One Article Review

Source Veracode
Identifier 2103301
Publication date 2020-11-16 15:40:54 (seen: 2020-12-15 21:05:42)
Title Java Crypto Catchup
Text In 2017, we started a blog series talking about how to securely implement a crypto-system in Java. How to Get Started Using Java Cryptography Securely touches upon the basics of Java crypto, followed by posts around various crypto primitives: Cryptographically Secure Pseudo-Random Number Generator (CSPRNG), Encryption/Decryption, and Message Digests. We also released a Java Crypto Module for easier dockerization of injectable modules exposing crypto services via an API.

The last time we spoke about this, we were in the Java 8 world. In just 3.5 years we have 7 new Java versions released! Let's revive this series by first catching up, in this post, on the latest and greatest happenings in the wider cryptographic community and how they map to newer Java versions. In the following posts, we will be talking about how to securely write some of the more commonly used cryptographic schemes.

Special thanks to my awesome coworkers Jess Garrett and Andrew Shelton for contributing important sections in this post.

TL;DR

Generic to entire Java Cryptography Architecture (JCA)

Looking at what we discussed in the How to Get Started Using Java Cryptography Securely post, the central theme of the Java Cryptography Architecture (JCA)[11], defining abstract engine classes for different cryptographic services and having independent implementations through different providers, hasn't changed. Highlighting the most notable changes in JCA:

1. Probably the best enhancement for lazy people like me would be that we no longer need to include the Unlimited strength jurisdiction file. Unlimited strength in algorithms (for example, using 256-bit key sizes for symmetric algorithms) comes out of the box. It is enabled by default in the java.security file, with the property crypto.policy=unlimited.
2. The security configuration file (java.security) will now be found under the $JAVA_HOME/Contents/Home/conf/security/ folder.
3. Third party provider jar files are now treated as libraries rather than extensions. Thus, like any other library jar files, provider jar files will be placed on $CLASSPATH, and not as extensions under the $JAVA_HOME/Contents/Home/jre/lib/ext folder.

Secure Random

As we discussed in the CSPRNG post, Java already provides algorithms (*PRNG) to safely generate a CSPRNG. To add support for the NIST specified[13] algorithms, Java provides a new algorithm named DRBG.

Why Should You Use DRBG?

The primary reason to use DRBG is that it is government standardized. Also, the DRBG algorithm specification provides more granular configurations of how the underlying algorithm should work. It still sources entropy from the underlying operating system, in case you were wondering.

HowTo: Design and Code It

Some of the extra algorithm-specific configurations and our recommendations are:

DRBG mechanism: The underlying mechanism being used should be either Hash or HMAC. Defaults to Hash_SHA256, which is perfectly safe.
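
A way to confirm the two settings described above on a given JDK, the unlimited crypto policy and the DRBG mechanism, as an added example that is not code from the Veracode post. The class name DrbgCheck, the personalization string and the RESEED_ONLY capability are choices made for this illustration; it needs Java 9 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.DrbgParameters;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.Security;
import javax.crypto.Cipher;

// Illustrative class, not part of the original article.
public class DrbgCheck {
    public static void main(String[] args) throws NoSuchAlgorithmException {
        // 1. Crypto policy: under the unlimited policy the AES limit is
        //    Integer.MAX_VALUE; under the limited policy it is 128 bits.
        int maxAesBits = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("crypto.policy = " + Security.getProperty("crypto.policy"));
        System.out.println("max AES key bits = " + maxAesBits);
        if (maxAesBits < 256) {
            throw new IllegalStateException("limited crypto policy: AES-256 unavailable");
        }

        // 2. DRBG mechanism: selected by the securerandom.drbg.config security
        //    property in java.security, not by DrbgParameters. Unset or empty
        //    means the default mechanism is used.
        String cfg = Security.getProperty("securerandom.drbg.config");
        System.out.println("securerandom.drbg.config = " + cfg);
        if (cfg != null && cfg.toUpperCase().contains("CTR_DRBG")) {
            throw new IllegalStateException("DRBG mechanism is CTR; expected Hash or HMAC");
        }

        // 3. Instantiate the DRBG with an explicit strength and a personalization
        //    string (a constructed, non-secret label for this application).
        byte[] personalization = "example-app-v1".getBytes(StandardCharsets.UTF_8);
        SecureRandom drbg = SecureRandom.getInstance("DRBG",
                DrbgParameters.instantiation(256,
                        DrbgParameters.Capability.RESEED_ONLY, personalization));

        // 4. Read back what the provider actually granted.
        DrbgParameters.Instantiation effective =
                (DrbgParameters.Instantiation) drbg.getParameters();
        System.out.println("provider   = " + drbg.getProvider().getName());
        System.out.println("strength   = " + effective.getStrength());
        System.out.println("capability = " + effective.getCapability());
        System.out.println("instance   = " + drbg); // provider's own description

        // 5. Use it like any other SecureRandom, e.g. 32 bytes of key material.
        byte[] key = new byte[32];
        drbg.nextBytes(key);
        System.out.println("generated " + key.length + " random bytes");
    }
}
```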
Sent Yes


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.