Java Cryptography

by Jonathan Knudsen
O'Reilly & Associates 1998
344 pages. Index, five appendices. $29.95. ISBN 1-56592-402-9

Reviewed by Robert Bruen, Cipher Book Review Editor

Aimed at Java programmers, Java Cryptography is not a book on cryptography, but instead about how to use cryptography in Java 1.2. There is an introductory chapter on crypto, but it is intended only as a backdrop to the real focus of the book. If you are new to Java, it will take work for you to get the fullest benefit from the book, but if you can write Java code and know something about encryption, keys and authentication, you should get a lot out of reading it. It is a hands-on-while-reading book.

The first example of code appears on page 6, a simple program that creates a message digest for the contents of a given file using MD5. I dutifully typed it in and ran it with no problem. It is accompanied by a clear, step-by-step explanation of how it works. The subsequent examples require JDK 1.2, which at the present time requires a Sun or Wintel machine. (I am waiting on the Linux version.) These examples are as well written as the first, with the same clear explanations of what is going on in the code.
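A modern equivalent of that opening example, added here as an illustration and not taken from the book: it streams a file through java.security.MessageDigest (MD5 by default, as the book does, although SHA-256 is the sensible choice today since MD5 is no longer collision-resistant) and can check the result against an expected hex digest with a constant-time comparison. It assumes Java 17 or later for java.util.HexFormat; the class name FileDigest is this example's own.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;

public class FileDigest {

    // Stream the file through the digest so large files are hashed
    // without being read into memory all at once.
    static byte[] digestFile(String path, String algorithm)
            throws IOException, NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        try (InputStream in = new FileInputStream(path)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                md.update(buf, 0, n);
            }
        }
        return md.digest();
    }

    // Compare against a known digest in constant time, so the comparison
    // itself does not leak how many leading bytes matched.
    static boolean verify(String path, String algorithm, String expectedHex)
            throws IOException, NoSuchAlgorithmException {
        byte[] actual = digestFile(path, algorithm);
        byte[] expected = HexFormat.of().parseHex(expectedHex);
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java FileDigest <file> [algorithm] [expected-hex]");
            System.exit(2);
        }
        // MD5 mirrors the book's example; pass "SHA-256" for current practice.
        String algorithm = args.length > 1 ? args[1] : "MD5";
        byte[] digest = digestFile(args[0], algorithm);
        System.out.println(algorithm + " " + HexFormat.of().formatHex(digest));
        if (args.length > 2) {
            System.out.println(verify(args[0], algorithm, args[2]) ? "match" : "MISMATCH");
        }
    }
}
```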

The first four chapters are mainly background material on concepts, architecture and random numbers, all very useful. Chapter five is a solid one that covers key management in detail. Java has classes for key generation, translation and agreement (like Diffie-Hellman). You can specify your choice of algorithm easily when invoking a method. Knudsen provides an in-depth look at writing code to use the Simple Key Management for Internet Protocols (SKIP) on both the client and server side.

He addresses the change from 1.1 to 1.2 in the approach to key management, which started as the javakey command-line utility and ended up as a keystore managed through a command-line interface called keytool. This represents a noticeable change for developers, but this chapter should help.

The topic of chapter six is authentication: message digests, digital signatures and certificates, again with good explanations and example code. Chapter seven covers encryption through a close look at the javax.crypto classes, using cipher block chaining and cipher feedback modes for the code examples.

Java applets that are signed are supposed to be a way to permit code to run outside of the sandbox, beyond the normal controls placed on Java code. It is the contentious DMZ where security requirements meet user desires for utility and convenience. In order to spice up web pages, some security concerns must be ignored. Cryptographically signing an applet raises the user's level of trust in an unknown applet served from some remote web site. The specifics of how HotJava, Netscape and Internet Explorer implement signed applets are discussed in chapter eight, and yes, they are all slightly different. The same applet is used for each for comparison.

Extending Java by writing your own cryptographic provider is explained in chapter nine using ElGamal. If you were not sure how ElGamal works, this is a good way to find out. The author provides a set of classes to support signatures and ciphers using ElGamal. Chapters ten and eleven are in-depth examples of applications: SafeTalk and CipherMail. Chapter twelve wraps up the book by discussing application design and security. The appendices are all full of useful information on javakey, JAR files, and a summary of the crypto classes.

I found Java Cryptography informative, easy to read because of the author's style, and a great place to start working with cryptography and Java. It delivers on its promise, making it a recommended book, something you should have if you want to develop code in this area.