Newbie question about java security API

Sergio

Hello,
first of all forgive my ignorance about the subject and the likely
silliness of my questions.

I'd like to use the java security API to provide data integrity
features to a database (Oracle).
Basically, I want to store in a table a calculated checksum of the
content of the record's fields of another table whose data needs to be
protected.
I guess the procedure should be implemented like:
1) Build a string from the content of the data fields
2) Hash the string
3) Encrypt the hash
4) Store the result (i.e. the checksum) in the table containing the
signed records

To verify data integrity:
5) Go through steps 1..3 and compare the results with the content of
table with signed records.

This process needs to be implemented on the client application side
since it requires interaction with the user.

I thought I could use a private/public key model and I saw the
examples in the Java Security API docs.
Here are the questions:

A) KeyPairGenerator.getInstance(String digest_algorithm): what factor
should I look at to choose from the available digest algorithms: DSA
and RSA?

B) In the following piece of code:

SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
byte rand_bytes[] = new byte[20];
random.nextBytes(rand_bytes);

is the content of "rand_bytes" always the same for every newly created
SecureRandom object?
I mean:
create a SecureRandom object and get "XBDC5debc3" in rand_bytes.
Discard the object and create a new one: get again "XBDC5debc3" in
rand_bytes?
(BTW, this is what I get making some tests)


C) If the answer to above is yes, will the key pair generated by:

keyGen.initialize(1024, secure_random);
KeyPair pair = keyGen.generateKeyPair();

be always the same?

D) If the answer to above is yes, could I use this "constant" key
pair to both generate the checksum for protected records and verify
the data integrity in any different moment and database transaction?
The point is: can I avoid storing the key pair in the database after
they're first created if I always get the same values when
generateKeyPair is invoked?

E) And (final one, thanks for reaching here) if the answer to the
above is yes: how obfuscated can the key pair generation be made to
avoid anyone creating key pairs identical to mine and re-create the
checksum protecting my data after changing them?


Sorry for not being crystal-like and thanks a lot in advance for any
help.

Sergio
 
marques de sade

> Hello,
> first of all forgive my ignorance about the subject and the likely
> silliness of my questions.
>
> I'd like to use the java security API to provide data integrity
> features to a database (Oracle).
> Basically, I want to store in a table a calculated checksum of the
> content of the record's fields of another table whose data needs to be
> protected.
> I guess the procedure should be implemented like:
> 1) Build a string from the content of the data fields
> 2) Hash the string
> 3) Encrypt the hash
> 4) Store the result (i.e. the checksum) in the table containing the
> signed records
>
> To verify data integrity:
> 5) Go through steps 1..3 and compare the results with the content of
> table with signed records.
>
> This process needs to be implemented on the client application side
> since it requires interaction with the user.
>
> I thought I could use a private/public key model and I saw the
> examples in the Java Security API docs.
> Here are the questions:
>
> A) KeyPairGenerator.getInstance(String digest_algorithm): what factor
> should I look at to choose from the available digest algorithms: DSA
> and RSA?
>
> B) In the following piece of code:
>
> SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
> byte rand_bytes[] = new byte[20];
> random.nextBytes(rand_bytes);
>
> is the content of "rand_bytes" always the same for every newly created
> SecureRandom object?
> I mean:
> create a SecureRandom object and get "XBDC5debc3" in rand_bytes.
> Discard the object and create a new one: get again "XBDC5debc3" in
> rand_bytes?
> (BTW, this is what I get making some tests)

if that's what you get when you test it, then that's what it is...

> C) If the answer to above is yes, will the key pair generated by:
>
> keyGen.initialize(1024, secure_random);
> KeyPair pair = keyGen.generateKeyPair();
>
> be always the same?

test it and find out...

> D) If the answer to above is yes, could I use this "constant" key
> pair to both generate the checksum for protected records and verify
> the data integrity in any different moment and database transaction?
> The point is: can I avoid storing the key pair in the database after
> they're first created if I always get the same values when
> generateKeyPair is invoked?

that sounds right...

> E) And (final one, thanks for reaching here) if the answer to the
> above is yes: how obfuscated can the key pair generation be made to
> avoid anyone creating key pairs identical to mine and re-create the
> checksum protecting my data after changing them?

you can put a lock on a door but it doesn't stop someone from knocking down the whole door hinges
and all... there's no such thing as 100% security... ask microsoft...

> Sorry for not being crystal-like and thanks a lot in advance for any
> help.
>
> Sergio

don't mention it...

--

octinomos (http://www.nyx.net/~dlongori/strck.htm)

Hypothesis: Arafat's policy is to foment and sponsor suicide terrorism
in order to stage a political theater - a morality play - where the
Palestinians are presented as desperate and the Israelis as callously
oppressive or worse. --Francisco Gil-White (http://tenc.net/)
 
Sergio

> if that's what you get when you test it, then that's what it is...
>
> test it and find out...

Thank you soooo much for your help jesus!
But either you want to cheat me or you didn't get the points (I'm
somewhat inclined for the first chance...).

The "repeatability" of generated keys will bias my project
implementations since it means I can avoid storing the keys somewhere.
I simply invoke the generator and I can sign and verify signature of
my records.

Instead of "testing and finding out" I'm interested to know if this is a
side effect or if this is exactly how the java security API is expected
to work.
BTW, does this mean that the PRNG is re-seeded from the same value at
every object creation?

> you can put a lock on a door but it doesn't stop someone from
> knocking down the whole door hinges
> and all... there's no such thing as 100% security... ask
> microsoft..

Ok, ok...
I reformulate, your honor:
if simply using the piece of code derived from the Java Security API
docs I always get the same keys, then anyone will. That means that
anyone can re-create the checksums protecting my data. Even you
could, jesus.
So I guess I must pass parameters to the key generator (i.e. p, q and
g) casually chosen and "obfuscated" in my code.
Is it feasible to reverse engineer a java class to get such
information, I mean the p, q and g values I chose?

Thanks again
P.S.: you should mind your quoting style...

Bye
Sergio
 
marques de sade

> The "repeatability" of generated keys will bias my project
> implementations since it means I can avoid storing the keys somewhere.
> I simply invoke the generator and I can sign and verify signature of
> my records.

to tell you the truth, i have no idea what you're talking about.
i was just bored and since no one else was replying, i figured what the hell.
you might get better replies at comp.lang.java.security.

> Instead of "testing and finding out" I'm interested to know if this a
> side effect or this is exactly how the java security API is expected
> to work.

why don't you look it up in the API reference...

> P.S.: you should mind your quoting style...

what do you mean... what's wrong with my quoting style...

--

octinomos (http://www.nyx.net/~dlongori/strck.htm)

Hypothesis: Arafat's policy is to foment and sponsor suicide terrorism
in order to stage a political theater - a morality play - where the
Palestinians are presented as desperate and the Israelis as callously
oppressive or worse. --Francisco Gil-White (http://tenc.net/)
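
Added example (not part of any post in this thread, and not taken from the Java documentation): a small program for checking the questions raised above on a standard JDK, where the SUN provider's SHA1PRNG is assumed to be available. It compares unseeded and explicitly seeded `SHA1PRNG` output, then signs and verifies a record with a key pair that is generated once from a self-seeded `SecureRandom`. The class name, the field values and the seed string are constructed for illustration, and `SHA256withRSA` with a 2048-bit key is this example's choice rather than anything proposed in the thread.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;

public class RecordIntegrityDemo {

    // Join fields with a unit separator so ("ab","c") and ("a","bc") do not collide.
    static byte[] canonical(String... fields) {
        return String.join("\u001f", fields).getBytes(StandardCharsets.UTF_8);
    }

    static byte[] first20(byte[] seed) throws GeneralSecurityException {
        SecureRandom r = SecureRandom.getInstance("SHA1PRNG");
        if (seed != null) r.setSeed(seed);   // seeding before first use replaces self-seeding
        byte[] out = new byte[20];
        r.nextBytes(out);
        return out;
    }

    static byte[] sign(PrivateKey key, byte[] data) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA"); // hash + private-key operation
        s.initSign(key);
        s.update(data);
        return s.sign();
    }

    static boolean verify(PublicKey key, byte[] data, byte[] sig) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update(data);
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        // Unseeded: each instance self-seeds from system entropy on first use.
        System.out.println("unseeded equal: " + Arrays.equals(first20(null), first20(null)));
        // Fixed seed (constructed): the stream is reproducible by anyone who knows the seed.
        byte[] seed = "constructed-demo-seed".getBytes(StandardCharsets.UTF_8);
        System.out.println("seeded equal:   " + Arrays.equals(first20(seed), first20(seed)));

        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048, new SecureRandom());
        KeyPair pair = kpg.generateKeyPair();   // generate once, then persist the keys

        byte[] sig = sign(pair.getPrivate(), canonical("42", "Alice", "1000.00"));
        System.out.println("intact:   " + verify(pair.getPublic(), canonical("42", "Alice", "1000.00"), sig));
        System.out.println("tampered: " + verify(pair.getPublic(), canonical("42", "Alice", "9000.00"), sig));
    }
}
```

A key pair that can be regenerated from a value embedded in the client is available to anyone who can read the class file, so the integrity check then only protects against people without the client. Storing the generated private key in a `KeyStore` that only the signing party can read keeps verification (public key) separate from the ability to re-sign changed records.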
 
