Java Cryptography Research Articles

Time to separate from StackOverflow and match with ChatGPT for encryption

Cryptography is known as a challenging topic for developers. We studied StackOverflow posts to identify the problems that developers encounter when using Java Cryptography Architecture (JCA) for symmetric encryption. We investigated security risks that are disseminated in these posts, and we examined whether ChatGPT helps avoid cryptography issues. We found that developers frequently struggle with key and IV generations, as well as padding. Security is a top concern among developers, but security issues are pervasive in code snippets. ChatGPT can effectively aid developers when they engage with it properly. Nevertheless, it does not substitute human expertise, and developers should remain alert.

CrySL: An Extensible Approach to Validating the Correct Usage of Cryptographic APIs

Various studies have empirically shown that the majority of Java and Android applications misuse cryptographic libraries, causing devastating breaches of data security. It is crucial to detect such misuses early in the development process. To detect cryptography misuses, one must <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">define</i> secure uses first, a process mastered primarily by cryptography experts but not by developers. In this paper, we present <sc xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">CrySL</small> , a specification language for bridging the cognitive gap between cryptography experts and developers. <sc xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">CrySL</small> enables cryptography experts to specify the secure usage of the cryptographic libraries they provide. We have implemented a compiler that translates such <sc xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">CrySL</small> specification into a context-sensitive and flow-sensitive demand-driven static analysis. The analysis then helps developers by automatically checking a given Java or Android app for compliance with the <sc xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">CrySL</small> -encoded rules. We have designed an extensive <sc xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">CrySL</small> rule set for the Java Cryptography Architecture (JCA), and empirically evaluated it by analyzing 10,000 current Android apps and all 204,788 current Java software artefacts on Maven Central. Our results show that misuse of cryptographic APIs is still widespread, with 95 percent of apps and 63 percent of Maven artefacts containing at least one misuse. Our easily extensible <sc xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">CrySL</small> rule set covers more violations than previous special-purpose tools that contain hard-coded rules, while still offering a more precise analysis.

Preventing Counterfeit Products using Cryptography, QR Code and Webservice

Counterfeit production is a threat for every genuine business causing damage to their brand image and stealing their revenues. The aim of this paper is topresenta novel method to prevent counterfeit products using cryptography, QR code and webservice. The method requires that every original product manufacturer obtain a cryptographic key pair, securely store their private key and publish their public key on their website as a QR code. The product manufacturer needs to print a unique item code on their product packs and provide inside the pack a QR code encoding the ciphertext generated by encrypting the item code with their private key. For product verification by buyers, the manufacture is required to provide a QR code scanning app for download on their website, Google Play Store or iPhone App Store. The scanning app should have additional cryptographic functionality to decrypt ciphertext of the item code encoded in the QR code. The manufacturer also needs to launch a simple webservice on his hosting server to accept requests from the mobile app and verify the item code and buyer’s name in its database. Technicalimplementation and the verification process are described in detail through figures and flowchart. The method can be implemented even by small manufacturers with nominal cost by obtaining a key pair and creating a scanning app and webservices. We have also tested the method with an actual software code written for cryptographic operations using the Java cryptography Extension and QR code operations using Google Zxing libraries.

PREVENTING COUNTERFEIT PRODUCTS USING CRYPTOGRAPHY, QR CODE AND WEBSERVICE

Counterfeit production is a threat for every genuine business causing damage to their brand image and stealing their revenues. The aim of this paper is topresenta novel method to prevent counterfeit products using cryptography, QR code and webservice. The method requires that every original product manufacturer obtain a cryptographic key pair, securely store their private key and publish their public key on their website as a QR code. The product manufacturer needs to print a unique item code on their product packs and provide inside the pack a QR code encoding the ciphertext generated by encrypting the item code with their private key. For product verification by buyers, the manufacture is required to provide a QR code scanning app for download on their website, Google Play Store or iPhone App Store. The scanning app should have additional cryptographic functionality to decrypt ciphertext of the item code encoded in the QR code.The manufacturer also needs to launch a simple webservice on his hosting server to accept requests from the mobile app and verify the item code and buyer’s name in its database. Technicalimplementation and the verification process are described in detail through figures and flowchart. The method can be implemented even by small manufacturers with nominal cost by obtaining a key pair and creating a scanning app and webservices. We have also tested the method with an actual software code written for cryptographic operations using the Java Cryptography Extension and QR code operations using Google Zxing libraries.

Security Tools for Internet of Things: A Review

In today’s communications, the main challenging facet is Security of LTE systems in terms of various areas such as mutual authentication, key management, forward and backward secrecy, use of efficient security tools, etc. For proper key management, the generation and distribution of random keys is of main concern which can be done with the help of dynamic security tools. In this paper, main features of security tools like, Docker, Java Cryptography Architecture (JCA), Token-based authentication have been reviewed. Docker provides containerized environment based on application virtualization and also lighter than virtual machines. To define cryptographic concepts and algorithms, JCA cites design patterns and an extensible framework for Java platform. Token-based authentication method or system is used to provide secure user access to server using a token, like smart cards.

An Empirical Study to Compare the Performance of some Symmetric and Asymmetric Ciphers

In this paper we present empirical results obtained from Java implementation of Elliptic curve Cryptosystem (ECC) as an asymmetric block cipher algorithm and a set of symmetric block cipher algorithms namely Triple-Data Encryption Standard (T-DES), Advanced Encryption Standard (AES), and Blowfish. Performance evaluation based on CPU execution time is presented under WinXP and Linux. We used in our implementation Java programming language, Java Cryptography Architecture (JCA) and Java Cryptography Extension (JCE). The evaluation of the performance of these algorithms is done for secret key generation and encryption and decryption operations. Results indicated that ECC outperforms the other encryption/decryption algorithms considered in this study regarding the security strength, speed, and key size of ECC. Also, ECC’s performance advantage increases as security needs increases for newly emerging applications.

Comparison of performance of Web services, WS-Security, RMI, and RMI–SSL

This article analyses two most commonly used distributed models in Java: Web services and RMI (Remote Method Invocation). The paper focuses on regular (unsecured) as well as on secured variants, WS-Security and RMI–SSL. The most important functional differences are identified and the performance on two operating systems (Windows and Linux) is compared. Sources of performance differences related to the architecture and implementation are identified. The overheads related to the usage of security and the influences of JCE (Java Cryptography Extension) security providers on the performance of secured remote invocations are identified. Finally, the impact of distributed models on design and implementation of distributed applications is identified and guidelines for improving distributed application performance in design and implementation stage are provided. The paper contributes to the understanding of functional and performance related differences between Web services and RMI and their secure variants, WS-Security and RMI–SSL.

The Claim Tool Kit for ad hoc recognition of peer entities

In ubiquitous/pervasive computing environments, it is envisaged that computing elements—entities—will start interacting in an ad hoc fashion. The peer-to-peer (p2p) paradigm is appealing for such types of interaction especially with JXTA, which supports the development of reusable p2p building blocks, which facilitate implementation on any smart device. However, the inability to rely on a centralised authentication infrastructure, the openness of the environment and the absence of an administrator (it is assumed to be too expensive to have a skilled administrator at hand due to the large number of peers) challenge the use of legacy authentication mechanisms. Supporting spontaneous interactions among previously unknown entities requires dynamic enrolment of strangers and unknown entities. Entity recognition (ER) is a process that is carried out each time an interaction happens between entities in order to dynamically recognise previously met entities. In this paper, we present the Claim Tool Kit (CTK), a Java-based implementation of ER: entities exchange messages, called Claims, and rely on their associated clues to evaluate the level of confidence in recognition. The CTK employs advanced features available with Java, such as JXTA and Java Cryptography and Security Architectures. We show that the CTK needs performance results on these features in order to increase the level of auto-configuration of the CTK. We describe how to obtain performance assessment for some of these new features. Finally, we explain how the CTK can be instrumented to take into account performance assessment. By analysing the evaluation results, the applicability of these advanced Java-based technologies for peer entity recognition is assessed.

Secure Network Management Within an Open-Source Mobile Agent Framework

Mobile agents (MAs) have been proposed for decentralized network management. This paper explains how Aglets, a Java open-source MA framework, not a proprietary system, can be used for security-enhanced network management, complementing the security of the Simple Network Management Protocol (SNMP) version 3. The solution prototyped is a hybrid environment where network management applications use MAs that interact locally with SNMP agents via the SNMP protocol. The implemented class libraries extend the security infrastructure of Aglets, by incorporating cryptographic functions through the Java Cryptography Extension. The extension enables data fields to be encrypted, while code is to be digitally signed. Legacy SNMPv1 and v2 enabled devices, with elementary security, can also be upgraded through this approach, which can effectively avoid a range of attacks. Consideration has been given to auxiliary functionality such as responding to SNMP traps, key distribution, logging, and secure clock synchronization.

Evaluation of possibilities of java cryptography architecture and java mail libraries usage to encrypt e-mail messages

The following paper presents the possibilities of applying Java language to encrypt e-mail messages. The introduction includes a short outline about symmetric and asymmetric cryptography and how to build a safe electronic letter is discussed later. Finally, we would like to consider the possibility of implementing the discussed Java model of the safe message creation.

Performance study of some symmetric block cipher algorithms under Linux operating system

In this research work, implementation of three symmetric, block encryption algorithms namely: DES, Triple-DES and Blowfish under Linux platform is presented. A comparison is performed between these algorithms based on the CPU execution time. The performance of the three algorithms is evaluated in terms of the processing time required in the kernel and user space for generating the secret key, encryption and decryption operations. The powerful portable programming language Java and JCA (Java Cryptography Architecture) is used to implement the encryption algorithms. Results show that the Blowfish algorithm is the fastest, followed by the DES algorithm then the Triple-DES algorithm. From the results obtained, we propose to either embed a security module within the processor or to dedicate a special server to be responsible of providing cryptographic services for highly secured environments.

Inside Java&amp;#153 Platform Security: Architecture API Design and Implementation

Inside Java&amp;#153 Platform Security: Architecture API Design and Implementation

Java Cryptography

Java Cryptography

Review: Java Cryptography

Review: Java Cryptography