views:

1009

answers:

2

Is there a way to generate a 128-bit key pair suitable for encryption using Sun's keytool program? It seems that the algorithms available in http://java.sun.com/javase/6/docs/technotes/guides/security/StandardNames.html#KeyPairGenerator are either not supported or do not allow keys shorter than 512 bits.

The key pair will be used with the ff. code snippet:

Security.addProvider(new BouncyCastleProvider());

KeyStore keyStore = KeyStore.getInstance("PKCS12");

FileInputStream keyStoreSource = new FileInputStream("keystore");

try {
    keyStore.load(keyStoreSource, "password".toCharArray());
} finally {
    keyStoreSource.close();
}

String alias = (String) keyStore.aliases().nextElement();
PrivateKey privateKey = (PrivateKey) keyStore.getKey(alias, "password".toCharArray());
X509Certificate certificate = (X509Certificate) keyStore.getCertificate(alias);

CMSEnvelopedDataStreamGenerator generator = new CMSEnvelopedDataStreamGenerator();

generator.addKeyTransRecipient(certificate);

OutputStream output2 = generator.open(output, CMSEnvelopedDataGenerator.AES128_CBC, BouncyCastleProvider.PROVIDER_NAME);

try {
    IOUtils.copy(input, output2);
} finally {
    output2.close();
    output.close();
}

where output is some OutputStream where the encrypted data will be saved and input is some InputStream where the plaintext data will be read.

A: 

It would make sense that shorter than 512-bit key pairs cannot be generated. Public Key cryptography needs a longer key than symmetric key cryptography to sustain the same level of security. A 128-bit key pair is not recommended for public key cryptography.

Sani Huttunen
I was looking to generate a test cert to use with AES-128. Am I going about it the wrong way then?
Chry Cheng
Could you explain in a bit more detail what you wish to accomplish?
Sani Huttunen
Updated question with code snippet where key pair generated will be used.
Chry Cheng
+1  A: 

Certificates are used for public key cryptography and do not contain encryption keys for the symmetric block cipher AES-128. Instead, public key cryptography is used only to encrypt or negotiate the 128-bit AES key and the rest of the conversation uses AES.

The 128-bit AES key is not a certificate, it's just 128 bits from a cryptographically strong random number generator or derived from a passphrase using a hashing algorithm such as PBKDF2. How you get these bits will depend on your application. SSL/TLS must negotiate a random key, but a hard disk encryption program would derive the key from a passphrase.

joeforker
Updated question with code snippet where key pair generated will be used. Hopefully, I have cleared up any confusion. But, yeah, I'm a crypto beginner. :P
Chry Cheng