Key Management in Java

Sometimes developers find it confusing or hard to connect the dots between some of the key management interfaces in Java especially the key generators, key tool and key store.

In Java, keys are generated using a special class called key generator. Creating new random keys involves – invoking a key generator object for the algorithm you want to use, initializing the key generator and then request it to generate the keys.

There are two types of keys that can be generated asymmetric and symmetric keys. The asymmetric keys are generated using class while the symmetric one by javax.crypto.KeyGenerator class. Mind you, the latter one is part of Java Cryptography Extension (JCE).
Both follow the same steps as descibed above. A symmetric key generation example is –

KeyGenerator myKG = KeyGenerator.getInstance(“DES”);
myKG.init(new SecureRandom());
SecretKey myKey = myKG.generateKey();

An example for asymmetric key generation would be –

KeyPairGenerator myKPG = KeyPairGenerator.getInstance(“DSA”);
KeyPair myKeyPair = myKPG.generateKeyPair();

In case Sun’s APIs does not support the required algorithms, then you may to look for other cryptographic provider APIs. IAIK, RSA and Entrust are some of the well known cryptographic providers, at least those that I have used. In your code, you will have to add these providers before generating the keys.

After the generating the keys, you need to store them. KeyStore ( comes handy for holding keys as well as certificates. KeyStore contains two types of entries – (1) a private key along with the chain of certificates that correspond to the matching public key (2) a certificate of someone you trust. KeyStore supports storing and loading of keys, adding key pair entries, as well as adding and retrieving trusted certificate entries.

A passphrase is required to check the integrity of the data while you are in the operation of either storing and loading of a key or while adding key pairs. A clear text passphrase can be used, however that’s definitely not secure. One of the ways to avoid dictionary attacks, though not a real secure way, is to encrypt the private key by randomly creating a passphrase and then mixing it with the private key. The other one, probably the best one, is to use Password Based Encryption (PBE). Here a passphrase is used to generate a session key. The session key will be used with a symmetric cipher to encrypt the original private key before it is saved to the KeyStore.

While KeyStore is a simple database for storing private keys, public keys and certificates, keytool is a command line interface to the class. You can use it to generate key pairs, inspect the KeyStore, generate CSR and also import certificates along with other options and functions.

1 comment

  1. Good article – gives a nice overview of key generation in Java, for symmetric and asymmetric keys….
    Maybe a bit of KeyStore code will also help those who read this.

Leave a comment

Your email address will not be published. Required fields are marked *