RSA public key & transient

It is possible to initialize the session DES key as transient object:
sessionKey = (DESKey)KeyBuilder.buildKey(
KeyBuilder.TYPE_DES_TRANSIENT_DESELECT,
KeyBuilder.LENGTH_DES3_2KEY,
false);I need to initialize the RSApublic key as transient object as well. Let's assume that we are having enough space in RAM.
Sincerely,
Žagar Jelena

I did not understand you completely. I am having this code fragement.
Applet class variable:
public RandomData randomData;
public RSAPublicKey key;
Applet constructor:
randomData = RandomData.getInstance(RandomData.ALG_SECURE_RANDOM);
cipher = Cipher.getInstance(Cipher.ALG_RSA_PKCS1, false);
key = (RSAPublicKey) KeyBuilder.buildKey(KeyBuilder.TYPE_RSA_PUBLIC,
CIAKey.RSA_KEY_LENGTH_2048, false);
Applet method:
public void method() {
// DH class contains Diffie-Helman parameters: p, q and g.
short exponentLength = (short) (dh.q.length - 2);
randomData.generateData(buffer, (byte) 0, exponentLength);
buffer[exponentLength - 1] |= 0x01; // Exponent must be odd - set LSB
((RSAPublicKey) key).setExponent(buffer, (short) 0, exponentLength);
((RSAPublicKey) key).setModulus(dh.p, (short) 0, (short) dh.p.length);
cipher.init((RSAPublicKey) key, Cipher.MODE_ENCRYPT);
}The code lines that bothers me are the next lines:
((RSAPublicKey) key).setExponent(buffer, (short) 0, exponentLength);
((RSAPublicKey) key).setModulus(dh.p, (short) 0, (short)Key is the applet instance variable that is located inside the EEPROM. These two methods setExponent and setModulus updates key object and therefore they are updating the ROM. I am in feer that I will stress the EEPROM.

Similar Messages

Can't read load RSA public key with JDK 1.4.2_08?

We have been using Bouncy Castle's provider to provide RSA encryption and decryption of a login name and password for several years ... with JDKs in the 1.4.2 series up through 1.4.2_07.
Recently, however, Sun released JDK 1.4.2_08, and suddenly any of our Java Web Start client applications are unable to successfully load the public key that we use to encrypt their login name and password before shipping it to the server for authentication with the 1.4.2_08 JRE. But, if we revert back to 1.4.2_07, everything works again.
This public key itself has been in use for several years and the same code to read the public key has been in use for a long time ... including multiple versions of the BouncyCastle provider and all versions of the JDK up through 1.4.2_07. But suddenly things appear to break with JDK 1.4.2_08.
This smells like a problem with JDK 1.4.2_08 so I thought that I'd check on this forum to see if any other Bouncy Castle users have experienced this problem. Is there anything further that I can do to check this out? Has any Bouncy Castle user successfully loaded a RSA public key from a byte stream with JDK 1.4.2_08? Or have people using other providers seen any problems reading similar public keys with JDK 1.4.2_08?
The code that is failing on the client side is:
try {
   encKey = new byte[this.publicKeyInputStream.available()];
   this.publicKeyInputStream.read(encKey);
   spec = new X509EncodedKeySpec(encKey);
   keyFactory = KeyFactory.getInstance("RSA", "org.bouncycastle.jce.provide.BouncyCastleProvider");
   myPublicKey = keyFactory.generatePublic(spec);
   return myPublicKey;
catch (Exception e) {
   e.printStackTrace();
}The stack trace that I'm getting includes ...
java.security.spec.InvalidKeySpecException: java.lang.IllegalArgumentException: invalid info structure in RSA public key
   at org.bouncycastle.jce.provider.JDKKeyFactory$RSA.engineGeneratePublic(JDKKeyFactory.java:330)
   at java.security.KeyFactory.generatePublic(Unknown Source)
   at org.opencoral.util.Encryption.loadPublicKey(SourceFile:450)
   at org.opencoral.util.Encryption.<init>(SourceFile:119)
   at org.opencoral.main.Coral.<init>(SourceFile:338)
   at org.opencoral.main.Coral.main(SourceFile:1919)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
   at java.lang.reflect.Method.invoke(Unknown Source)
   at com.sun.javaws.Launcher.executeApplication(Unknown Source)
   at com.sun.javaws.Launcher.executeMainClass(Unknown Source)
   at com.sun.javaws.Launcher.continueLaunch(Unknown Source)
   at com.sun.javaws.Launcher.handleApplicationDesc(Unknown Source)
   at com.sun.javaws.Launcher.handleLaunchFile(Unknown Source)
   at com.sun.javaws.Launcher.run(Unknown Source)
   at java.lang.Thread.run(Unknown Source)While it clearly indicates that it thinks that there is an "invalid info structure in RSA public key", I believe that nothing has changed in the structure of our key ... and this same key still works properly if I revert to JDK 1.4.2_07.
Any thoughts or insights?
Thanks,
John Shott

I'm facing the same Exception here,
With JDK 1.5 (SUNJce) i'm getting --
Exception in thread "main" java.security.spec.InvalidKeySpecException: java.secu
rity.InvalidKeyException: Invalid RSA public key
at sun.security.rsa.RSAKeyFactory.engineGeneratePublic(Unknown Source)
With BouncyCastle i'm getting --
Exception in thread "main" java.security.spec.InvalidKeySpecException: java.lang
.IllegalArgumentException: invalid info structure in RSA public key
at org.bouncycastle.jce.provider.JDKKeyFactory$RSA.engineGeneratePublic(
JDKKeyFactory.java:345)
Any Solution?

Invalid Key Exception: Unsupported key type: Sun RSA public key, 1024 bits

I am trying to retrieve certificates from Microsoft Keystore and extract its keys using SunMSCAPI in jdk 1.6. It gives me an invalid key exception, when I am trying to wrap the Symmetric key (which was previously used to perform AES encryption on data), using RSA algorithm.
Code snippet:
           // RSA 1024 bits Asymmetric encryption of Symmetric AES key
            // List the certificates from Microsoft KeyStore using SunMSCAPI.
                  System.out.println("List of certificates found in Microsoft Personal Keystore:");
                   KeyStore ks = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
                   ks.load(null, null) ;
                   Enumeration en = ks.aliases() ;
                   PublicKey RSAPubKey = null;
                   Key RSAPrivKey = null;
                   int i = 0;
                   while (en.hasMoreElements()) {
                        String aliasKey = (String)en.nextElement() ;
                        X509Certificate c = (X509Certificate) ks.getCertificate(aliasKey) ;
                        String sss = ks.getCertificateAlias(c);
                        if(sss.equals("C5151997"))
                        System.out.println("---> alias : " + sss) ;
                        i= i + 1;
                        String str = c.toString();
                        System.out.println(" Certificate details : " + str ) ;
                      RSAPubKey = c.getPublicKey();
                        RSAPrivKey = ks.getKey(aliasKey, null); //"mypassword".toCharArray()
                        Certificate[] chain = ks.getCertificateChain(aliasKey);
                   System.out.println("No of certificates found from Personal MS Keystore: " + i);
            // Encrypt the generated Symmetric AES Key using RSA cipher
                    Cipher rsaCipher = Cipher.getInstance("RSA/ECB/PKCS1Padding", ks.getProvider().getName());
                   rsaCipher.init(Cipher.WRAP_MODE, RSAPubKey);
                   byte[] encryptedSymmKey = rsaCipher.wrap(aeskey);
                   System.out.println("Encrypted Symmetric Key :" + new String(encryptedSymmKey));
                   System.out.println("Encrypted Symmetric Key Length in Bytes: " + encryptedSymmKey.length);
                   // RSA Decryption of Encrypted Symmetric AES key
                   rsaCipher.init(Cipher.UNWRAP_MODE, RSAPrivKey);
                   Key decryptedKey = rsaCipher.unwrap(encryptedSymmKey, "AES", Cipher.SECRET_KEY);Output:
List of certificates found in Microsoft Personal Keystore:
---> alias : C5151997
Certificate details : [
Version: V3
Subject: CN=C5151997, O=SAP-AG, C=DE
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 1024 bits
modulus: 171871587533146191561538456391418351861663300588728159334223437391061141885590024223283480319626015611710315581642512941578588886825766256507714725820048129123720143461110410353346492039350478625370269565346566901446816729164309038944197418238814947654954590754593726047828813400082450341775203029183105860831
public exponent: 65537
Validity: [From: Mon Jan 24 18:17:49 IST 2011,
               To: Wed Jan 23 18:17:49 IST 2013]
Issuer: CN=SSO_CA, O=SAP-AG, C=DE
SerialNumber: [    4d12c509 00000005 eb85]
Certificate Extensions: 6
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 07 E5 83 A1 B2 B7 DF 6B 4B 67 9C 1D 42 C9 0D F4 .......kKg..B...
0010: 35 76 D3 F7 5v..
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: E4 C4 2C 93 20 AF DA 4C F2 53 68 4A C0 E7 EC 30 ..,. ..L.ShJ...0
0010: 8C 0C 3B 9A ..;.
[3]: ObjectId: 1.3.6.1.4.1.311.21.7 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 30 30 2E 06 26 2B 06 01 04 01 82 37 15 08 82 .00..&+.....7...
0010: D1 E1 73 84 E4 FE 0B 84 FD 8B 15 83 E5 90 1B 83 ..s.............
0020: E6 A1 43 81 62 84 B1 DA 50 9E D3 14 02 01 64 02 ..C.b...P.....d.
0030: 01 1B ..
[4]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
RFC822Name: [email protected]
[5]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Non_repudiation
Key_Encipherment
Data_Encipherment
[6]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
Algorithm: [SHA1withRSA]
Signature:
0000: B3 C5 92 66 8D D7 ED 6D 51 12 63 CC F4 52 18 B9 ...f...mQ.c..R..
0010: B8 A6 78 F7 ED 7D 78 18 DA 71 09 C9 AE C8 49 23 ..x...x..q....I#
0020: F5 32 2F 0F D1 C0 4C 08 2B 6D 3C 11 B9 5F 5B B5 .2/...L.+m<.._[.
0030: 05 D9 CA E6 F9 0A 94 14 E7 C6 7A DB 63 FE E5 EC ..........z.c...
0040: 48 94 8C 0D 77 92 59 DE 34 6E 77 1A 24 FE E3 C1 H...w.Y.4nw.$...
0050: D8 0B 52 6A 7E 22 13 71 D7 F8 AF D1 17 C8 64 4F ..Rj.".q......dO
0060: 83 EA 2D 6A CA 7F C3 84 37 15 FE 99 73 1D 7C D1 ..-j....7...s...
0070: 6D B4 99 09 62 B9 0F 18 33 4C C6 66 7A 9F C0 DB m...b...3L.fz...
No of certificates found from Personal MS Keystore: 1
Exception in thread "main" java.security.InvalidKeyException: Unsupported key type: Sun RSA public key, 1024 bits
modulus: 171871587533146191561538456391418351861663300588728159334223437391061141885590024223283480319626015611710315581642512941578588886825766256507714725820048129123720143461110410353346492039350478625370269565346566901446816729164309038944197418238814947654954590754593726047828813400082450341775203029183105860831
public exponent: 65537
     at sun.security.mscapi.RSACipher.init(RSACipher.java:176)
     at sun.security.mscapi.RSACipher.engineInit(RSACipher.java:129)
     at javax.crypto.Cipher.init(DashoA13*..)
     at javax.crypto.Cipher.init(DashoA13*..)
     at com.sap.srm.crpto.client.applet.CryptoClass.main(CryptoClass.java:102)
Edited by: sabre150 on 18-Jul-2011 03:47
Added [ code] tags to make code readable.

A bit of research indicates that the classes of the keys obtained by
                      RSAPubKey = c.getPublicKey();
                           RSAPrivKey = ks.getKey(aliasKey, null); //"mypassword".toCharArray()are sun.security.rsa.RSAPublicKeyImpl and sun.security.*mscapi*.RSAPrivateKey . It seems that for Cipher objects from the SunMSCAPI provider cannot accept RSA public keys of class sun.security.rsa.RSAPublicKeyImpl and that the SunMSCAPI will only accept RSA private keys of class sun.security.mscapi.RSAPrivateKey.
This came up under different guise a couple of years ago. It makes sense since encrypting/wrapping with a public key does not represent a security problem (there is nothing secret in any of the encryption operations) when done outside of MSCAPI so one can use any provider that has the capability BUT the decryption/unwrapping must be done with the SunMSCAPI provider which delegates it to the MSCAPI.
My working test code based on your code implementing this approach is :
        // RSA 1024 bits Asymmetric encryption of Symmetric AES key
        // List the certificates from Microsoft KeyStore using SunMSCAPI.
        System.out.println("List of certificates found in Microsoft Personal Keystore:");
        KeyStore ks = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
        ks.load(null, null);
        Enumeration en = ks.aliases();
        PublicKey RSAPubKey = null;
        Key RSAPrivKey = null;
        int i = 0;
        while (en.hasMoreElements())
            String aliasKey = (String) en.nextElement();
            X509Certificate c = (X509Certificate) ks.getCertificate(aliasKey);
            String sss = ks.getCertificateAlias(c);
            if (sss.equals("rsa_key")) // The alias for my key - make sure you change it back to your alias
                System.out.println("---> alias : " + sss);
                i = i + 1;
                String str = c.toString();
                System.out.println(" Certificate details : " + str);
                RSAPubKey = c.getPublicKey();
         System.out.println(RSAPubKey.getClass().getName());
               RSAPrivKey = ks.getKey(aliasKey, null); //"mypassword".toCharArray()
        System.out.println(RSAPrivKey.getClass().getName());
                Certificate[] chain = ks.getCertificateChain(aliasKey);
        System.out.println(ks.getProvider().getName());
        System.out.println("No of certificates found from Personal MS Keystore: " + i);
        Cipher rsaCipher = Cipher.getInstance("RSA/ECB/PKCS1Padding");//, ks.getProvider().getName());       !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
            rsaCipher.init(Cipher.WRAP_MODE, RSAPubKey);
        byte[] keyBytes =
            1, 2, 3, 4, 5, 6, 7, 8, 2, 3, 4, 5, 6, 7, 8, 9
        SecretKey aeskey = new SecretKeySpec(keyBytes, "AES");
        byte[] encryptedSymmKey = rsaCipher.wrap(aeskey);
        System.out.println("Encrypted Symmetric Key :" + Arrays.toString(encryptedSymmKey));
        System.out.println("Encrypted Symmetric Key Length in Bytes: " + encryptedSymmKey.length);
        // RSA Decryption of Encrypted Symmetric AES key
        Cipher unwrapRsaCipher = Cipher.getInstance("RSA/ECB/PKCS1Padding", ks.getProvider().getName());       //!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
        unwrapRsaCipher.init(Cipher.UNWRAP_MODE, RSAPrivKey);
        Key decryptedKey = unwrapRsaCipher.unwrap(encryptedSymmKey, "AES", Cipher.SECRET_KEY);
        System.out.println("Decrypted Symmetric Key :" + Arrays.toString(decryptedKey.getEncoded())); // Matches the 'keyBytes' above

ASA 8.4+ RSA Public Key for SSH user authentication

I have seen in the configuration guide and a separate post in the support community that RSA Public Key authentication is support for SSH sessions in 8.4 and after. I have tried implementing this on both an 8.4 ASA and a 9.1 ASA and I get the same error on both. I have tried specifying SSH version 2 to see if that is the issue but I still get the error. Is there a step I am missing?
Here is the output of the configuration commands:
ciscoasa(config)#username test nopassword privilege 15
ciscoasa(config)#username test attributes
ciscoasa(config-username)# ssh authentication publickey
                             ^
ERROR: % Invalid Hostname
The links referenced above:
https://supportforums.cisco.com/thread/2150480
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/access_aaa.html#wp1053558
http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/general/aaa_servers.html#wp1176050
Thanks!

That would be great if the resolution was that simple. I am using a public key I generated using the putty key generator. Below is the key I would use if I got that far. However I get an error on the "ssh authentication publickey" attribute so I never get the chance to enter a public key. What code version and hardware version are you running that this worked on?
AAAAB3NzaC1yc2EAAAABJQAAAIEA2h00RCKBbpbrTWSe/3TYAvRpkJz7tLwQDCf9
4fDJUWUGrmxXHeomuBhNGZh7tyfFjRL2CKY6nWmFyKN/eDm0PF4IWhhCArzOPVDu
q7Nu2y/pD8wWH8dH4a3zRpkLSekNJtH6lzuqmY0zqz9TnZlpS6g4LI1a+lOGSmhU
/HySw9s=
ciscoasa(config)#username test nopassword privilege 15
ciscoasa(config)#username test attributes
ciscoasa(config-username)#ssh ?
configure mode commands/options:
Hostname or A.B.C.D The IP address of the host and/or network authorized to
                       login to the system
X:X:X:X::X/<0-128>   IPv6 address/prefix authorized to login to the system
scopy                Secure Copy mode
timeout              Configure ssh idle timeout
version              Specify protocol version to be supported
exec mode commands/options:
disconnect Specify SSH session id to be disconnected after this keyword
ciscoasa(config-username)# ssh
ciscoasa(config-username)# sh ver | in Ver
Cisco Adaptive Security Appliance Software Version 9.1(1)
Device Manager Version 7.1(1)52
ciscoasa(config-username)#

Java Card RSA public key problem

Hello,
     I have a problem when I try to set the modulus part of a RSA public Key. There is always an error 6F 00.
The code is very simple :
private void saisie_modulus(APDU apdu)
          byte apduBuffer[] = apdu.getBuffer();
          if (!pin.isValidated ())
               ISOException.throwIt(ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED);
          byte byteRead = (byte)(apdu.setIncomingAndReceive());
          rsa_PublicKey2.setModulus(apduBuffer, (short)ISO7816.OFFSET_CDATA, (short)byteRead);
          return;
What is really strange is that when I replace
rsa_PublicKey2.setModulus(apduBuffer, (short)ISO7816.OFFSET_CDATA, (short)byteRead);
with rsa_PublicKey.setModulus(rsaPublicKey, (short)6, (short)128); that works. (rsaPublicKey is an array containing the key and it's taken from the sample CryptoTest that comes with Axalto software)
I tried to enter on the apdu the exact same modulus value of the public key of the sample CryptoTestand it doesn't work
I tried another examples that I tested elseware and it doesn't work either
the rest setKey composents work (same functions but with
rsa_PublicKey2.setExponent(apduBuffer, (short)ISO7816.OFFSET_CDATA, (short)byteRead);
rsa_PublicKey2.setP(apduBuffer, (short)ISO7816.OFFSET_CDATA, (short)byteRead);
rsa_PublicKey2.setQ(apduBuffer, (short)ISO7816.OFFSET_CDATA, (short)byteRead);
rsa_PublicKey2.setPQ(apduBuffer, (short)ISO7816.OFFSET_CDATA, (short)byteRead);
rsa_PublicKey2.setDP1(apduBuffer, (short)ISO7816.OFFSET_CDATA, (short)byteRead);
rsa_PublicKey2.setDQ1(apduBuffer, (short)ISO7816.OFFSET_CDATA, (short)byteRead);
in the place of
rsa_PublicKey2.setModulus(apduBuffer, (short)ISO7816.OFFSET_CDATA, (short)byteRead); )
Do you have any ideas? Is this possible to have a bug in the card? I use a Cyberflex 64k V2
Thank you in advance

Yes, I did enter the key by hand (as I did with the Exponent, P, Q , PQ, DP1 et DQ1 and it worked).
And I did enter by hand the EXACT same key (128 bytes) of the array rsaPublicKey to test.
I repeat that when I type
rsa_PublicKey.setModulus(rsaPublicKey, (short)6, (short)128);
that works
but when I enter manually (by hand) the EXACT same key (128 bytes beginning from byte 6) it doesn't work
I even generated a key in the card and I exported its modulus (128 bytes). I entered by hand the exact same modulus (copy - paste to be precise) that was exported and the card did not accept it.
This problem only happen with the modulus I repeat
Any ideas?
I begin to suspect a technical problem. I don't

Encrypting with an RSA Public Key

Hi everyone. I'm trying to encrypt some characters with an already generated RSA public key. Can anybody help with a SUN provider sample script?
Thanx

First of all RSA cipher is not suitable for encription of data more then one block (about 80 bytes for the OAEP mode), so it is paractically only good for the secret key wrapping (like Blowfish or DES) and second thing is that SUN JCE provider doesn't include RSA cipher implementation.

Can I put RSA Public Key into the ISD in the JCOP?

Dear All,
Can I put RSA Public Key into the ISD in the JCOP? the command I put into the card as follows:
cm> /terminal "winscard:4|FT SCR2000 0"
--Opening terminal
/atrresetCard with timeout: 0 (ms)
--Waiting for card...
ATR=3B 69 00 FF 4A 43 4F 50 34 31 56 32 32 ;i..JCOP41V22
ATR: T=0, N=-1, Hist="JCOP41V22"
/card -a a000000003000000 -c com.ibm.jc.CardManagerresetCard with timeout: 0 (ms)
--Waiting for card...
ATR=3B 69 00 FF 4A 43 4F 50 34 31 56 32 32 ;i..JCOP41V22
ATR: T=0, N=-1, Hist="JCOP41V22"
=> 00 A4 04 00 08 A0 00 00 00 03 00 00 00 00 ..............
(86244 usec)
<= 6F 10 84 08 A0 00 00 00 03 00 00 00 A5 04 9F 65 o..............e
01 FF 90 00 ....
Status: No Error
cm> set-key 255/1/DES-ECB/404142434445464748494a4b4c4d4e4f 255/2/DES-ECB/404142434445464748494a4b4c4d4e4f 255/3/DES-ECB/404142434445464748494a4b4c4d4e4f
cm> init-update 255
=> 80 50 00 00 08 51 39 AE 8E 0C 8B D9 50 00 .P...Q9.....P.
(132953 usec)
<= 00 00 63 06 00 26 29 91 06 75 FF 02 00 84 FC 69 ..c..&)..u.....i
60 80 B4 9C 9C 03 DB 99 9E F8 F4 67 90 00 `..........g..
Status: No Error
cm> ext-auth plain
=> 84 82 00 00 10 E6 A4 12 36 FD 7E 57 D0 2B 9D 5F ........6.~W.+._
65 30 D8 1B 00 e0...
(89378 usec)
<= 90 00 ..
Status: No Error
cm> put-key --mode add 115/1/RSA-PUB/0301000180ad97a22fe7cb29accc3a0b68844f0cb11d057ed8c80c5a4db856138030c419d0a27556902a939152ce79376b1cd0955ce4303bf7560c95230714c583ff8a8f12f1cf23d867e469773d15f0e708332651110cb615c8d373e86d57b5ffe7ff44bcc7690a4d68cbe07743b19879ac5beaeef6e1af133a1fd37b86a5339960b36e53
=> 80 D8 00 01 88 73 A1 80 AD 97 A2 2F E7 CB 29 AC .....s...../..).
CC 3A 0B 68 84 4F 0C B1 1D 05 7E D8 C8 0C 5A 4D .:.h.O....~...ZM
B8 56 13 80 30 C4 19 D0 A2 75 56 90 2A 93 91 52 .V..0....uV.*..R
CE 79 37 6B 1C D0 95 5C E4 30 3B F7 56 0C 95 23 .y7k...\.0;.V..#
07 14 C5 83 FF 8A 8F 12 F1 CF 23 D8 67 E4 69 77 ..........#.g.iw
3D 15 F0 E7 08 33 26 51 11 0C B6 15 C8 D3 73 E8 =....3&Q......s.
6D 57 B5 FF E7 FF 44 BC C7 69 0A 4D 68 CB E0 77 mW....D..i.Mh..w
43 B1 98 79 AC 5B EA EE F6 E1 AF 13 3A 1F D3 7B C..y.[......:..{
86 A5 33 99 60 B3 6E 53 A0 03 01 00 01 00 ..3.`.nS......
(281664 usec)
<= 6A 86 j.
Status: Incorrect parameters (P1,P2)
jcshell: Error code: 6a86 (Incorrect parameters (P1,P2))
jcshell: Wrong response APDU: 6A86
Why the card return error code ? I think the P1 P2 is correct, according to the GP2.1.1?
Thank you!

It also can't input the RSA Public Key to the card, as follows:
cm> /terminal "winscard:4|FT SCR2000 0"
--Opening terminal
/atrresetCard with timeout: 0 (ms)
--Waiting for card...
ATR=3B E9 00 00 81 31 FE 45 4A 43 4F 50 34 31 56 32 ;....1.EJCOP41V2
32 A7 2.
ATR: T=1, N=0, IFSC=254, BWI=4/CWI=5, Hist="JCOP41V22"
/card -a a000000003000000 -c com.ibm.jc.CardManagerresetCard with timeout: 0 (ms)
--Waiting for card...
ATR=3B E9 00 00 81 31 FE 45 4A 43 4F 50 34 31 56 32 ;....1.EJCOP41V2
32 A7 2.
ATR: T=1, N=0, IFSC=254, BWI=4/CWI=5, Hist="JCOP41V22"
=> 00 A4 04 00 08 A0 00 00 00 03 00 00 00 00 ..............
(86180 usec)
<= 6F 10 84 08 A0 00 00 00 03 00 00 00 A5 04 9F 65 o..............e
01 FF 90 00 ....
Status: No Error
cm> set-key 255/1/DES-ECB/404142434445464748494a4b4c4d4e4f 255/2/DES-ECB/404142434445464748494a4b4c4d4e4f 255/3/DES-ECB/404142434445464748494a4b4c4d4e4f
cm> init-update 255
=> 80 50 00 00 08 80 29 78 6F 21 1B 34 89 00 .P....)xo!.4..
(129908 usec)
<= 00 00 63 06 00 26 29 91 06 75 FF 02 00 00 93 73 ..c..&)..u.....s
3A B8 2C 0F D2 4C 06 E2 50 66 7F D8 90 00 :.,..L..Pf....
Status: No Error
cm> ext-auth plain
=> 84 82 00 00 10 3E 88 4D 33 FD 7D A5 56 B6 90 84 .....>.M3.}.V...
78 94 BD B3 7A x...z
(97237 usec)
<= 90 00 ..
Status: No Error
cm> card-info
=> 80 F2 80 00 02 4F 00 00 .....O..
(60917 usec)
<= 08 A0 00 00 00 03 00 00 00 01 9E 90 00 .............
Status: No Error
=> 80 F2 40 00 02 4F 00 00 [email protected]..
(41315 usec)
<= 6A 88 j.
Status: Reference data not found
=> 80 F2 10 00 02 4F 00 00 .....O..
(73177 usec)
<= 07 A0 00 00 00 03 53 50 01 00 01 08 A0 00 00 00 ......SP........
03 53 50 41 90 00 .SPA..
Status: No Error
Card Manager AID : A000000003000000
Card Manager state : OP_READY
Load File : LOADED (--------) A0000000035350 (Security Domain)
Module : A000000003535041
cm> install -b -s -i A000000003535041 A0000000035350 A000000003535041
=> 80 E6 0C 00 20 07 A0 00 00 00 03 53 50 08 A0 00 .... ......SP...
00 00 03 53 50 41 08 A0 00 00 00 03 53 50 41 01 ...SPA......SPA.
C0 02 C9 00 00 00 ......
(227436 usec)
<= 90 00 ..
Status: No Error
cm> ls
=> 80 F2 80 00 02 4F 00 00 .....O..
(61204 usec)
<= 08 A0 00 00 00 03 00 00 00 01 9E 90 00 .............
Status: No Error
=> 80 F2 40 00 02 4F 00 00 [email protected]..
(66302 usec)
<= 08 A0 00 00 00 03 53 50 41 07 C0 90 00 ......SPA....
Status: No Error
=> 80 F2 10 00 02 4F 00 00 .....O..
(72365 usec)
<= 07 A0 00 00 00 03 53 50 01 00 01 08 A0 00 00 00 ......SP........
03 53 50 41 90 00 .SPA..
Status: No Error
Card Manager AID : A000000003000000
Card Manager state : OP_READY
Sec. Domain: SELECTABLE (SV------) A000000003535041
Load File : LOADED (--------) A0000000035350 (Security Domain)
Module : A000000003535041
cm> select A000000003535041
=> 00 A4 04 00 08 A0 00 00 00 03 00 00 00 00 ..............
(84625 usec)
<= 6F 10 84 08 A0 00 00 00 03 00 00 00 A5 04 9F 65 o..............e
01 FF 90 00 ....
Status: No Error
cm> /card -a a000000003000000 -c com.ibm.jc.CardManager
resetCard with timeout: 0 (ms)
--Waiting for card...
ATR=3B E9 00 00 81 31 FE 45 4A 43 4F 50 34 31 56 32 ;....1.EJCOP41V2
32 A7 2.
ATR: T=1, N=0, IFSC=254, BWI=4/CWI=5, Hist="JCOP41V22"
=> 00 A4 04 00 08 A0 00 00 00 03 00 00 00 00 ..............
(83836 usec)
<= 6F 10 84 08 A0 00 00 00 03 00 00 00 A5 04 9F 65 o..............e
01 FF 90 00 ....
Status: No Error
cm> set-key 255/1/DES-ECB/404142434445464748494a4b4c4d4e4f 255/2/DES-ECB/404142434445464748494a4b4c4d4e4f 255/3/DES-ECB/404142434445464748494a4b4c4d4e4f
cm> init-update 255
=> 80 50 00 00 08 FA 3B 98 E7 B4 60 A8 CC 00 .P....;...`...
(128562 usec)
<= 00 00 63 06 00 26 29 91 06 75 FF 02 00 01 26 F7 ..c..&)..u....&.
25 4D B0 B9 D2 1D 18 99 F1 1F E8 25 90 00 %M.........%..
Status: No Error
cm> ext-auth plain
=> 84 82 00 00 10 C9 5D 27 4B C4 54 AC E5 D3 3C 8B ......]'K.T...<.
5F 2D B5 6B 87 _-.k.
(97825 usec)
<= 90 00 ..
Status: No Error
cm> set-key 1/1/DES-ECB/505152535455565758595a5b5c5d5e5f 1/2/DES-ECB/505152535455565758595a5b5c5d5e5f 1/3/DES-ECB/505152535455565758595a5b5c5d5e5f
cm> put-keyset 1
=> 80 D8 00 81 43 01 80 10 B3 6A 9E 82 2D 9E 8E 06 ....C....j..-...
8F B9 52 EA CA 63 FA 6B 03 A4 B7 D6 80 10 B3 6A ..R..c.k.......j
9E 82 2D 9E 8E 06 8F B9 52 EA CA 63 FA 6B 03 A4 ..-.....R..c.k..
B7 D6 80 10 B3 6A 9E 82 2D 9E 8E 06 8F B9 52 EA .....j..-.....R.
CA 63 FA 6B 03 A4 B7 D6 00 .c.k.....
(263198 usec)
<= 01 A4 B7 D6 A4 B7 D6 A4 B7 D6 90 00 ............
Status: No Error
cm> put-key 115/1/RSA-PUB/0301000180ad97a22fe7cb29accc3a0b68844f0cb11d057ed8c80c5a4db856138030c419d0a27556902a939152ce79376b1cd0955ce4303bf7560c95230714c583ff8a8f12f1cf23d867e469773d15f0e708332651110cb615c8d373e86d57b5ffe7ff44bcc7690a4d68cbe07743b19879ac5beaeef6e1af133a1fd37b86a5339960b36e53
=> 80 D8 00 01 88 73 A1 80 AD 97 A2 2F E7 CB 29 AC .....s...../..).
CC 3A 0B 68 84 4F 0C B1 1D 05 7E D8 C8 0C 5A 4D .:.h.O....~...ZM
B8 56 13 80 30 C4 19 D0 A2 75 56 90 2A 93 91 52 .V..0....uV.*..R
CE 79 37 6B 1C D0 95 5C E4 30 3B F7 56 0C 95 23 .y7k...\.0;.V..#
07 14 C5 83 FF 8A 8F 12 F1 CF 23 D8 67 E4 69 77 ..........#.g.iw
3D 15 F0 E7 08 33 26 51 11 0C B6 15 C8 D3 73 E8 =....3&Q......s.
6D 57 B5 FF E7 FF 44 BC C7 69 0A 4D 68 CB E0 77 mW....D..i.Mh..w
43 B1 98 79 AC 5B EA EE F6 E1 AF 13 3A 1F D3 7B C..y.[......:..{
86 A5 33 99 60 B3 6E 53 A0 03 01 00 01 00 ..3.`.nS......
(251210 usec)
<= 6A 80 j.
Status: Wrong data
Add new key set didn't work, try modify ...
jcshell: Error code: -3 (Invalid API parameter)
jcshell: Command failed: Invalid RSA public key
Is it something wrong ?

Self- Signed Certificate - Change RSA Public Key & Signature Algorithim

Hi
My 1801 router (IOS 15x) is using the original self signed certificate (1024) with an signature algorithm MD5. I would like to change the cert to a 2048 key length , with a hash of SHA1 or better but I'm unsure how to do this.
Should I just generate new keys or would I be better creating a new self-signed cert? What is the procedure & explicit commands (CLI) to do this?
Many thanks in advance.
Regards
Bob

Sure, the secure-server is the quickest and easiest method but you can create the new key, define the trustpoint manually and enroll the certificate that way.
Below are the commands. (You can of course call the key, trustpoint, O and CN values whatever locally significant names make sense for you.)
router(config)#crypto key generate rsa label router-rsa modulus 2048
The name for the keys will be: router-rsa
% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 10 seconds)
router(config)#
router(config)#crypto pki trustpoint router-ca
router(ca-trustpoint)#enrollment selfsigned
router(ca-trustpoint)#subject-name O=Test,CN=www.router.com
router(ca-trustpoint)#rsakeypair router-rsa
router(config)#crypto pki enroll router-ca
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Generate Self Signed Router Certificate? [yes/no]: yes
Router Self Signed Certificate successfully created
router(config)#

How to find modulus(n) and public key exponent(e)Sor

I did the following code:
import java.security.*;
class keypair
public static void main(String args[])
try {
        KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
        keyGen.initialize(1024);
        KeyPair keypair = keyGen.genKeyPair();
        PrivateKey privateKey = keypair.getPrivate();
        PublicKey publicKey = keypair.getPublic();
        System.out.println(publicKey);
catch (java.security.NoSuchAlgorithmException e) {
}It produced the following output:
E:\java>java keypair
Sun RSA public key, 1024 bits
modulus: 104598424699919432698042124865237006532583108525971624656815039032375
*68185931249899603942873174007833898125332457427834491991685017307342129730049040*
*85039266578793603162921901877391682504673766949037045217194339504369288262569809*
*64618725280325930282787918761626276736975012559809247463223114702205350103039131*
public exponent: 65537
How to parse modulus(n) and public exponent(e) from this output?
Similarly when i print private key, it produces the following output:
E:\java>java keypair
Sun RSA private CRT key, 1024 bits
modulus:          124578817060208658480856678950235831207402457067036419284514
*60119309486714863949162442643168408523979997168613499493638925829235693238993015*
*36861462235708805467117179894466762970147852286192228334073408407380525883650965*
*26200137024900438305422984852314541271126647102071346646999343089444655087519613*
*147762713*
public exponent: 65537
private exponent: 938527844532658207604152892230342202756165450473898580852699
*91069268853864683730106242370135012901790500054313488639918623825755509450966957*
*25996151023641565209086629652161258725723528561744214714448113895688480371394495*
*69970533766968335232379493089928062691491508442909468663624841001227918721233934*
*90451285*
prime p:          128112715803862066344339615342766575233634768887073748611821
*70613165835421234259251719401979554816266892921739504796026180704477109334458578*
*924582228715587*
prime q:          972415706579323990162180646771186062588725555167352041581263
*11833654947284058644791019214876691698044764118648637510099163830088827138987158*
*06445271350899*
prime exponent p: 102053075991522697645186596252261651077210381075096084960080
*01572103324900452503753532555651687424478224695551102238145517644352533224205327*
*850477437666141*
prime exponent q: 668659136319899226645386130685620335239039277715133737489656
*56694442226518700929665796129185316864860876985624927131126216000167126890435269*
*81971346772483*
crt coefficient: 337801534982286124613379128447816812903646302193598735486466
*78634104811105616496519276355880320340688935923186965279527763125244878069735173*
*60542121091569*
E:\java>
From this output how to parse n and d, where d is the secret exponent or decryption exponent? Thanks in advance. Apologies, for posting in this forum instead of cryptography forum.
Edited by: sowndar on Nov 28, 2009 3:12 AM

sowndar wrote:
From this output how to parse n and d, where d is the secret exponent or decryption exponent? Why do you think you need to parse anything? Why do you need the modulus and exponents?
P.S. Extract the public and private keys from the key pair, cast them to RSAPublicKey and RSAPrivateKey as appropriate then look at the methods of classes RSAPublicKey and RSAPrivateKey to see how to get modulus and exponents.

I can�t decrypt a text encrypted (using RSA) with keys on smartcard.

I use a Cyberflex Access e-gate smartcard and I can encrypt and decrypt any text on the card but if I encrypt a text outside using the exported public key, card is not able to decrypt the message.
On the card side:
�
RSAPrivateCrtKey privateKey;
RSAPublicKey publicKey;
Cipher cipherRSA;
�
private MyIdentity (byte buffer[], short offset, byte length){
        // initialise PIN
        pin = new OwnerPIN(PinTryLimit, MaxPinSize);
        pin.resetAndUnblock();
        // Key Pair
        KeyPair kp = new KeyPair(KeyPair.ALG_RSA_CRT, (short)1024);
        kp.genKeyPair();
        privateKey = (RSAPrivateCrtKey) kp.getPrivate();
        publicKey = (RSAPublicKey) kp.getPublic();
        cipherRSA = Cipher.getInstance(Cipher.ALG_RSA_PKCS1, false);
        if (buffer[offset] == (byte)0) {
            register();
        } else {
            register(buffer, (short)(offset+1) ,(byte)(buffer[offset]));
    private void GetPublicKey (APDU apdu) {
        if (pin.isValidated()){
            byte apduBuffer[] = apdu.getBuffer();
            // short byteRead = (short)(apdu.setIncomingAndReceive());
               short bytesMod = publicKey.getModulus(apduBuffer, (short) 0);
               short bytesExp = publicKey.getExponent(apduBuffer,bytesMod);
               short outbytes = (short) (bytesMod + bytesExp);
                // Send results
             apdu.setOutgoing();
             // indicate the number of bytes in the data field
             apdu.setOutgoingLength((short)outbytes);
             // at offset 0 send 128 byte of data in the buffer
             apdu.sendBytesLong(apduBuffer, (short)APDUDATA, (short)outbytes);
        } else {
            ISOException.throwIt (ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED);
     private void Decrypt (APDU apdu) {
        byte apduBuffer[] = apdu.getBuffer();
         short byteRead = (short)(apdu.setIncomingAndReceive());
        cipherRSA.init(privateKey, Cipher.MODE_DECRYPT);
          cipherRSA.doFinal(apduBuffer,(short)APDUDATA, byteRead, apduBuffer, (short)APDUDATA);
         // Send results
        apdu.setOutgoing();
        // indicate the number of bytes in the data field
        apdu.setOutgoingLength(byteRead);
        // at offset 0 send x byte of data in the buffer
        apdu.sendBytesLong(apduBuffer, (short)APDUDATA, byteRead);
     }Off the card, I have a java client:
public void getPublicKey () {
        int CLA, INS, P1, P2;
        int iArray[] = new int[0];
        short sArray[] = new short[0];
        String ss = new String("");
        String s;
        byte [] sBytes = null;
        byte [] myModulus = new byte[128];
        byte [] myExponent = new byte[3];
        try     {
            CLA = 0x68;
            INS = 0x78;
            P1 = 0;
            P2 = 0;
            sArray = iopCard.SendCardAPDU(CLA,INS,P1,P2,iArray,0x83);
            int iErrorCode = iopCard.GetLastErrorCode();
            if (iErrorCode != 0x9000)     {
                if (iErrorCode == 0x6300) {
                    System.out.println("Wrong PIN");
                } else {
                    s = iopCard.GetErrorMessage();
                    System.out.println("SendCardAPDU: " + s);
            } else {
                System.out.println("Getting Public Key...");
                if (sArray != null) {
                    sBytes = new byte[sArray.length];
                    for (int i = 0; i < sArray.length; i++) {
                        sBytes[i] = (byte)sArray;
ss = new String(sBytes);
System.out.println ("------ BEGIN PUBLIC KEY -------------------");
for (int i=0; i < sArray.length; i++){
System.out.print(Integer.toHexString(ss.charAt(i)).toUpperCase());
System.out.println ();
System.out.println ("------ END PUBLIC KEY -------------------");
} else {
System.out.println("Nothing.");
} catch (slbException b) {
s = b.getMessage();
System.out.println("Validate error: " + s);
for (int i=0; i<128; i++){
myModulus[i] = (byte) sArray[i];
for (int i=0; i<3; i++){
myExponent[i] = (byte) sArray[128+i];
BigInteger modulus = new BigInteger (1,myModulus);
BigInteger exponent = new BigInteger ("65537"); // there is a well-known bug in getExponent
RSAPublicKeySpec keySpec = new RSAPublicKeySpec(modulus, exponent);
KeyFactory keyFactory =null;
try {
keyFactory = KeyFactory.getInstance("RSA");
publicKey = keyFactory.generatePublic(keySpec);
} catch (NoSuchAlgorithmException e) {
System.out.println(e.getMessage ());
} catch (InvalidKeySpecException e) {
System.out.println(e.getMessage ());
System.out.println("------------------ BEGIN ------------------");
ss = new String(publicKey.getEncoded());
for (int i=0; i < publicKey.getEncoded().length; i++){
System.out.print(Integer.toHexString(ss.charAt(i)).toUpperCase());
System.out.println ();
System.out.println("------------------ END ------------------");
// to a file
try {
//Store in raw format
FileWriter fw = new FileWriter("public_raw.txt");
for (int i=0; i < publicKey.getEncoded().length; i++){
fw.write(Integer.toHexString(ss.charAt(i)).toUpperCase());
fw.close();
//could also store it as a Public key
System.out.println("Public key saved to file");
} catch(Exception e) {
System.out.println("Error opening and writing Public key to file : "+e.getMessage());
public void encrypt () {
byte cadena[] = {0x01,0x02,0x03,0x04};
byte resultado[] = new byte[256];
// Create Cipher
try {
cipherRSA.init(Cipher.ENCRYPT_MODE, publicKey);
resultado = cipherRSA.doFinal (cadena);
} catch (InvalidKeyException e) {
System.out.println(e.getMessage());
} catch (BadPaddingException e) {
System.out.println(e.getMessage());
} catch (IllegalBlockSizeException e) {
System.out.println(e.getMessage());
String ss = new String (resultado);
System.out.println("------------------ BEGIN 4 ------------------");
for (int i=0; i < resultado.length; i++){
System.out.print(Integer.toHexString(ss.charAt(i)).toUpperCase());
System.out.println ();
System.out.println("------------------ END 4 ------------------");
Another question is that I don�t understand why I get a constant length string when I encrypt a text on the card and variable length string when I encrypt off the card

I thought that exponent was 3 bytes long...
On the card I have the following code:
    private void GetExponent (APDU apdu) {
        if (pin.isValidated()){
            byte apduBuffer[] = apdu.getBuffer();
        short bytesExp = publicKey.getExponent(apduBuffer, (short) 0);
           // Send results
             apdu.setOutgoing();
             // indicate the number of bytes in the data field
             apdu.setOutgoingLength((short)bytesExp);
             // at offset 0 send 128 byte of data in the buffer
             apdu.sendBytesLong(apduBuffer, (short)APDUDATA, (short)bytesExp);
        } else {
            ISOException.throwIt (ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED);
    }And if I don't send an APDU with length expected, I get the exception 6C03 (Correct Expected Length (Le) = 0x6C00) so I send APDU with 03 length and I receive the exponent. The problem is that there is a well know bug in getExponent and it returns 00 00 00... so I set it up to 65537 outside the card.

How to get the private and public key?

there is my code,i want to get the public key and the private key �Cbut i could not find the the approprite method to solve the problem.
import java.security.Key;
import javax.crypto.Cipher;
import java.security.KeyPairGenerator;
import java.security.KeyPair;
import java.security.Security;
public class PublicExample {
public static void main(String[] args) throws Exception {
if (args.length != 1) {
System.err.println("Usage:java PublicExample <text>");
System.exit(1);
byte[] plainText = args[0].getBytes("UTF8");
System.out.println("\nStart generating RSA key");
KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
keyGen.initialize(512);
KeyPair key = keyGen.generateKeyPair();
System.out.println("Finish generating RSA key");
Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
Cipher cipher = Cipher.getInstance("RSA/ECB/PKCS1Padding", "BC");
//System.out.println("\n" + cipher.getProvider().getInfo());
System.out.println("\nStart encryption");
cipher.init(Cipher.ENCRYPT_MODE, key.getPublic());
byte[] cipherText = cipher.doFinal(plainText);
System.out.println("Finish encryption:");
System.out.println(new String(cipherText, "UTF8"));
System.out.println("\nStart decryption");
cipher.init(Cipher.DECRYPT_MODE, key.getPrivate());
/*i want to get the private and public key in this method ,but i found the result was not
the one i expected to get,how to solve the problem?
thanks in advance!
System.out.println("private key:" + key.getPrivate().toString());
System.out.println("public key:" + key.getPublic().toString());
byte[] newPlainText = cipher.doFinal(cipherText);
System.out.println("Finish decryption:");
System.out.println(new String(newPlainText, "UTF8"));
thanks in advance!

System.out.println("private key:" +
" + key.getPrivate().toString());
System.out.println("public key:" +
+ key.getPublic().toString());
key.getPrivate() returns an instance of PrivateKey and key.getPublic() returns an instance of PublicKey. Since PublicKey and PrivateKey are interfaces then they will return one of the concrete implementations. Check out the Javadoc for PublicKey and PrivateKey.
When you know which concreate implemenation you have then you can use the methods on that object (by appropriate casting) to find the information you want.

OSB (11.1.1.7): Can OSB/Weblogic (11.1.1.7) support multiple PKIs (Public Key Infra-structure)

Hi All,
Would you be able to help me in understanding if OSB/Weblogic (11.1.1.7) can support multiple private key's in the domain to enable 2-SSL W/S calls ?
Solution walk-through :
A 3rd Party Web Service is only accessible via 2-way SSL http channel. To achieve this, OSB is required to use the private key which is issued by 3rd party. This private key and 3rd party root certificate (CA) need to be installed into OSB’s keystore which is based on Java Keystore format.
The private key (issued by 3rd Party) will be used by OSB for identity signature. This private key is bound to IP address of the OSB machine calling the 3rd Party web service. Also, 3rd Party root certificate (CA) will be used by OSB to verify the identity of 3rd Party web service.
Given the private key is used as the identity of the system and should be guarded closely by the target system, we believe this approach needs to be reviewed and assessed accordingly.
Limitations and drawbacks with the current solution :
1. The private key of OSB system is issued and controlled by an external application vendor.
2. OSB is enforced to use this private key and its signature algorithm for other external parties’ interactions. The current client certificate issued by 3rd Party is X509v3 certificate which uses RSA, with a 2048-bit key size, signed with a SHA-512 hash.
3. The SSL is self-signed, not signed by a publicly trusted cert provider (i.e. VeriSign)
4. Extra dependency on external vendor systems as the key provider. Currently, the keys are bound to server IP address; any changes to the production environment, (i.e. adding new nodes) will require a new key to be generated by 3rd Party system. In case 3rd Party is no more used in the future, the keys can no longer be generated.
Conclusion : OSB does not support multiple PKIs (Public Key Infra-structure) which is a mapping mechanism that OSB uses to provide its certificate for SSL connecitons to the server. Multiple private keys, require multiple PKIs which OSB does not handle.
So, do you agree that OSB/Welblofic (11.1.1.7) could not support multiple private key issued by more than one 3rd party vendor ?
Thanks,
Kunal Singh

Hi Kunal,
Although it is recommended to have 1 key pair for 1 identity store as it represents unique identity of your domain but you can:
import multiple key-pairs in your identity store
Configure PKI credential mapper to use reference of identity store consisting of multiple keys
When in your OSB project, you create Service Key provider(SKP) then it loads all the private keys present in identity store referred by PKI mapper. It will browse both the keys.
Depending on your requirement, you can choose different key pair for for different SKPs for "Client Authentication key" section(For SSL) and "Signature key" for DigiSign.
Please let me know if i understood your query correctly and above helps.
Regards,
Ankit

Encrypting a vote with a servers public key...HELP!

Hey, I really need some help( online voting application)....what I want to do it allow a voter to be able to submit a ballot(vote) via servlets, they encrypt the ballot with the servers public key and then the ballot is stored in a database, where at another time the administrator may decrypt the ballot(s) using the servers private key. I have already sorted the voters authentication(MD5), and at the moment the servlet submits the ballot in an unencrypted form....so I just need a little help from here. I enclose my code and I would be truly grateful of someone could give me a hand.
import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;
import java.sql.* ;
public class CastVote extends HttpServlet{
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException,IOException{
try {
String jmulligan= request.getParameter("jmulligan");
String pkelly=request.getParameter("pkelly");
String mjones=request.getParameter("mjones");
response.setContentType("text/html");
PrintWriter out=response.getWriter();
Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");
Connection con = DriverManager.getConnection ("jdbc:odbc:evoting");
Statement stmt = con.createStatement();
stmt.executeUpdate(
"INSERT INTO Ballot (JMulligan, PKelly, MJones)"
+ "VALUES ('"+jmulligan+"','"+pkelly+"','"+mjones+"') ");
stmt.close();
out.println("<HTML>\n"+
"<HEAD><TITLE>EVoting</TITLE></HEAD>\n"+
"<BODY BGCOLOR=\"127734\">\n"+
"<H1>Your Ballot has been entered as follows</H1>\n"+
"<H1>J Mulligan got "+ jmulligan +"</H1>\n"+
"<H1> M Jones got "+ mjones +"</H1>\n"+
"<H1> P Kelly got "+ pkelly +"</H1>\n"+
"</BODY></HTML>");
catch( Exception e ) {
System.out.println(e.getMessage());
e.printStackTrace();
thanks
Jacinta
PS I have ssl configured, with a self signed cert.

Hey!
I am also in the middle of doing an en=voting application as part of my thesis! Its interesting to see the way other people do the voting. Well, my experience so far is that I cannot get public/private key encryption to work. I have posted many topics on this forum regarding it and the reason it wont work is that the ballot that I am trying to enctypt is too large for the ballot object . I used the RSA algoithm and it wasn't able to handle my large object. So instead I have just used a symmetric algorithm and that works fine. I think its the DES algorithm. The only problem with this is that you are using the same key to encrypt and decrypt the ballot. I dont think this is secure. It has been reccomended to me that I use this symmetric algorithm as it is, but that I then use public/private key to encrypt the symmetric key! I still have a problem with this because if the key is still encrypted with public key, the user must have acces to the private key to decrypt the symmetric key to decryt the ballot. See where I'm going?
I would love to know of an asymmetric algorithm that can encrypt large objects. That would solve the whole security issue. I will post a replyhere if I find out the answer.
By the way, how is your project going?
All the best,
Chris Moltisanti

How to store a RSA pair key in Java Key Store (jks) and VS

Hi Everyone ,
I have generated a RSA pair key . now I need to store my public key in a Java Key Store (.jks file) . and then I need to read this .jks file in another application and get this public key to use for verification .
I'll appreciate it if anyone could help me with this matter with a sample code for import/export public key to/from a java key store file or any hints.
Best Regards,
Vivian

I don't think this makes sense. How have you generated an RSA key pair and where is the result stored?

What is the probability to get the same public key twice?

when I encrypt a message using somebody's public key, what are the chances other person has generated the same key independently? Is it safe to identify a user with its public key?

The key pair (public, private key) is generated by choosing random probably prime numbers using a pseudo-random number generator.
The quality of the pseudo-random number generator determines the probability of having two people with the same public-private key pair. Usually pseudo-random number generators (like the JCE SecureRandom) use some entropy sources, like the real-time clock, the time elapsed between keystrokes, bits of the screen, etc.)
If you use true hardware random number generators (like the used in crypto hardware like RSA smartcards and HSM (Hardware Security Modules), or the hardware RNG available in some Intel chipsets for the Pentium !!! and 4), you will have a probability much closer to the minimum theoretical probability.
Use hardware random number generators and crypto hardware if you really are concerned about the probability of having matching keypairs.

RSA public key & transient

Similar Messages

Maybe you are looking for