-
Notifications
You must be signed in to change notification settings - Fork 1
/
specifications.html
876 lines (777 loc) · 35.1 KB
/
specifications.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
<html>
<head>
<title>Bouncy Castle Crypto Package</title>
</head>
<body bgcolor="#ffffff" text="#000000#">
<center>
<h1>Bouncy Castle Crypto Package</h1>
<font size=1>
<pre>
</pre>
</font>
</center>
<h2>1.0 Introduction</h2>
The Bouncy Castle Crypto package is a Java implementation of
cryptographic algorithms. The package is organised so that it
contains a light-weight API suitable for use in any environment
(including the newly released J2ME) with the additional infrastructure
to conform the algorithms to the JCE framework.
<p>
Except where otherwise stated, this software is distributed under a license
based on the MIT X
Consortium license. To view the license, see <a href="./LICENSE.html">here</a>.
The OpenPGP library also includes a modified BZIP2 library which
is licensed under the <a href="http://www.apache.org/licenses/">Apache Software License, Version 2.0</a>.
<p>
If you have the full package you will have six jar files, bcprov*.jar
which contains the BC provider, jce-*.jar which contains
the JCE provider, clean room API, and bcmail*.jar which contains the
mail API.
<p>
Note: if you are using JDK 1.0, you will just find a class hierarchy in
the classes directory.
<p>
To view examples, look at the test programs in the packages:
<ul>
<li><b>org.bouncycastle.crypto.test</b>
<li><b>org.bouncycastle.jce.provider.test</b>
</ul>
<p>
To verify the packages, run the following Java programs with the
appropriate classpath:
<ul>
<li><b>java org.bouncycastle.crypto.test.RegressionTest</b>
<li><b>java org.bouncycastle.jce.provider.test.RegressionTest</b>
</ul>
<h2>2.0 Patents</h2>
<p>
Some of the algorithms in the Bouncy Castle APIs are patented in some
places. It is upon the user of the library to be aware of what the
legal situation is in their own situation, however we have been asked
to specifically mention the patent below, in the following terms, at
the request of the patent holder. Algorithms that appear here are only
distributed in the -ext- versions of the provider.
<p>
The IDEA encryption algorithm is patented in the USA, Japan, and Europe
including at least Austria, France, Germany, Italy, Netherlands, Spain, Sweden,
Switzerland and the United Kingdom. Non-commercial use is free, however
any commercial products that make use of IDEA are liable for royalties.
Please see
<a href="http://www.mediacrypt.com">www.mediacrypt.com</a> for
further details.
<h2>3.0 Specifications</h2>
<ul>
<li> clean room implementation of the JCE API
<li> light-weight cryptographic API consisting of support for
<ul>
<li>BlockCipher
<li>BufferedBlockCipher
<li>AsymmetricBlockCipher
<li>BufferedAsymmetricBlockCipher
<li>StreamCipher
<li>BufferedStreamCipher
<li>KeyAgreement
<li>IESCipher
<li>Digest
<li>Mac
<li>PBE
<li>Signers
</ul>
<li> JCE compatible framework for a Bouncy Castle provider
</ul>
<h2>4.0 Light-weight API</h2>
<p>
This API has been specifically developed for those circumstances
where the rich API and integration requirements of the JCE are
not required.
<p>
However as a result, the light-weight API requires more effort
and understanding on the part of a developer to initialise and
utilise the algorithms.
<h3>4.1 Example</h3>
<p>To utilise the light-weight API in a program, the fundamentals
are as follows;
<pre>
<code>
/*
* This will use a supplied key, and encrypt the data
* This is the equivalent of DES/CBC/PKCS5Padding
*/
BlockCipher engine = new DESEngine();
BufferedBlockCipher cipher = new PaddedBlockCipher(new CBCCipher(engine));
byte[] key = keyString.getBytes();
byte[] input = inputString.getBytes();
cipher.init(true, new KeyParameter(key));
byte[] cipherText = new byte[cipher.getOutputSize(input.length)];
int outputLen = cipher.processBytes(input, 0, input.length, cipherText, 0);
try
{
cipher.doFinal(cipherText, outputLen);
}
catch (CryptoException ce)
{
System.err.println(ce);
System.exit(1);
}
</code>
</pre>
<h3>4.2 Algorithms</h3>
<p>The light-weight API has built in support for the following:
<h4>Symmetric (Block)</h4>
<p>
The base interface is <b>BlockCipher</b> and has the following
implementations which match the modes the block cipher can
be operated in.
<p>
<table cellpadding=5 cellspacing=0 border=1 width=80%>
<tr><th>Name</th><th>Constructor</th><th>Notes</th></tr>
<tr><td><b>BufferedBlockCipher</b></td><td>BlockCipher</td><td> </td></tr>
<tr><td><b>CBCBlockCipher</b></td><td>BlockCipher</td><td> </td></tr>
<tr><td><b>CFBBlockCipher</b></td><td>BlockCipher, block size (in bits)</td><td> </td></tr>
<tr><td><b>CCMBlockCipher</b></td><td>BlockCipher</td><td>Packet mode - requires all data up front.</td></tr>
<tr><td><b>GCMBlockCipher</b></td><td>BlockCipher</td><td>Packet mode - NIST SP 800-38D.</td></tr>
<tr><td><b>EAXBlockCipher</b></td><td>BlockCipher</td><td> </td></tr>
<tr><td><b>OFBBlockCipher</b></td><td>BlockCipher, block size (in bits)</td><td> </td></tr>
<tr><td><b>SICBlockCipher</b></td><td>BlockCipher, block size (in bits)</td><td>Also known as CTR mode</td></tr>
<tr><td><b>OpenPGPCFBBlockCipher</b></td><td>BlockCipher</td><td> </td></tr>
<tr><td><b>GOFBBlockCipher</b></td><td>BlockCipher</td><td>GOST OFB mode</td></tr>
</table>
<p>
<b>BufferedBlockCipher</b> has a further sub-classes
<p>
<table cellpadding=5 cellspacing=0 border=1 width=80%>
<tr><th>Name</th><th>Constructor</th><th>Notes</th></tr>
<tr><td><b>PaddedBufferedBlockCipher</b></td><td>BlockCipher</td><td>a buffered block cipher that can use padding - default PKCS5/7 padding</td></tr>
<tr><td><b>CTSBlockCipher</b></td><td>BlockCipher</td><td>Cipher Text Stealing</td></tr>
</table>
<p>The following paddings can be used with the PaddedBufferedBlockCipher.
<p>
<table cellpadding=5 cellspacing=0 border=1 width=80%>
<tr><th>Name</th><th>Description</th></tr>
<tr><td>PKCS7Padding</td><td>PKCS7/PKCS5 padding</td></tr>
<tr><td>ISO10126d2Padding</td><td>ISO 10126-2 padding</td></tr>
<tr><td>X932Padding</td><td>X9.23 padding</td></tr>
<tr><td>ISO7816d4Padding</td><td>ISO 7816-4 padding (ISO 9797-1 scheme 2)</td></tr>
<tr><td>ZeroBytePadding</td><td>Pad with Zeros (not recommended)</td></tr>
</table>
<p>The following cipher engines are implemented that can be
used with the above modes.
<p>
<table cellpadding=5 cellspacing=0 border=1 width=80%>
<tr><th>Name</th><th>KeySizes (in bits) </th><th>Block Size</th><th>Notes</th></tr>
<tr><td><b>AESEngine</b></td><td>0 .. 256 </td><td>128 bit</td><td> </td></tr>
<tr><td><b>AESWrapEngine</b></td><td>0 .. 256 </td><td>128 bit</td><td>Implements FIPS AES key wrapping</td></tr>
<tr><td><b>BlowfishEngine</b></td><td>0 .. 448 </b></td><td>64 bit</td><td> </td></tr>
<tr><td><b>CamelliaEngine</b></td><td>128, 192, 256</td><td>128 bit</td><td> </td></tr>
<tr><td><b>CamelliaWrapEngine</b></td><td>128, 192, 256</td><td>128 bit</td><td> </td></tr>
<tr><td><b>CAST5Engine</b></td><td>0 .. 128 </b></td><td>64 bit</td><td> </td></tr>
<tr><td><b>CAST6Engine</b></td><td>0 .. 256 </b></td><td>128 bit</td><td> </td></tr>
<tr><td><b>DESEngine</b></td><td>64</td><td>64 bit</td><td> </td></tr>
<tr><td><b>DESedeEngine</b></td><td>128, 192</td><td>64 bit</td><td> </td></tr>
<tr><td><b>DESedeWrapEngine</b></td><td>128, 192</td><td>64 bit</td><td>Implements Draft IETF DESede key wrapping</td></tr>
<tr><td><b>GOST28147Engine</b></td><td>256</td><td>64 bit</td><td>Has a range of S-boxes</td></tr>
<tr><td><b>IDEAEngine</b></td><td>128</td><td>64 bit</td><td> </td></tr>
<tr><td><b>NoekeonEngine</b></td><td>128</td><td>128 bit</td><td> </td></tr>
<tr><td><b>RC2Engine</b></td><td>0 .. 1024 </td><td>64 bit</td><td> </td></tr>
<tr><td><b>RC532Engine</b></td><td>0 .. 128 </td><td>64 bit</td><td>Uses a 32 bit word</td></tr>
<tr><td><b>RC564Engine</b></td><td>0 .. 128 </td><td>128 bit</td><td>Uses a 64 bit word</td></tr>
<tr><td><b>RC6Engine</b></td><td>0 .. 256 </td><td>128 bit</td><td> </td></tr>
<tr><td><b>RijndaelEngine</b></td><td>0 .. 256 </td><td>128 bit, 160 bit, 192 bit, 224 bit, 256 bit</td><td> </td></tr>
<tr><td><b>SEEDEngine</b></td><td>128</td><td>128 bit</td><td> </td></tr>
<tr><td><b>SEEDWrapEngine</b></td><td>128</td><td>128 bit</td><td> </td></tr>
<tr><td><b>SerpentEngine</b></td><td>128, 192, 256 </td><td>128 bit</td><td> </td></tr>
<tr><td><b>SkipjackEngine</b></td><td>0 .. 128 </td><td>64 bit</td><td> </td></tr>
<tr><td><b>TEAEngine</b></td><td>128</td><td>64 bit</td><td> </td></tr>
<tr><td><b>TwofishEngine</b></td><td>128, 192, 256 </td><td>128 bit</td><td> </td></tr>
<tr><td><b>XTEAEngine</b></td><td>128</td><td>64 bit</td><td> </td></tr>
</table>
<h4>Symmetric (Stream)</h4>
<p>
The base interface is <b>StreamCipher</b> and has the following
implementations which match the modes the stream cipher can
be operated in.
<p>
<table cellpadding=5 cellspacing=0 border=1 width=80%>
<tr><th>Name</th><th>Constructor</th><th>Notes</th></tr>
<tr><td><b>BlockStreamCipher</b></td><td>BlockCipher</td><td> </td></tr>
</table>
<p>The following cipher engines are implemented that can be
used with the above modes.
<p>
<table cellpadding=5 cellspacing=0 border=1 width=80%>
<tr><th>Name</th><th>KeySizes (in bits) </th><th>Notes</th></tr>
<tr><td><b>RC4Engine</b></td><td>40 .. 2048</td><td> </td></tr>
<tr><td><b>HC128Engine</b></td><td>128</td><td> </td></tr>
<tr><td><b>HC256Engine</b></td><td>256</td><td> </td></tr>
<tr><td><b>Salsa20Engine</b></td><td>128/256</td><td> </td></tr>
<tr><td><b>ISAACEngine</b></td><td>32 .. 8192</td><td> </td></tr>
<tr><td><b>VMPCEngine</b></td><td>8 .. 6144</td><td> </td></tr>
<tr><td><b>Grainv1Engine</b></td><td>80</td><td>64 bit IV</td></tr>
<tr><td><b>Grain128Engine</b></td><td>128</td><td>96 bit IV</td></tr>
</table>
<h4>Block Asymmetric</h4>
<p>
The base interface is <b>AsymmetricBlockCipher</b> and has the following
implementations which match the modes the cipher can be operated in.
<p>
<table cellpadding=5 cellspacing=0 border=1 width=80%>
<tr><th>Name</th><th>Constructor</th><th>Notes</th></tr>
<tr><td><b>BufferedAsymmetricBlockCipher</b></td><td>AsymmetricBlockCipher</td><td> </td></tr>
<tr><td><b>OAEPEncoding</b></td><td>AsymmetricBlockCipher</td><td> </td></tr>
<tr><td><b>PKCS1Encoding</b></td><td>AsymmetricBlockCipher</td><td> </td></tr>
<tr><td><b>ISO9796d1Encoding</b></td><td>AsymmetricBlockCipher</td><td>ISO9796-1</td></tr>
</table>
<p>The following cipher engines are implemented that can be
used with the above modes.
<p>
<table cellpadding=5 cellspacing=0 border=1 width=80%>
<tr><th>Name</th><th>KeySizes (in bits)</th><th>Notes</th></tr>
<tr><td><b>RSAEngine</b></td><td>any multiple of 8 large enough for the encoding.</td><td> </td></tr>
<tr><td><b>ElGamalEngine</b></td><td>any multiple of 8 large enough for the encoding.</td><td> </td></tr>
<tr><td><b>NTRUEngine</b></td><td>any multiple of 8 large enough for the encoding.</td><td> </td></tr>
</table>
<h4>Digest</h4>
<p>
The base interface is <b>Digest</b> and has the following
implementations
<p>
<table cellpadding=5 cellspacing=0 border=1 width=80%>
<tr><th>Name</th><th>Output (in bits)</th><th>Notes</th></tr>
<tr><td><b>MD2Digest</b></td><td>128</td><td> </td></tr>
<tr><td><b>MD4Digest</b></td><td>128</td><td> </td></tr>
<tr><td><b>MD5Digest</b></td><td>128</td><td> </td></tr>
<tr><td><b>RipeMD128Digest</b></td><td>128</td><td>basic RipeMD</td></tr>
<tr><td><b>RipeMD160Digest</b></td><td>160</td><td>enhanced version of RipeMD</td></tr>
<tr><td><b>RipeMD256Digest</b></td><td>256</td><td>expanded version of RipeMD128</td></tr>
<tr><td><b>RipeMD320Digest</b></td><td>320</td><td>expanded version of RipeMD160</td></tr>
<tr><td><b>SHA1Digest</b></td><td>160</td><td> </td></tr>
<tr><td><b>SHA224Digest</b></td><td>224</td><td>FIPS 180-2</td></tr>
<tr><td><b>SHA256Digest</b></td><td>256</td><td>FIPS 180-2</td></tr>
<tr><td><b>SHA384Digest</b></td><td>384</td><td>FIPS 180-2</td></tr>
<tr><td><b>SHA512Digest</b></td><td>512</td><td>FIPS 180-2</td></tr>
<tr><td><b>SHA3Digest</b></td><td>224, 256, 288, 384, 512</td><td></td></tr>
<tr><td><b>TigerDigest</b></td><td>192</td><td>The Tiger Digest.</td></tr>
<tr><td><b>GOST3411Digest</b></td><td>256</td><td>The GOST-3411 Digest.</td></tr>
<tr><td><b>WhirlpoolDigest</b></td><td>512</td><td>The Whirlpool Digest.</td></tr>
</table>
<h4>MAC</h4>
<p>
The base interface is <b>Mac</b> and has the following
implementations
<p>
<table cellpadding=5 cellspacing=0 border=1 width=80%>
<tr><th>Name</th><th>Output (in bits)</th><th>Notes</th></tr>
<tr><td><b>CBCBlockCipherMac</b></td><td>blocksize/2 unless specified</td><td> </td></tr>
<tr><td><b>CFBBlockCipherMac</b></td><td>blocksize/2, in CFB 8 mode, unless specified</td><td> </td></tr>
<tr><td><b>CMac</b></td><td>24 to 128 bits</td><td>Usable with block ciphers, NIST SP 800-38B.</td></tr>
<tr><td><b>GMac</b></td><td>96 to 128 bits</td><td>Usable with GCM mode ciphers, defined for AES, NIST SP 800-38D.</td></tr>
<tr><td><b>GOST28147Mac</b></td><td>32 bits</td><td> </td></tr>
<tr><td><b>ISO9797Alg3Mac</b></td><td>multiple of 8 bits up to underlying cipher size.</td><td> </td></tr>
<tr><td><b>HMac</b></td><td>digest length</td><td> </td></tr>
<tr><td><b>SipHash</b></td><td>64 bits</td><td> </td></tr>
<tr><td><b>VMPCMac</b></td><td>160 bits</td><td> </td></tr>
</table>
<h4>PBE</h4>
<p>
The base class is <b>PBEParametersGenerator</b> and has the following
sub-classes
</p>
<table cellpadding=5 cellspacing=0 border=1 width=80%>
<tr><th>Name</th><th>Constructor</th><th>Notes</th></tr>
<tr><td><b>PKCS5S1ParametersGenerator</b></td><td>Digest</td><td> </td></tr>
<tr><td><b>PKCS5S2ParametersGenerator</b></td><td> </td><td>Uses SHA1/Hmac as defined</td></tr>
<tr><td><b>PKCS12ParametersGenerator</b></td><td>Digest</td><td> </td></tr>
<tr><td><b>OpenSSLPBEParametersGenerator</b></td><td> </td><td>Uses MD5 as defined</td></tr>
</table>
<h4>IESCipher</h4>
<p>
The IES cipher is based on the one described in IEEE P1363a (draft 10), for
use with either traditional Diffie-Hellman or Elliptic Curve Diffie-Hellman.
</p>
<b>Note:</b> At the moment this is still a draft, don't use it for anything
that may be subject to long term storage, the key values produced may well
change as the draft is finalised.
</p>
<h4>Commitments</h4>
<p>
The base class is <b>Committer</b> and has the following
sub-classes
</p>
<table cellpadding=5 cellspacing=0 border=1 width=80%>
<tr><th>Name</th>><th>Notes</th></tr>
<tr><td><b>HashCommitter</b></td><td>Hash commitment algorithm described in Usenix RPC MixNet Paper (2002)</td></tr>
</table>
<h4>Key Agreement</h4>
<p>
Two versions of Diffie-Hellman key agreement are supported, the basic
version, and one for use with long term public keys. Two versions of
key agreement using Elliptic Curve cryptography are also supported,
standard Diffie-Hellman key agreement and standard key agreement with
co-factors.
</p>
<p>
The agreement APIs are in the <b>org.bouncycastle.crypto.agreement</b> package.
Classes for generating Diffie-Hellman parameters can be found in the
<b>org.bouncycastle.crypto.params</b> and <b>org.bouncycastle.crypto.generators</b> packages.
</p>
<h4>Key Encapsulation Mechanisms</h4>
<p>
The base class is <b>KeyEncapsulation</b> and has the following
sub-classes
</p>
<table cellpadding=5 cellspacing=0 border=1 width=80%>
<tr><th>Name</th>><th>Notes</th></tr>
<tr><td><b>RSAKeyEncapsulation</b></td><td>RSA-KEM from ISO 18033-2</td></tr>
<tr><td><b>PKCS5S2ParametersGenerator</b></td><td>ECIES-KEM from ISO 18033-2</td></tr>
</table>
<h4>Signers</h4>
<p>
DSA, ECDSA, ISO-9796-2, GOST-3410-94, GOST-3410-2001, DSTU-4145-2002, and RSA-PSS are supported by the <b>org.bouncycastle.crypto.signers</b>
package. Note: as these are light weight classes, if you need to use SHA1 or GOST-3411
(as defined in the relevant standards) you'll also need to make use of the appropriate
digest class in conjunction with these.
Classes for generating DSA and ECDSA parameters can be found in the
<b>org.bouncycastle.crypto.params</b> and <b>org.bouncycastle.crypto.generators</b> packages.
<p>
<h3>4.4 Elliptic Curve Transforms.</h3>
<p>
The org.bouncycastle.crypto.ec package contains implementations for a variety of EC cryptographic transforms such as EC ElGamal.
</p>
<h3>4.4 TLS/DTLS</h3>
<p>
The org.bouncycastle.crypto.tls package contains implementations for TLS 1.1 and DTLS 1.0.
</p>
<h3>4.5 Deterministic Random Bit Generators (DRBG) and SecureRandom wrappers</h3>
<p>
The org.bouncycastle.crypto.prng package contains implementations for a variety of bit generators including those
from SP 800-90A, as well as builders for SecureRandom objects based around them.
</p>
<h3>4.6 ASN.1 package</h3>
<p>The light-weight API has direct interfaces into a package capable of
reading and writing DER-encoded ASN.1 objects and for the generation
of X.509 V3 certificate objects and PKCS12 files. BER InputStream and
OutputStream classes are provided as well.
<h2>5.0 Bouncy Castle Provider</h2>
<p>The Bouncy Castle provider is a JCE compliant provider that
is a wrapper built on top of the light-weight API.</p>
<p>
The advantage for writing application code that uses the
provider interface to cryptographic algorithms is that the
actual provider used can be selected at run time. This
is extremely valuable for applications that may wish to
make use of a provider that has underlying hardware for
cryptographic computation, or where an application may have
been developed in an environment with cryptographic export
controls.
</p>
<h3>5.1 Example</h3>
<p>To utilise the JCE provider in a program, the fundamentals
are as follows;
<pre>
<code>
/*
* This will generate a random key, and encrypt the data
*/
Key key;
KeyGenerator keyGen;
Cipher encrypt;
Security.addProvider(new BouncyCastleProvider());
try
{
// "BC" is the name of the BouncyCastle provider
keyGen = KeyGenerator.getInstance("DES", "BC");
keyGen.init(new SecureRandom());
key = keyGen.generateKey();
encrypt = Cipher.getInstance("DES/CBC/PKCS5Padding", "BC");
}
catch (Exception e)
{
System.err.println(e);
System.exit(1);
}
encrypt.init(Cipher.ENCRYPT_MODE, key);
bOut = new ByteArrayOutputStream();
cOut = new CipherOutputStream(bOut, encrypt);
cOut.write("plaintext".getBytes());
cOut.close();
// bOut now contains the cipher text
</code>
</pre>
<p>
The provider can also be configured as part of your environment via static registration
by adding an entry to the java.security properties file (found in $JAVA_HOME/jre/lib/security/java.security, where $JAVA_HOME is the location of your JDK/JRE distribution). You'll find detailed
instructions in the file but basically it comes down to adding a line:
<pre>
<code>
security.provider.<n>=org.bouncycastle.jce.provider.BouncyCastleProvider
</code>
</pre>
<p>Where <n> is the preference you want the provider at (1 being the most prefered).
<p>Where you put the jar is up to mostly up to you, although with jdk1.3 and
jdk1.4 the best (and in some cases only) place to have it is in $JAVA_HOME/jre/lib/ext. Note: under Windows there will normally be a JRE and a JDK install of Java if you think you have installed it correctly and it still doesn't work chances are you have added the provider to the installation not being used.
<p>
<b>Note</b>: with JDK 1.4 and later you will need to have installed the unrestricted policy
files to take full advantage of the provider. If you do not install the policy files you are likely
to get something like the following:
<b>
<pre>
java.lang.SecurityException: Unsupported keysize or algorithm parameters
at javax.crypto.Cipher.init(DashoA6275)
</pre>
</b>
The policy files can be found at the same place you downloaded the JDK.
<p>
<h3>5.2 Algorithms</h3>
<h4>Symmetric (Block)</h4>
<p>Modes:
<ul>
<li>ECB
<li>CBC
<li>OFB(n)
<li>CFB(n)
<li>SIC (also known as CTR)
<li>OpenPGPCFB
<li>CTS (equivalent to CBC/WithCTS)
<li>GOFB
<li>CCM
<li>EAX
</ul>
<p>
Where <i>(n)</i> is a multiple of 8 that gives the blocksize in bits,
eg, OFB8. Note that OFB and CFB mode can be used with plain text that
is not an exact multiple of the block size if NoPadding has been specified.
<p>
Padding Schemes:
<ul>
<li>No padding
<li>PKCS5/7
<li>ISO10126/ISO10126-2
<li>ISO7816-4/ISO9797-1
<li>X9.23/X923
<li>TBC
<li>ZeroByte
<li>withCTS (if used with ECB mode)
</ul>
<p>
When placed together this gives a specification for an algorithm
as;
<ul>
<li>DES/CBC/X9.23Padding
<li>DES/OFB8/NoPadding
<li>IDEA/CBC/ISO10126Padding
<li>IDEA/CBC/ISO7816-4Padding
<li>SKIPJACK/ECB/PKCS7Padding
<li>DES/ECB/WithCTS
</ul>
<p>
Note: default key sizes are in bold.
<p>
<table cellpadding=5 cellspacing=0 border=1 width=80%>
<tr><th>Name</th><th>KeySizes (in bits) </th><th>Block Size</th><th>Notes</th></tr>
<tr><td>AES</td><td>0 .. 256 <b>(192)</b></td><td>128 bit</td><td> </td></tr>
<tr><td>AESWrap</td><td>0 .. 256 <b>(192)</b></td><td>128 bit</td><td>A FIPS AES key wrapper</td></tr>
<tr><td>Blowfish</td><td>0 .. 448 <b>(448)</b></td><td>64 bit</td><td> </td></tr>
<tr><td>Camellia</td><td>128, 192, 256</td><td>128 bit</td><td> </td></tr>
<tr><td>CamelliaWrap</td><td>128, 192, 256</td><td>128 bit</td><td> </td></tr>
<tr><td>CAST5</td><td>0 .. 128<b>(128)</b></td><td>64 bit</td><td> </td></tr>
<tr><td>CAST6</td><td>0 .. 256<b>(256)</b></td><td>128 bit</td><td> </td></tr>
<tr><td>DES</td><td>64</td><td>64 bit</td><td> </td></tr>
<tr><td>DESede</td><td>128, 192</td><td>64 bit</td><td> </td></tr>
<tr><td>DESedeWrap</td><td>128, 192</td><td>128 bit</td><td>A Draft IETF DESede key wrapper</td></tr>
<tr><td>GOST28147</td><td>256</td><td>64 bit</td><td> </td></tr>
<tr><td>IDEA</td><td>128 <b>(128)</b></td><td>64 bit</td><td>Only included in extended provider jar.</td></tr>
<tr><td>Noekeon</td><td>128<b>(128)</b></td><td>128 bit</td><td> </td></tr>
<tr><td>RC2</td><td>0 .. 1024 <b>(128)</b></td><td>64 bit</td><td> </td></tr>
<tr><td>RC5</td><td>0 .. 128 <b>(128)</b></td><td>64 bit</td><td>Uses a 32 bit word</td></tr>
<tr><td>RC5-64</td><td>0 .. 256 <b>(256)</b></td><td>128 bit</td><td>Uses a 64 bit word</td></tr>
<tr><td>RC6</td><td>0 .. 256 <b>(128)</b></td><td>128 bit</td><td> </td></tr>
<tr><td>Rijndael</td><td>0 .. 256 <b>(192)</b></td><td>128 bit</td><td> </td></tr>
<tr><td>SEED</td><td>128<b>(128)</b></td><td>128 bit</td><td> </td></tr>
<tr><td>SEEDWrap</td><td>128<b>(128)</b></td><td>128 bit</td><td> </td></tr>
<tr><td>Serpent</td><td>128, 192, 256 <b>(256)</b></td><td>128 bit</td><td> </td></tr>
<tr><td>Skipjack</td><td>0 .. 128 <b>(128)</b></td><td>64 bit</td><td> </td></tr>
<tr><td>TEA</td><td>128 <b>(128)</b></td><td>64 bit</td><td> </td></tr>
<tr><td>Twofish</td><td>128, 192, 256 <b>(256)</b></td><td>128 bit</td><td> </td></tr>
<tr><td>XTEA</td><td>128 <b>(128)</b></td><td>64 bit</td><td> </td></tr>
</table>
<h4>Symmetric (Stream)</h4>
<p>
Note: default key sizes are in bold.
<p>
<table cellpadding=5 cellspacing=0 border=1 width=80%>
<tr><th>Name</th><th>KeySizes (in bits)</th><th>Notes</th></tr>
<tr><td>RC4</td><td>40 .. 2048 bits <b>(128)</b></td><td> </td></tr>
<tr><td>HC128</td><td>(128)</td><td> </td></tr>
<tr><td>HC256</td><td>(256)</td><td> </td></tr>
<tr><td>Salsa20</td><td>128/256<b>(128)</b></td><td> </td></tr>
<tr><td>VMPC</td><td>128/6144<b>(128)</b></td><td> </td></tr>
<tr><td>Grainv1</b></td><td>80</td><td>64 bit IV</td></tr>
<tr><td>Grain128</b></td><td>128</td><td>96 bit IV</td></tr>
</table>
<h4>Block Asymmetric</h4>
<p>Encoding:
<ul>
<li>OAEP - Optimal Asymmetric Encryption Padding
<li>PCKS1 - PKCS v1.5 Padding
<li>ISO9796-1 - ISO9796-1 edition 1 Padding
</ul>
<p>Note: except as indicated in PKCS 1v2 we recommend you use OAEP, as
mandated in X9.44.
<p>
When placed together with RSA this gives a specification for an algorithm
as;
<ul>
<li>RSA/NONE/NoPadding
<li>RSA/NONE/PKCS1Padding
<li>RSA/NONE/OAEPWithMD5AndMGF1Padding
<li>RSA/NONE/OAEPWithSHA1AndMGF1Padding
<li>RSA/NONE/OAEPWithSHA224AndMGF1Padding
<li>RSA/NONE/OAEPWithSHA256AndMGF1Padding
<li>RSA/NONE/OAEPWithSHA384AndMGF1Padding
<li>RSA/NONE/OAEPWithSHA512AndMGF1Padding
<li>RSA/NONE/ISO9796-1Padding
</ul>
<table cellpadding=5 cellspacing=0 border=1 width=80%>
<tr><th>Name</th><th>KeySizes (in bits)</th><th>Notes</th></tr>
<tr><td>RSA</td><td>any multiple of 8 bits large enough for the encryption<b>(2048)</b></td><td> </td></tr>
<tr><td>ElGamal</td><td>any multiple of 8 bits large enough for the encryption<b>(1024)</b></td><td> </td></tr>
</table>
<h4>Key Agreement</h4>
<p>
Diffie-Hellman key agreement is supported using the "DH", "ECDH", and
"ECDHC" (ECDH with cofactors) key agreement instances.
<p>
Note: with basic "DH" only the basic algorithm fits in with the JCE API, if
you're using long-term public keys you may want to look at the light-weight
API.
<p>
<h4>ECIES</h4>
<p>
An implementation of ECIES (stream mode) as described in IEEE P 1363a.
<p>
<b>Note:</b> At the moment this is still a draft, don't use it for anything
that may be subject to long term storage, the key values produced may well
change as the draft is finalised.
<p>
<h4>Digest</h4>
<p>
<table cellpadding=5 cellspacing=0 border=1 width=80%>
<tr><th>Name</th><th>Output (in bits)</th><th>Notes</th></tr>
<tr><td>GOST3411</td><td>256</td><td> </td></tr>
<tr><td>MD2</td><td>128</td><td> </td></tr>
<tr><td>MD4</td><td>128</td><td> </td></tr>
<tr><td>MD5</td><td>128</td><td> </td></tr>
<tr><td>RipeMD128</td><td>128</td><td>basic RipeMD</td></tr>
<tr><td>RipeMD160</td><td>160</td><td>enhanced version of RipeMD</td></tr>
<tr><td>RipeMD256Digest</td><td>256</td><td>expanded version of RipeMD128</td></tr>
<tr><td>RipeMD320Digest</td><td>320</td><td>expanded version of RipeMD160</td></tr>
<tr><td>SHA1</td><td>160</td><td> </td></tr>
<tr><td>SHA-224</td><td>224</td><td>FIPS 180-2</td></tr>
<tr><td>SHA-256</td><td>256</td><td>FIPS 180-2</td></tr>
<tr><td>SHA-384</td><td>384</td><td>FIPS 180-2</td></tr>
<tr><td>SHA-512</td><td>512</td><td>FIPS 180-2</td></tr>
<tr><td>SHA3-224</td><td>224</td><td> </td></tr>
<tr><td>SHA3-256</td><td>256</td><td> </td></tr>
<tr><td>SHA3-384</td><td>384</td><td> </td></tr>
<tr><td>SHA3-512</td><td>512</td><td> </td></tr>
<tr><td>Tiger</td><td>192</td><td> </td></tr>
<tr><td>Whirlpool</td><td>512</td><td> </td></tr>
</table>
<h4>MAC</h4>
<table cellpadding=5 cellspacing=0 border=1 width=80%>
<tr><th>Name</th><th>Output (in bits)</th><th>Notes</th></tr>
<tr><td>Any MAC based on a block cipher, CBC (the default) and CFB modes.</td><td>half the cipher's block size (usually 32 bits)</td><td> </td></tr>
<tr><td>VMPC-MAC</td><td>128</td><td> </td></tr>
<tr><td>HMac-MD2</td><td>128</td><td> </td></tr>
<tr><td>HMac-MD4</td><td>128</td><td> </td></tr>
<tr><td>HMac-MD5</td><td>128</td><td> </td></tr>
<tr><td>HMac-RipeMD128</td><td>128</td><td> </td></tr>
<tr><td>HMac-RipeMD160</td><td>160</td><td> </td></tr>
<tr><td>HMac-SHA1</td><td>160</td><td> </td></tr>
<tr><td>HMac-SHA224</td><td>224</td><td> </td></tr>
<tr><td>HMac-SHA256</td><td>256</td><td> </td></tr>
<tr><td>HMac-SHA384</td><td>384</td><td> </td></tr>
<tr><td>HMac-SHA512</td><td>512</td><td> </td></tr>
<tr><td>HMac-Tiger</td><td>192</td><td> </td></tr>
</table>
<p>Examples:
<ul>
<li>DESMac
<li>DESMac/CFB8
<li>DESedeMac
<li>DESedeMac/CFB8
<li>DESedeMac64
<li>SKIPJACKMac
<li>SKIPJACKMac/CFB8
<li>IDEAMac
<li>IDEAMac/CFB8
<li>RC2Mac
<li>RC2Mac/CFB8
<li>RC5Mac
<li>RC5Mac/CFB8
<li>ISO9797ALG3Mac
</ul>
<h4>Signature Algorithms</h4>
<p>Schemes:
<ul>
<li>DSTU4145</li>
<li>GOST3411withGOST3410 (GOST3411withGOST3410-94)
<li>GOST3411withECGOST3410 (GOST3411withGOST3410-2001)
<li>MD2withRSA
<li>MD5withRSA
<li>SHA1withRSA
<li>RIPEMD128withRSA
<li>RIPEMD160withRSA
<li>RIPEMD160withECDSA
<li>RIPEMD256withRSA
<li>SHA1withDSA
<li>NONEwithDSA
<li>SHA1withECDSA
<li>NONEwithECDSA
<li>SHA224withECDSA
<li>SHA256withECDSA
<li>SHA384withECDSA
<li>SHA512withECDSA
<li>SHA1withECNR
<li>SHA224withECNR
<li>SHA256withECNR
<li>SHA384withECNR
<li>SHA512withECNR
<li>SHA224withRSA
<li>SHA256withRSA
<li>SHA384withRSA
<li>SHA512withRSA
<li>SHA1withRSAandMGF1
<li>SHA256withRSAandMGF1
<li>SHA384withRSAandMGF1
<li>SHA512withRSAandMGF1
</ul>
<h4>PBE</h4>
<p>Schemes:
<ul>
<li>PKCS5S1, any Digest, any symmetric Cipher, ASCII
<li>PKCS5S2, SHA1/HMac, any symmetric Cipher, ASCII, UTF8
<li>PKCS12, any Digest, any symmetric Cipher, Unicode
</ul>
<p>
Defined in Bouncy Castle JCE Provider
<table cellpadding=5 cellspacing=0 border=1 width=80%>
<tr><th>Name</th><th>Key Generation Scheme</th><th>Key Length (in bits)</th><th>Char to Byte conversion</th></tr>
<tr><td>PBEWithMD2AndDES</td><td>PKCS5 Scheme 1</td><td>64</td><td>8 bit chars</td></tr>
<tr><td>PBEWithMD2AndRC2</td><td>PKCS5 Scheme 1</td><td>128</td><td>8 bit chars</td></tr>
<tr><td>PBEWithMD5AndDES</td><td>PKCS5 Scheme 1</td><td>64</td><td>8 bit chars</td></tr>
<tr><td>PBEWithMD5AndRC2</td><td>PKCS5 Scheme 1</td><td>128</td><td>8 bit chars</td></tr>
<tr><td>PBEWithSHA1AndDES</td><td>PKCS5 Scheme 1</td><td>64</td><td>8 bit chars</td></tr>
<tr><td>PBEWithSHA1AndRC2</td><td>PKCS5 Scheme 1</td><td>128</td><td>8 bit chars</td></tr>
<tr><td>PBKDF2WithHmacSHA1</td><td>PKCS5 Scheme 2</td><td>variable</td><td>UTF-8 chars</td></tr>
<tr><td>PBKDF2WithHmacSHA1AndUTF8</td><td>PKCS5 Scheme 2</td><td>variable</td><td>UTF-8 chars</td></tr>
<tr><td>PBKDF2WithHmacSHA1And8bit</td><td>PKCS5 Scheme 2</td><td>variable</td><td>8 bit chars</td></tr>
<tr><td>PBEWithSHAAnd2-KeyTripleDES-CBC</td><td>PKCS12</td><td>128</td><td>16 bit chars</td></tr>
<tr><td>PBEWithSHAAnd3-KeyTripleDES-CBC</td><td>PKCS12</td><td>192</td><td>16 bit chars</td></tr>
<tr><td>PBEWithSHAAnd128BitRC2-CBC</td><td>PKCS12</td><td>128</td><td>16 bit chars</td></tr>
<tr><td>PBEWithSHAAnd40BitRC2-CBC</td><td>PKCS12</td><td>40</td><td>16 bit chars</td></tr>
<tr><td>PBEWithSHAAnd128BitRC4</td><td>PKCS12</td><td>128</td><td>16 bit chars</td></tr>
<tr><td>PBEWithSHAAnd40BitRC4</td><td>PKCS12</td><td>40</td><td>16 bit chars</td></tr>
<tr><td>PBEWithSHAAndTwofish-CBC</td><td>PKCS12</td><td>256</td><td>16 bit chars</td></tr>
<tr><td>PBEWithSHAAndIDEA-CBC</td><td>PKCS12</td><td>128</td><td>16 bit chars</td></tr>
</table>
<h3>5.3 Certificates</h3>
<p>
The Bouncy Castle provider will read X.509 certficates (v2 or v3) as per the examples in
the java.security.cert.CertificateFactory class. They can be provided either
in the normal PEM encoded format, or as DER binaries.
<p>
The CertificateFactory will also read X.509 CRLs (v2) from either PEM or DER encodings.
<p>
In addition to the classes in the org.bouncycastle.asn1.x509 package for certificate, CRLs, and OCSP, CRMF, and CMP message
generation a more JCE "friendly" class is provided in the package org.bouncycastle.cert. The JCE "friendly" classes found in the jcajce
subpackages support RSA, DSA, GOST, DTSU, and EC-DSA.
<p>
<h3>5.4 Keystore</h3>
<p>
The Bouncy Castle package has three implementation of a keystore.
<p>
The first "BKS" is a keystore that will work with the keytool in the same
fashion as the Sun "JKS" keystore. The keystore is resistent to tampering
but not inspection.
<p>
The second, <b>Keystore.BouncyCastle</b>, or <b>Keystore.UBER</b> will only work with the keytool
if the password is provided on the command line, as the entire keystore
is encrypted
with a PBE based on SHA1 and Twofish. <b>PBEWithSHAAndTwofish-CBC</b>.
This makes the entire keystore resistant to tampering and inspection,
and forces verification.
The Sun JDK provided keytool will attempt to load a keystore even if no
password is given,
this is impossible for this version. (One might wonder about going to all
this trouble and then having the password on the command line! New keytool
anyone?).
<p>
In the first case, the keys are encrypted with 3-Key-TripleDES.
<p>
The third is a PKCS12 compatible keystore. PKCS12 provides a slightly
different situation from the regular key store, the keystore password is
currently the only password used for storing keys. Otherwise it supports
all the functionality required for it to be used with the keytool. In some
situations other libraries always expect to be dealing with Sun certificates,
if this is the case use PKCS12-DEF, and the certificates produced by the
key store will be made using the default provider. In the default case PKCS12 uses 3DES for key protection and 40 bit RC2 for protecting the certificates. It is also possible to use 3DES for both by using PKCS12-3DES-3DES or PKCS12-DEF-3DES-3DES as the KeyStore type.
<p>
There is an example program that produces PKCS12 files suitable for
loading into browsers. It is in the package
org.bouncycastle.jce.examples.
<p>
<p>
<h3>5.5 Additional support classes for Elliptic Curve.</h3>
<p>
There are no classes for supporting EC in the JDK prior to JDK 1.5. If you are using
an earlier JDK you can find classes for using EC in the following
packages:
<ul>
<li>org.bouncycastle.jce.spec</li>
<li>org.bouncycastle.jce.interfaces</li>
<li>org.bouncycastle.jce</li>
</ul>
<h3>6.0 BouncyCastle S/MIME</h3>
To be able to fully compile and utilise the BouncyCastle S/MIME
package (including the test classes) you need the jar files for
the following APIs.
<ul>
<li>Junit - <a href="http://www.junit.org">http://www.junit.org</a></li>
<li>JavaMail - <a href="http://java.sun.com/products/javamail/index.html">http://java.sun.com/products/javamail/index.html</a></li>
<li>The Java Activation Framework - <a href="http://java.sun.com/products/javabeans/glasgow/jaf.html">http://java.sun.com/products/javabeans/glasgow/jaf.html</a></li>
</ul>
<h3>6.1 Setting up BouncyCastle S/MIME in JavaMail</h3>
The BouncyCastle S/MIME handlers may be set in JavaMail two ways.
<ul>
<li> STATICALLY<br>
Add the following entries to the mailcap file:
<pre>
application/pkcs7-signature;; x-java-content-handler=org.bouncycastle.mail.smime.handlers.pkcs7_signature
application/pkcs7-mime;; x-java-content-handler=org.bouncycastle.mail.smime.handlers.pkcs7_mime
application/x-pkcs7-signature;; x-java-content-handler=org.bouncycastle.mail.smime.handlers.x_pkcs7_signature
application/x-pkcs7-mime;; x-java-content-handler=org.bouncycastle.mail.smime.handlers.x_pkcs7_mime
multipart/signed;; x-java-content-handler=org.bouncycastle.mail.smime.handlers.multipart_signed
</pre>
</li>
<li> DYNAMICALLY<br>
The following code will add the BouncyCastle S/MIME handlers dynamically:
<pre>
import javax.activation.MailcapCommandMap;
import javax.activation.CommandMap;
public static void setDefaultMailcap()
{
MailcapCommandMap _mailcap =
(MailcapCommandMap)CommandMap.getDefaultCommandMap();
_mailcap.addMailcap("application/pkcs7-signature;; x-java-content-handler=org.bouncycastle.mail.smime.handlers.pkcs7_signature");
_mailcap.addMailcap("application/pkcs7-mime;; x-java-content-handler=org.bouncycastle.mail.smime.handlers.pkcs7_mime");
_mailcap.addMailcap("application/x-pkcs7-signature;; x-java-content-handler=org.bouncycastle.mail.smime.handlers.x_pkcs7_signature");
_mailcap.addMailcap("application/x-pkcs7-mime;; x-java-content-handler=org.bouncycastle.mail.smime.handlers.x_pkcs7_mime");
_mailcap.addMailcap("multipart/signed;; x-java-content-handler=org.bouncycastle.mail.smime.handlers.multipart_signed");
CommandMap.setDefaultCommandMap(_mailcap);
}
</pre>
</li>
</ul>
</body>
</html>