SATSA-CRYPTO includes facilities to encrypt and decrypt messages using symmetric and asymmetric ciphers. In the vein of JCE the set of supported ciphers is not defined in the API but it is up to the platform to provide them using the concept of a Cryptographic Service Provider (CSP). However, unlike JCE, SATSA-CRYPTO doesn't support multiple CSPs; it uses only one as defined by the implementation. Therefore, it is relevant to check the platform's documentation and verify the set of supported algorithms and their operation modes.
The core class of SATSA-CRYPTO used for encryption and decryption is javax.crypto.Cipher.
This class contains a representation of a cipher that uses a specific algorithm
and operation mode. It includes methods to initialize and operate the cipher.
To obtain an instance of Cipher the getInstance method
has to be called passing a transformation string. This value indicates the
algorithm being used and optionally the feedback mode and padding scheme.
For example:
cipher = Cipher.getInstance("DES");cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
In the first case we are requesting a Cipher that
implements the Data Encryption Standard (DES) algorithm and in the second
line we want a Cipher that uses the Advanced Encryption
Standard (AES) algorithm using the Electronic Code Book (ECB) method and the
PKCS5 padding scheme. As already mentioned, it is important to get to know
the algorithms and operations modes available in the target device or emulator.
For instance, an SDK might support the following encryption algorithms:
Symmetric Encryption:
Algorithms: DES, 3DES/DESede, AES
Modes: ECB, CBC
Padding Schemes: No padding, PKCS5 padding
Asymmetric Encryption:
Algorithm: RSA
To properly encrypt or decrypt a text, it is necessary to supply an
appropriate key. Keys may come from, for example, user input in the form of
a password or it could be loaded from secure storage like a SIM card. Keys
are typically stored as a byte array and they need to be converted to a Key object
that is usable for a specific Cipher. For example the SecretKeySpec class
can be used to build a key from a byte array used for symmetric encryption
algorithms that need no parameters like DES or AES in ECB mode.
The SecretKeySpec class contains keys that can
be represented as a byte array and have no key parameters associated with
them, for example, DES or Triple DES keys. This Key object
is passed to the Cipher to prepare it using the init method.
This method also takes a parameter to decide whether the Cipher is
in encryption or decryption mode:
Key key = new SecretKeySpec(keyBits, 0, keyBits.length, "AES");cipher.init(Cipher.ENCRYPT_MODE, key);
With the Cipher initialized you can proceed to
feed data using the update and doFinal methods.
Both methods take as parameters an input and output byte array and operate
on them on encryption or decryption mode as follows:
cipher.doFinal(plaintext, 0, plaintext.length, cipherText, 0);Asymmetric encryption algorithms are also supported in SATSA-CRYPTO,
which includes facilities to decrypt and authenticate messages previously
encrypted using an asymmetric encryption algorithm. However, private keys
cannot be generated in the code and there is no generatePrivate method
in the SATSA-CRYPTO edition of the java.security.KeyFactory class
even though J2SE has one. Likewise, the APIs offer no direct handling of private
keys, but instead signatures and credentials are requested from safe storage
with the SATSA-PKI API.