Working with Symmetric Ciphers
We now have a strong understanding of how the JCA/JCE provide the necessary infrastructure to support cryptographic operations in Java. With this information in hand, we are ready to build our knowledge base and begin to explore the world of symmetric ciphers. The first code example in this book (SimpleExample from Chapter 1) demonstrated a symmetric cipher in use. At the end of this chapter, you will be reading and writing code similar to that example.
A Symmetric Cipher is depicted in Figure 2.1. The symmetric cipher is an engine that transforms plaintext into ciphertext through the use of a secret key. Plaintext is a message in its native form; you and I could simply look at it and read it. Ciphertext is the result of the encryption operation, and it should appear as an incomprehensible flow of bytes. The secret key is the critical piece in the system; if the secret key is compromised, then so is the message hidden in the ciphertext. The secret key used to generate the ciphertext is the same secret key used to decipher and return the original plaintext. More specifically, the sender and receiver both use the same secret key.
Often people interchange the words cipher and code, but there is a fundamental difference. A code creates a substitute for an entire word or phrase; for example, from this point forward Billy will be known as "Fortune Cookie." This is substantially different than a cipher that will operate against (for example) one byte at a time, yielding an incomprehensible sequence of bytes completely different from the original.
The goal of a cipher is to protect the information by making the ciphertext either too expensive to decrypt (e.g., having to purchase 10,000 super computers and develop software to coordinate a brute force attack in parallel) or so outdated by the time the ciphertext is cracked the information is worthless or a statement of the obvious. To protect the information, it is imperative that a strong secret key be fed into the symmetric cipher. People make terrible choices when it comes to generating secret keys. With few exceptions,
most of us would have a hard time remembering a large 20, 30, or 40 character random password. Overall, we have a tendency to pick secret keys (often referred to as passwords) that are short and easy to remember, secret god dev scott dba admin All of these are terrible examples of common passwords used in production systems.
Symmetric ciphers play an important role in cryptography today. Symmetric ciphers are fast and capable of performing encryption operations even when the input data is very large. Some symmetric cipher algorithms lend themselves to parallel encryption operations that can take full advantage of multiple CPUs.
Symmetric ciphers and nearly every other aspect of cryptography require reliable random number generation capabilities. A collection of random numbers is then used as the secret key. Random here means pure random data, like measuring the vibration of the earth or sampling weather related data. The random numbers generated by something like the Solitaire card game on your PC is not suitable for use in cryptography because patterns often form. Perhaps you've seen the cards dealt out in similar patterns. A pattern is not random; it is reproducible, and thus a very poor source for generating a random secret key. Reproducible is bad because it increases the odds that someone else might reproduce the same sequence and use it to decipher sensitive data. Before we take a close look at symmetric cipher operations via the JCE, we're going to review the random number generation capabilities denned by the JCA.