Encryption / Decryption
I noticed that The JANOS runtime library for applications did not support a means of data encryption and decryption. It isn’t a problem to expose a cipher algorithm for use by applications. I have added the Security.rc4cipher()
method for this purpose. I know that RC4 has been rumored to have been broken. For our purposes it remains plenty secure.
Here’s a test program. This requires JANOS v1.6.3-rc4 or later.
package jtest;
import com.integpg.system.Security;
public class Main {
public static void main(String[] args) throws Exception {
// source text and cipher key
String text = "Best thing since sliced bread.";
byte[] key = "Piece of cake".getBytes();
// encrypt
byte[] coded = Security.rc4cipher(text.getBytes(), text.length(), key);
// encrypted content
for (int n = 0; n < coded.length; n++) {
System.out.printf(" %02x", coded[n] & 0xff);
if (n % 16 == 15 || n == coded.length - 1)
System.out.println("");
}
// decrypt
byte[] result = Security.rc4cipher(coded, coded.length, key);
// received message
String msg = new String(result);
System.out.println(msg);
}
}
This program outputs the following when run.
bruce_dev /> jtest ae 87 ae 84 bc 3e c2 b6 92 0f 25 c0 30 42 03 ef 96 39 c5 cd b3 99 6f aa 36 ba c8 58 5b fd Best thing since sliced bread. bruce_dev />
To be honest I have not confirmed that the encoded string is in fact RC4. But JANOS uses the underlying cipher in many places and it has proven to be accurate there.
Remember PGP? I think that stood for (or stands for) Pretty Good Privacy. This basically was an simple approach to encrypting data for transfer through the email system. It used the RSA Private/Public Key technology. Well JANOS does RSA as part of my SSL/TLSv1.2 implementation. Why shouldn’t I expose that for use by applications. You may need to securely pass information.
Hypothetically the JNIOR could be monitoring doors and conveyors collecting numbers that might be directly related to sales or something that you might consider to be proprietary and quite sensitive. Each day you would like to forward the results to an email account. While the email transfer from the JNIOR is done over a secure connection the data is not stored at the other end in any encrypted format. Nor are you sure that the data is then transferred over any remaining connections securely.
The solution is to encrypt the data at the source and later decrypt. Well you can do that now with RC4 provided that you keep the key private. The same key is used to encrypt and then at the other location to decrypt. It is a risk.
Here the RSA key pair comes to the rescue. So I have exposed it in JANOS v1.6.3. Basically you can encrypt using a public key data which can only be decrypted by the corresponding private key some time later.
So you can use OpenSSL to generate an RSA key pair. Use a 1024-bit key as anything larger will tax the JNIOR a little too much. From that you can export the RSA Public Key in PEM format. It will look like this.
-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEwEHsRkk592MEFyZXvvfsDkaF u169uXwKugo2J7JMh8fkruiKe7B2tbuA143JSYeI0o4mpqWwd06CbjDG2gVEMgbf 5SK7quMdflJ5mW7t3ZPQZdMdryttPq3C4pzTfuH6/MGMzaNdobXSOQ7+SkH7goRd sUYx6flLXn1KnQjPCQIDAQAB -----END PUBLIC KEY-----
I will show you how you can use this PEM formatted Public Key to encrypt data for transfer. Later you can use the corresponding Private Key that you have kept secret and sequestered to access the data.
The following program uses new extensions to the com.integpg.system.Security
class.
Here we are demonstrating encryption using our internal Public Key and then successful decryption using the internal Private Key.
package jtest;
import com.integpg.system.Debug;
import com.integpg.system.Security;
public class Main {
public static void main(String[] args) throws Exception {
String msg = "The quick brown fox jumped over the lazy dog.";
System.out.println(msg);
byte[] data = Security.encrypt(msg.getBytes(), msg.length(), Security.PUBKEY);
System.out.println("encrypted: ");
Debug.dump(data);
byte[] result = Security.decrypt(data, data.length, Security.PRIVKEY);
System.out.println("decrypted: ");
Debug.dump(result);
}
}
bruce_dev /> jtest The quick brown fox jumped over the lazy dog. encrypted: 17 66 0a 66 d8 aa 67 7c-a6 41 81 69 b1 c9 d2 82 .f.f..g| .A.i.... ab a6 9d ef fd 31 7b 67-2a 3a 23 82 05 55 3d dd .....1{g *:#..U=. 8a 33 36 2d 5c 61 ae 25-39 b6 40 28 5f 1f de d2 .36-\a.% 9.@(_... 77 b4 47 9d 53 6c ee 7a-4b e2 29 8c e0 79 06 9f w.G.Sl.z K.)..y.. 30 3c 2e 6e d0 41 cf 40-a2 2b e5 bd 03 dd d4 b4 0<.n.A.@ .+...... a2 b4 d1 8b 33 31 f1 2e-84 e0 8d 01 b0 4d 7b 54 ....31.. .....M{T 65 61 56 44 ee f4 45 fb-4a 39 96 c1 c9 0e 2a 2a eaVD..E. J9....** 3d 2b a6 71 a8 89 91 c0-cf 80 0b 3d e3 dc dc 8e =+.q.... ...=.... decrypted: 54 68 65 20 71 75 69 63-6b 20 62 72 6f 77 6e 20 The.quic k.brown. 66 6f 78 20 6a 75 6d 70-65 64 20 6f 76 65 72 20 fox.jump ed.over. 74 68 65 20 6c 61 7a 79-20 64 6f 67 2e the.lazy .dog. bruce_dev />
By the way the dump()
method in the com.integpg.system.Debug
is also new. I got tired of coding a dump so it will be available now.
I will show you how to use an external Public Key for encryption next.
To show you how to encrypt using a supplied Public Key I will extract the internal public key and apply it as you would one obtained from a file let’s say. The following program uses a method in the class that supplies the Public Key.
package jtest;
import com.integpg.system.Debug;
import com.integpg.system.Security;
public class Main {
public static void main(String[] args) throws Exception {
// Let's see the Public Key
byte[] pubkey = Security.pubkey();
System.out.println(new String(pubkey));
String msg = "The quick brown fox jumped over the lazy dog.";
System.out.println(msg);
byte[] data = Security.encrypt(msg.getBytes(), msg.length(), pubkey, 0);
System.out.println("encrypted: ");
Debug.dump(data);
byte[] result = Security.decrypt(data, data.length, Security.PRIVKEY);
System.out.println("decrypted: ");
Debug.dump(result);
}
}
bruce_dev /> jtest -----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEwEHsRkk592MEFyZXvvfsDkaF u169uXwKugo2J7JMh8fkruiKe7B2tbuA143JSYeI0o4mpqWwd06CbjDG2gVEMgbf 5SK7quMdflJ5mW7t3ZPQZdMdryttPq3C4pzTfuH6/MGMzaNdobXSOQ7+SkH7goRd sUYx6flLXn1KnQjPCQIDAQAB -----END PUBLIC KEY----- The quick brown fox jumped over the lazy dog. encrypted: a8 35 44 4a 15 4e 1f fe-b4 30 c3 e6 51 38 90 be .5DJ.N.. .0..Q8.. e4 4f 7c 5d fb e6 38 16-63 f1 93 ba a5 3f 24 00 .O|]..8. c....?$. eb 46 5d 27 25 f1 5a b1-bf 0e 46 f9 5b 1b e9 13 .F]'%.Z. ..F.[... ac 6c 77 db bd 1e 22 be-b5 32 6b 5c cc 0b 46 d7 .lw...". .2k\..F. 3f 1b 30 4c 61 03 eb 2f-dd 84 54 d5 35 86 32 56 ?.0La../ ..T.5.2V 16 56 7c 41 a3 ef 2f 70-2d 67 3f a5 97 fb 60 c2 .V|A../p -g?...`. df 61 5f 5a 76 90 56 db-21 66 6f f3 00 af aa a8 .a_Zv.V. !fo..... 71 a2 a1 2e 31 7d 82 ab-34 e2 cc 3b 52 64 32 09 q...1}.. 4..;Rd2. decrypted: 54 68 65 20 71 75 69 63-6b 20 62 72 6f 77 6e 20 The.quic k.brown. 66 6f 78 20 6a 75 6d 70-65 64 20 6f 76 65 72 20 fox.jump ed.over. 74 68 65 20 6c 61 7a 79-20 64 6f 67 2e the.lazy .dog. bruce_dev />
You can export the JNIOR’s Public Key now using the CERTMGR command.
bruce_dev /> help certmgr CERTMGR -V Verify installed keys and certificate -C [file] Regenerate Certificate [Install file] -S file Verify signature on certificate -K file Install RSA Key Pair -D [file] Decode and dump certificate [file] -E file Export certificate to file -P file Export public key to file -B Export in binary -G [len] Generate key pair [bit length] -R Restore default credentials SSL Certificate Management. bruce_dev />
Here I will export the public key to a file. I’ll show you what is in the file and I’ll use CERTMGR to dump the encoded ASN.1 format for the key.
bruce_dev /> certmgr -p mykey.pub bruce_dev /> cat mykey.pub -----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEwEHsRkk592MEFyZXvvfsDkaF u169uXwKugo2J7JMh8fkruiKe7B2tbuA143JSYeI0o4mpqWwd06CbjDG2gVEMgbf 5SK7quMdflJ5mW7t3ZPQZdMdryttPq3C4pzTfuH6/MGMzaNdobXSOQ7+SkH7goRd sUYx6flLXn1KnQjPCQIDAQAB -----END PUBLIC KEY----- bruce_dev /> certmgr -d mykey.pub 0000 30 81 9F SEQUENCE { (159 bytes) 0003 30 0D | SEQUENCE { (13 bytes) 0005 06 09 | | OBJECT IDENTIFIER 1.2.840.113549.1.1.1 0010 05 00 | | NULL | } 0012 03 81 8D | BITSTRING[140] Encapsulates { 0000 30 81 89 | | SEQUENCE { (137 bytes) 0003 02 81 81 | | | INTEGER | | | C4C041EC464939F76304172657BEF7EC0E4685BB5EBDB97C | | | 0ABA0A3627B24C87C7E4AEE88A7BB076B5BB80D78DC94987 | | | 88D28E26A6A5B0774E826E30C6DA05443206DFE522BBAAE3 | | | 1D7E5279996EEDDD93D065D31DAF2B6D3EADC2E29CD37EE1 | | | FAFCC18CCDA35DA1B5D2390EFE4A41FB82845DB14631E9F9 | | | 4B5E7D4A9D08CF09 0087 02 03 | | | INTEGER 010001 | | } | } } bruce_dev />
You might see now that you can take mykey.pub
and send it to another JNIOR that can load it as the pubkey for encryption as demonstrated.
NO. THERE IS NO WAY TO EXPORT THE JNIOR’S PRIVATE KEY.
And, the encryption and decryption does not support use of a private key PEM format.
Why limit key size to 1024-bits on the JNIOR?
A 1024-bit Private Key operation (encrypting a single block of 128 bytes) on the JNIOR take about 3.4 seconds. The same operation using a 2048-bit key takes almost 26 seconds. That will cause browsers to timeout when trying to use HTTPS among other things.
A 2048-bit key can be installed on the JNIOR. You need a 2048-bit key pair which you can generated with OpenSSL.
OpenSSL> genpkey -out private.pem -des3 -algorithm rsa rsa_keygen_bits:2048 .................++++++ ....................++++++ Enter PEM pass phrase: Verifying - Enter PEM pass phrase: OpenSSL> genpkey -out private.pem -des3 -algorithm rsa -pkeyopt rsa_keygen_bits: 2048 ................................................................................ ..............................................................................++ + ................................+++ Enter PEM pass phrase: Verifying - Enter PEM pass phrase: OpenSSL>
Move the resulting private.pem file onto the JNIOR and run the CERTMGR -K command to load it.
bruce_dev /> certmgr -k private.pem Passphrase: ***** keys installed bruce_dev />
Now let’s validate that it works.
bruce_dev /> certmgr -v 2048-bit key pair verifies private key operation requires about 25.7 seconds certificate verifies certificate not valid with current keys bruce_dev />
Oh, and we can update the certificate. That would likely happen automatically at some point but we can force it.
bruce_dev /> certmgr -c certificate updated bruce_dev /> certmgr -v 2048-bit key pair verifies private key operation requires about 25.7 seconds certificate verifies bruce_dev />
Let’s run the program mentioned earlier to see if it succeeds.
bruce_dev /> jtest -----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArvnTH4JvTzzVW76iFOKf akQ2EqbXVhEEoDZ0d1x2Q/8R8jvwZAdvvlcV63ixvTBSR+xInCfVAsjQDzeOVQq/ kKsQm7VNeqTHAZ4TobKYpcG2N3n4PGQRhT1H0bwqfopEWg/iqauCejKX6ivInZC6 kPD1rkCbr6HRSgnKKNbnmIL37nrx3XlhkrHeOV1/jEBGTFm1KIpNmVkaN83PuZSk Xj2RJ9TGTdVwtrSNVe+VnQ4s+66BlPZrXBfi4P8lSyNd4J0eIVujfXor3Kxz2TAD zmgyMylyJuHO/Ss/3PdGwnXIx7fbNKEK4OnMwRdz0DtvSMcJE6NhBiimD/Jm2F0H awIDAQAB -----END PUBLIC KEY----- The quick brown fox jumped over the lazy dog. encrypted: 41 2b 02 92 30 d5 50 7c-92 b6 95 eb 8c 8d f4 76 A+..0.P| .......v f1 22 0a c5 63 48 f7 1b-af 85 47 4e 1d b2 0d bc ."..cH.. ..GN.... 5b 6a f9 6d c7 1a c5 90-69 f9 28 4c 93 e1 8c 2e [j.m.... i.(L.... 3f 5b 95 26 9d c4 ae 15-15 84 74 1e c4 a5 21 29 ?[.&.... ..t...!) e2 e0 c8 f7 f0 3e 99 aa-ed a9 36 ab 18 4f f8 ca .....>.. ..6..O.. cc 23 b3 57 d2 5c d6 6f-fa 83 2b 44 82 a5 ab ef .#.W.\.o ..+D.... c7 44 98 14 6d 8e 58 a2-05 b9 e0 9c 87 fc 52 22 .D..m.X. ......R" ee 46 38 2e 32 4e 4d c1-92 cd fc 3d 80 1c 81 19 .F8.2NM. ...=.... 1b 95 56 93 ff 4a 06 e0-9e c2 30 0c 83 ee 01 08 ..V..J.. ..0..... 8f 98 d7 f3 50 b5 2b 80-0c 9b 23 8b 45 df 56 85 ....P.+. ..#.E.V. 60 06 30 e3 35 a1 3c 82-19 57 b6 7e cf a2 02 e4 `.0.5.<. .W.~.... 55 3f b4 3c a8 39 77 79-0f f0 d6 aa da 1d b4 73 U?.<.9wy .......s 7e ef 13 54 a8 d7 b0 a1-d2 67 0a 66 08 b9 81 13 ~..T.... .g.f.... 11 17 c2 d4 be 98 b5 fe-50 34 49 ab da cf 75 d7 ........ P4I...u. c1 b5 18 4e 32 27 2f e4-81 35 51 4a 62 42 6e a1 ...N2'/. .5QJbBn. 47 67 e5 e4 c4 2c 70 c2-9b ea d8 09 5a 52 fd cb Gg...,p. ....ZR.. decrypted: 54 68 65 20 71 75 69 63-6b 20 62 72 6f 77 6e 20 The.quic k.brown. 66 6f 78 20 6a 75 6d 70-65 64 20 6f 76 65 72 20 fox.jump ed.over. 74 68 65 20 6c 61 7a 79-20 64 6f 67 2e the.lazy .dog. bruce_dev />
If you are *REAL* patient the 2048-bit key works with SSL/TLS.
This took a couple of minutes to come up and the browser did once tell me that the site was taking too long to respond. This was with Chrome.
The bottom line is that a 1024-bit key is really secure enough for controller device like the JNIOR.