The Key to Java Cryptography Development

Cuts through the fog and delivers a comprehensive exploration of all the relevant cryptography technology issues.


ORIGINAL DRAFT

It’s difficult to talk about cryptography without covering security issues, but O’Reilly has decided to separate the two into a pair of books to give each the more extensive coverage it deserves. Java Cryptography, by Jonathan Knudsen, delivers the goods on cryptography, a complicated topic but one well explored in this book’s 300-plus pages. In fact, if you’re dealing with a product that includes cryptographic solutions, this book is an absolute must. The author cleverly avoids the political issues by stating a few relevant facts and moving on to explain the technology. You won’t get bogged down in the legal quagmire here.

The Java API addresses cryptography by providing the JCE (Java Cryptography Extensions). These are a set of classes that fall into the javax.crypto package and provide encryption capabilities that extend the basic security base available in Java. Cryptography runs a wide spectrum, from simple XOR or Base64 encoding to public key encryption and X.509 certificates for authentication. This book covers virtually everything to do with cryptography.

The first few chapters cover the basics, with Chapter 2 covering the fundamental concepts: confidentiality, integrity, authentication, random number generation (which, for cryptography, has to be much less predictable than traditional pseudo-random algorithms) and basic cryptographic algorithms. Chapter 3 explains the architecture of the JCE. Subsequent chapters dig deeper into each of the important concepts. Chapters 4 to 6 cover random numbers, key management and authentication. Having laid the groundwork for the real topic at hand, Chapter 7 hits encryption head on, covering stream and block ciphers, algorithms and how to encrypt and decrypt your data.

Chapter 8 covers code signing with a focus on signing applets. The coverage is critical to getting out of the sandbox, with the user’s permission, when running under browsers on the Internet. Anybody who’s done this knows that the answers are sprayed around the Internet and rarely addressed in a single place. Java Cryptography consolidates this information into a single chapter, which covers the Java standard, demonstrated with the HotJava browser, along with the more important Netscape and Microsoft variations. This chapter covers certificates and the signing process better than almost any other source I’ve seen.

Chapters 10 and 11 develop sample applications, SafeTalk and CipherMail. These help flesh out the major issues and provide a walk-through that explains a number of issues and helps the reader understand what’s really involved when you start working with these kinds of applications. The final chapter (12) covers some of the things that relate to cryptography but less directly - things like byte code obfuscation, file and network security and application design issues. The appendices show you how to use the BigInteger class for handling keys, build a Base64 encoder/decoder, handle JAR files and use the JavaKey utility, and provide a quick reference to the java.security and javax.crypto packages.

I can’t really recommend this book too highly for developers who need to understand cryptography. The topic matter is broad and difficult to make sense of in isolation, mostly because so many issues - like keys, certificates, encryption, authentication and other concepts - are so interrelated. Java Cryptography cuts through the fog and presents the reader with a logical progression and explanation of all the important issues surrounding this sometimes confusing technological realm.