@osu.edu>.
On 8/15/14, 4:39 AM, "mujahedsyed" <ms...@gmail.com> wrote:

>So, just for my learning purpose would you be kind to let me know how is
>that possible that a keystore created with algorithm RSA was able to
>encrypt/decrypt using AES 256 algorithm.

Encryption with asymmetric keys is done by generating a one-time AES key
and encrypting it under the recipient's public key. You don't need an RSA
keystore at all to encrypt, you need it to decrypt.

-- Scott


Re: AES 256 bit encryption

Posted by mujahedsyed <ms...@gmail.com>.
Hi Marc,

Excellent advice, thank you very much! Much appreciated!

I was able to create a keystore using -genkeypair option and successfully
execute it. The algorithm I used while creation was RSA because I found that
AES wasn't supported by keytool 
http://hg.openjdk.java.net/jdk8/jdk8/jdk/file/jdk8-b132/src/share/classes/sun/security/tools/keytool/Main.java#l1556
only DSA, RSA and EC were supported.

Anyways, I went ahead and created and changed the required alias and passwords
in the property file to see if it would work, and I was surprised to see it
working, because in my encryption with the StAX method I had used
http://www.w3.org/2001/04/xmlenc#aes256-cbc

So, just for my learning purpose would you be kind to let me know how is
that possible that a keystore created with algorithm RSA was able to
encrypt/decrypt using AES 256 algorithm. 

I thought I would read it online but the guide is so big and as always I am
on some tight deadlines. I came across a book and will try to read it over the
weekend...

once again, thank you very much.
Regards,
Mujahed




Re: AES 256 bit encryption

Posted by Marc Giger <gi...@apache.org>.
Hi Mujahed,

On Thu, 14 Aug 2014 08:48:04 -0700 (PDT)
mujahedsyed <ms...@gmail.com> wrote:

> Hi All,
> 
> I am trying to upgrade the existing sample application that I have
> been creating since past few weeks to work with AES 256 bit algorithm
> instead of AES 128.
> 
> Following this link on creating AES 256 keys
> http://www.ensor.cc/#setup I have created a key using keytool as:
> keytool -genseckey -keystore aes-keystore.jck -storetype jceks -storepass mystorepass -keyalg AES -keysize 256 -alias jceksaes -keypass mykeypass  
> 
> Does someone know if the keystore that is available here
> https://github.com/coheigea/testcases/blob/master/apache/santuario/santuario-xml-encryption/src/test/resources/servicestore.jks
> was created using the same command (shown above).
> 
> I am asking this because when I do following in my code keystore
> returns null:
> 
> 
> I would really appreciate the guidance here, please let me know if
> you can point to some guide?
> 
> So, in summary I have three questions:
> 1. does anyone know if servicestore.jks was created using the same
> command I have used?

Most probably not, since you are creating a symmetric key but the
sample project uses hybrid encryption and therefore has only
asymmetric keys stored in the jks.

> 2. why is defaultCert returning null for me? I think I have created my
> certificate incorrectly. I tried to debug this but the method source
> code "engineGetCertificate" in java.security.KeyStore.keyStoreSpi is
> not available.

Which defaultCert? Independent of that since you created a symmetric key
there is no cert. See 1. above

> 3. I have been googling all day to find out if there is any link
> available that can help me create an AES 256 bit key but I failed

If your goal is to create a symmetric key your command above seems to
be fine. But if you want to extend the sample project, which I think is
your goal, so that it encrypts the document with AES256 you simply have
to change the algo-uri in the code to
"http://www.w3.org/2001/04/xmlenc#aes256-cbc". That's it.
And if you want to create a new keystore to replace the provided one
in the sample project (of course you shouldn't use the provided one in
your projects, therefore this is the right thing to do) use "keytool
-genkeypair ..."
This will generate a key pair incl. certificate (asymmetric keys used to
encrypt the session key (the symmetric AES key generated as defined
by the algo-uri)).


Marc


> 
> Your help really appreciated,
> Thanks.
> Regards,
> Mujahed
> 
> 
> 
> --
> View this message in context:
> http://apache-xml-project.6118.n7.nabble.com/AES-256-bit-encryption-tp41373.html
> Sent from the Apache XML - Security - Dev mailing list archive at
> Nabble.com.
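
The hybrid scheme described in the replies above (a one-time AES-256 session key encrypted under the recipient's RSA public key), as an added example that is not part of the original thread and is not Santuario's own code. It uses plain JCE calls as a stand-in for the XML Encryption processing; the class name, the in-memory key pair and the sample payload are assumptions made for illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;

// Hypothetical demo class: plain JCE, no Santuario API involved.
public class HybridEncryptionDemo {
    public static void main(String[] args) throws Exception {
        // Recipient's asymmetric key pair. Generated in memory here; in the thread
        // it would live in a keystore created with "keytool -genkeypair".
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair recipient = kpg.generateKeyPair();

        // Sender: one-time 256-bit AES session key. JDKs before 8u161 need the
        // unlimited-strength policy files for key sizes above 128 bits.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey sessionKey = kg.generateKey();

        // Sender: encrypt the payload with AES-256 in CBC mode under a fresh IV.
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        Cipher aes = Cipher.getInstance("AES/CBC/PKCS5Padding");
        aes.init(Cipher.ENCRYPT_MODE, sessionKey, new IvParameterSpec(iv));
        byte[] payload = "<secret>constructed sample payload</secret>"
                .getBytes(StandardCharsets.UTF_8);
        byte[] cipherText = aes.doFinal(payload);

        // Sender: wrap the session key using only the recipient's PUBLIC key.
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-1AndMGF1Padding");
        rsa.init(Cipher.WRAP_MODE, recipient.getPublic());
        byte[] wrappedKey = rsa.wrap(sessionKey);

        // Recipient: unwrap with the PRIVATE key, then decrypt the payload.
        rsa.init(Cipher.UNWRAP_MODE, recipient.getPrivate());
        Key recovered = rsa.unwrap(wrappedKey, "AES", Cipher.SECRET_KEY);
        aes.init(Cipher.DECRYPT_MODE, recovered, new IvParameterSpec(iv));
        String plain = new String(aes.doFinal(cipherText), StandardCharsets.UTF_8);

        System.out.println("wrapped session key length: " + wrappedKey.length);
        System.out.println("recovered payload: " + plain);
    }
}
```

CBC mode gives confidentiality only, so the ciphertext needs separate integrity protection (for example an XML Signature) if tampering is a concern.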