Trusting Your E-mail with Java Security

By Theodore J. Shrader
2003-12-04


Signing messages with Java technologies

The basic security objects, which include keys and certificates, and signing algorithms that we've described are included as part of the Java Cryptography Architecture (JCA). Objects and algorithms that deal with general-purpose encryption are part of the Java Cryptography Environment (JCE). The JCA is available with all Java Runtime Environments (JREs), while the distribution of the JCE is governed by export controls. (The restrictions on distributing the JCE are changing with JCE 1.2.1.)

In the following example, we show how to use the JCA to create a public and private key pair, to sign data, and to verify a signature. The public and private key pair is created at the same time using a KeyPairGenerator. We need to specify an algorithm type, as well as a key size. Remember that the larger the key size, the greater the security, yet the slower the performance. As you will find when you examine the certificates associated with many e-business sites, a public key algorithm type of RSA and a key size of 1024 represent a happy medium with today's computing resources. Next, we get a Signature object, specify the signature algorithm as SHA1withRSA, prime the algorithm with the private key, and sign the message data.

On the verification side, we get a Signature object as before, but this time we prime it with the public key and the original data. Calling the verify method with the signature bytes as its parameter returns whether or not the signature is valid. From that result we can determine whether the message data originated from the entity represented by the public key and whether the contents of the message data were altered in transit. Unlike the verification step, the signing step does not use the public key. If it did, verification would require the private key, which only the sender holds, and the recipient would be unable to verify the signature.
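The sign-then-verify flow described above, written out as an added example (this is not the article's own JCA listing). It keeps the page's RSA signature scheme but uses SHA256withRSA and a 2048-bit key rather than the 2003-era SHA1withRSA and 1024 bits, and it also shows the two failure cases a recipient relies on: a message altered in transit and a signature checked against the wrong public key. The message text is a constructed sample.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.X509EncodedKeySpec;

public class JcaSignDemo {

    // Sender side: prime the Signature with the private key and sign the message bytes.
    static byte[] sign(PrivateKey privateKey, byte[] data) throws Exception {
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(privateKey);
        signer.update(data);
        return signer.sign();
    }

    // Recipient side: prime the Signature with the public key and the original data,
    // then hand it the received signature bytes.
    static boolean verify(PublicKey publicKey, byte[] data, byte[] signature) throws Exception {
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(publicKey);
        verifier.update(data);
        return verifier.verify(signature);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample message standing in for an e-mail body.
        byte[] message = "Transfer 100 credits to account 42".getBytes(StandardCharsets.UTF_8);

        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair pair = kpg.generateKeyPair();
        byte[] sig = sign(pair.getPrivate(), message);

        // The recipient usually gets the public key in encoded form (from a certificate or
        // an X.509 SubjectPublicKeyInfo blob); rebuild a PublicKey from that encoding.
        PublicKey received = KeyFactory.getInstance("RSA")
                .generatePublic(new X509EncodedKeySpec(pair.getPublic().getEncoded()));
        System.out.println("untouched message verifies: " + verify(received, message, sig));

        // Flip one bit of the message "in transit": the signature no longer matches.
        byte[] tampered = message.clone();
        tampered[9] ^= 0x01;
        System.out.println("tampered message verifies:  " + verify(received, tampered, sig));

        // A signature checked against some other party's public key also fails.
        KeyPair other = kpg.generateKeyPair();
        System.out.println("wrong public key verifies:  " + verify(other.getPublic(), message, sig));
    }
}
```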

The JCA signing example shows the signing and verification steps in one program. Typically, these actions would take place in different applications, since the sender and recipient are likely not to be the same entity. Also, the recipient typically will have the signer's certificate, not the raw public key. Thus, the recipient would need to extract the public key from the certificate, such as with the following Java statement:

PublicKey publicKey = cert.getPublicKey();




First published by IBM DeveloperWorks

