Interface CryptoCoreSpec<R,​D,​S,​P,​K,​T>

    • Method Summary

      Modifier and Type   Method / Description
      D        asymmetricDecrypt​(K privateKey, P publicKey, R data)
               Core asymmetric decryption; receives the private key together with its matching public key.
      D        asymmetricDecrypt​(K key, R data)
               Core asymmetric decryption with the private key.
      R        asymmetricEncrypt​(P key, D data)
               Core asymmetric encryption with the recipient's public key.
      T        hash​(D data, D salt)
               Core cryptographic hash with a per-user salt (and, for passwords, an iteration count).
      <U> U    random()
               Cryptographically secure pseudorandom number generation (CSPRNG).
      T        sign​(D data, K privateKey)
               Core digital signature over data with the signer's private key.
      T        sign​(D data, K privateKey, X509Certificate x509Certificate)
               Core digital signature in JSON Web Signature (JWS) form, with the signer's X.509 certificate.
      D        symmetricDecrypt​(S key, R data, D aad)
               Core symmetric (AEAD) decryption; no separate IV parameter.
      D        symmetricDecrypt​(S key, R data, D iv, D aad)
               Core symmetric (AEAD) decryption with an explicit IV.
      R        symmetricEncrypt​(S key, D data, D aad)
               Core symmetric (AEAD) encryption; the implementation chooses the IV.
      R        symmetricEncrypt​(S key, D data, D iv, D aad)
               Core symmetric (AEAD) encryption with a caller-supplied IV.
      boolean  verifySignature​(D data, T signature, P publicKey)
               Verifies a signature over data with the signer's public key.
      boolean  verifySignature​(T signature)
               Verifies a JSON Web Signature (JWS); no separate key or data parameter.
    • Method Detail

      • symmetricEncrypt

        R symmetricEncrypt​(S key,
                           D data,
                           D aad)
        This method is used for core Symmetric Encryption. Symmetric encryption uses a single secret key for both encryption and decryption, so the communicating parties must share that key before it can be used for decryption; this is the difference from asymmetric encryption, where a pair of keys, one public and one private, is used. Data encrypted with a symmetric algorithm cannot be understood by anyone who does not possess the secret key; the intended recipient, who holds the key, reverses the transformation to recover the original message. The key may be derived from a password or code, but should preferably be a random value produced by a cryptographically secure random number generator (RNG). Symmetric encryption is described in Symmetric-key_algorithm.

        This method is an AEAD (Authenticated Encryption with Associated Data) operation, which provides both confidentiality and data origin authentication. AEAD is described in rfc5116#section-3.3. The AAD (Additional Authenticated Data) is attached to the ciphertext without being encrypted, but is bound to it: it cannot be changed or separated without the authentication check failing. Conceptually, the MAC is computed over the AAD and the ciphertext together, so the decrypting side must present exactly the same AAD bytes. Typical AAD is context that must stay readable but must not be swapped, such as a record identifier, a schema version or a message header.

        This overload takes no initialization vector. The implementation must therefore draw a fresh, unpredictable IV for every call and include it in the returned encrypted data, because the matching symmetricDecrypt(key, data, aad) has no other way to receive it.
        Parameters:
        key - symmetric (secret) key
        data - data to encrypt
        aad - Additional Authenticated Data: bound to the ciphertext but not encrypted; the same bytes must be supplied at decryption
        Returns:
        encrypted data, carrying the IV the implementation chose
      • symmetricEncrypt

        R symmetricEncrypt​(S key,
                           D data,
                           D iv,
                           D aad)
        This method is used for core Symmetric Encryption with a caller-supplied initialization vector. The background on symmetric encryption and on AEAD/AAD given under symmetricEncrypt(key, data, aad) applies unchanged here: the AAD is authenticated but not encrypted, and the same AAD bytes must be presented to symmetricDecrypt(key, data, iv, aad).

        With this overload the caller owns IV management. For an AEAD algorithm the IV (nonce) must never repeat under the same key (rfc5116#section-3.1): generate it with a cryptographically secure RNG or a strictly non-repeating counter, and store or transmit it alongside the ciphertext for the decrypting side. Reusing a (key, IV) pair with a counter-mode AEAD such as AES-GCM exposes the XOR of the two plaintexts and allows forged authentication tags.
        Parameters:
        key - symmetric (secret) key
        data - data to encrypt
        iv - initialization vector (nonce); unique for every encryption under this key
        aad - Additional Authenticated Data; the same bytes must be supplied at decryption
        Returns:
        encrypted data
      • symmetricDecrypt

        D symmetricDecrypt​(S key,
                           R data,
                           D aad)
        This method is used for core Symmetric Decryption. The background on symmetric encryption and on AEAD/AAD given under symmetricEncrypt(key, data, aad) applies here. The data argument is the value produced by symmetricEncrypt(key, data, aad), which carries the IV that overload chose, so no separate IV is needed.

        As an authenticated decryption (rfc5116#section-2.2) the implementation verifies the authentication tag over the AAD and the ciphertext before any plaintext is released; if the ciphertext, the tag or the supplied AAD differs from what was authenticated at encryption, the call fails and returns no plaintext, not a partial or garbled result. Callers should treat that failure as a security event (tampering or key mismatch), not as a parsing error to retry.
        Parameters:
        key - symmetric (secret) key
        data - data to decrypt, as returned by symmetricEncrypt(key, data, aad)
        aad - Additional Authenticated Data, identical to the value used at encryption
        Returns:
        decrypted data
      • symmetricDecrypt

        D symmetricDecrypt​(S key,
                           R data,
                           D iv,
                           D aad)
        This method is used for core Symmetric Decryption with a caller-supplied initialization vector. The background on symmetric encryption and on AEAD/AAD given under symmetricEncrypt(key, data, aad) applies here, as does the fail-closed behaviour described under symmetricDecrypt(key, data, aad): the authentication tag is verified over the AAD and the ciphertext before any plaintext is released, and any mismatch (ciphertext, tag, AAD or IV) makes the call fail with no output. The caller must supply the exact IV used by symmetricEncrypt(key, data, iv, aad); the IV is not secret and is normally stored or sent in clear next to the ciphertext.
        Parameters:
        key - symmetric (secret) key
        data - data to decrypt, as returned by symmetricEncrypt(key, data, iv, aad)
        iv - initialization vector used at encryption
        aad - Additional Authenticated Data, identical to the value used at encryption
        Returns:
        decrypted data
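        The four symmetric methods above, implemented with AES-GCM through the standard JCA API. This is an added example and not the interface's own implementation: it assumes the type bindings R = D = byte[] and S = javax.crypto.SecretKey, a 96-bit random IV, a 128-bit tag, and that the no-IV overloads carry the IV as a prefix of the encrypted data. The sample record and AAD in main are constructed for the demonstration. It shows the two tampering cases the text describes (changed AAD, changed ciphertext) being rejected before any plaintext is returned.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Hypothetical AES-GCM implementation of the symmetric methods (assumed bindings:
// R = D = byte[], S = SecretKey). Not the interface's own code.
public class AesGcmExample {
    private static final int IV_BYTES = 12;   // 96-bit nonce, the size GCM is specified for
    private static final int TAG_BITS = 128;  // full-length authentication tag
    private static final SecureRandom RNG = new SecureRandom();

    // symmetricEncrypt(key, data, iv, aad): the caller owns the IV. It must be unique per
    // key; a repeated (key, iv) pair under GCM leaks plaintext and enables forgeries.
    static byte[] symmetricEncrypt(SecretKey key, byte[] data, byte[] iv, byte[] aad)
            throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        if (aad != null) c.updateAAD(aad);    // authenticated, not encrypted
        return c.doFinal(data);               // ciphertext || 16-byte tag
    }

    // symmetricDecrypt(key, data, iv, aad): the tag is checked over aad and ciphertext;
    // a change to either (or to the iv) makes doFinal throw AEADBadTagException.
    static byte[] symmetricDecrypt(SecretKey key, byte[] data, byte[] iv, byte[] aad)
            throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        if (aad != null) c.updateAAD(aad);
        return c.doFinal(data);
    }

    // symmetricEncrypt(key, data, aad): no IV parameter, so a fresh random IV is drawn
    // here and prepended to the output: iv || ciphertext || tag.
    static byte[] symmetricEncrypt(SecretKey key, byte[] data, byte[] aad)
            throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);
        byte[] ct = symmetricEncrypt(key, data, iv, aad);
        return ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
    }

    // symmetricDecrypt(key, data, aad): split off the IV the encrypt side prepended.
    static byte[] symmetricDecrypt(SecretKey key, byte[] data, byte[] aad)
            throws GeneralSecurityException {
        if (data.length < IV_BYTES + TAG_BITS / 8) {
            throw new GeneralSecurityException("ciphertext too short to contain IV and tag");
        }
        byte[] iv = Arrays.copyOfRange(data, 0, IV_BYTES);
        byte[] ct = Arrays.copyOfRange(data, IV_BYTES, data.length);
        return symmetricDecrypt(key, ct, iv, aad);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();

        // Constructed sample input: a record body plus a header that must stay readable.
        byte[] data = "{\"account\":\"1234\",\"balance\":100}".getBytes(StandardCharsets.UTF_8);
        byte[] aad = "record-id=42;schema=v3".getBytes(StandardCharsets.UTF_8);

        byte[] blob = symmetricEncrypt(key, data, aad);
        if (!Arrays.equals(data, symmetricDecrypt(key, blob, aad))) {
            throw new AssertionError("round trip failed");
        }
        // The AAD is bound to the ciphertext: presenting a different header is rejected.
        byte[] forgedAad = "record-id=43;schema=v3".getBytes(StandardCharsets.UTF_8);
        expectTagFailure(() -> symmetricDecrypt(key, blob, forgedAad), "modified AAD");
        // So is the ciphertext: flipping one bit of the body invalidates the tag.
        byte[] tampered = blob.clone();
        tampered[IV_BYTES + 5] ^= 0x01;
        expectTagFailure(() -> symmetricDecrypt(key, tampered, aad), "modified ciphertext");

        // Explicit-IV overloads: the caller keeps the IV next to the ciphertext.
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);
        byte[] ct = symmetricEncrypt(key, data, iv, aad);
        if (!Arrays.equals(data, symmetricDecrypt(key, ct, iv, aad))) {
            throw new AssertionError("explicit-IV round trip failed");
        }
        System.out.println("AES-GCM round trips succeeded; both tampering attempts were rejected");
    }

    interface Op { byte[] run() throws GeneralSecurityException; }

    static void expectTagFailure(Op op, String what) throws GeneralSecurityException {
        try {
            op.run();
            throw new AssertionError("decryption accepted " + what);
        } catch (AEADBadTagException expected) {
            // fail closed: no plaintext was returned
        }
    }
}
```

        The IV-less overloads here make the IV part of the returned value, which is what lets symmetricDecrypt(key, data, aad) work without an IV argument; whichever layout an implementation picks, the decrypting side must be able to recover the IV and must be given the identical AAD.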
      • asymmetricEncrypt

        R asymmetricEncrypt​(P key,
                            D data)
        This method is used for core Asymmetric Encryption. Asymmetric encryption is a form of encryption where keys come in pairs: what one key encrypts, only the other can decrypt. For some algorithms (textbook RSA is the usual example) the keys are interchangeable, in the sense that if key A encrypts a message then B can decrypt it and vice versa, but this property is not essential to asymmetric encryption, and real schemes add padding and other structure, so encryption and signing are distinct operations with their own algorithms rather than one operation run with the keys swapped. Asymmetric encryption is also known as Public Key Cryptography, since users create a matching key pair, make one key public and keep the other secret. Anyone can send a confidential message by encrypting it with the recipient's public key; only the holder of the corresponding private key can decrypt it. Users can also sign messages with their private key so that anyone holding the public key can verify that the holder of the private key, and not an impostor, produced them (see sign and verifySignature below).

        Two practical consequences follow. First, public-key algorithms encrypt only a short input (for RSA, less than the modulus size minus the padding overhead), so this method is normally used to encrypt a randomly generated symmetric key, with the bulk data encrypted by symmetricEncrypt under that key (hybrid encryption). Second, the key to successful use of asymmetric encryption is a Key Management system implementing a Public Key Infrastructure: without it, it is difficult to establish that a public key really belongs to the intended recipient, or even to find a suitable one, and encrypting to an unverified public key hands the plaintext to whoever supplied that key. Asymmetric encryption is described in Public-key_cryptography.
        Parameters:
        key - public key of the intended recipient
        data - data to encrypt (short; typically a symmetric key)
        Returns:
        encrypted data
      • asymmetricDecrypt

        D asymmetricDecrypt​(K key,
                            R data)
        This method is used for core Asymmetric Decryption with the private key. See asymmetricEncrypt(key, data) above for the background on asymmetric encryption and public-key infrastructure. The data must have been produced by asymmetricEncrypt with the public key matching this private key; with a padding scheme such as OAEP, decryption with any other key or of an altered ciphertext fails outright rather than yielding plausible output. The private key should be protected accordingly (for example in a key store or hardware security module): its compromise exposes everything ever encrypted to the matching public key.
        Parameters:
        key - private key of the recipient
        data - data to decrypt
        Returns:
        decrypted data
      • asymmetricDecrypt

        D asymmetricDecrypt​(K privateKey,
                            P publicKey,
                            R data)
        This method is used for core Asymmetric Decryption and additionally receives the public key that matches privateKey. See asymmetricEncrypt(key, data) above for the background on asymmetric encryption; the requirements stated for asymmetricDecrypt(key, data) apply equally here. What the implementation does with publicKey is not specified by this interface; callers must pass the public key that belongs to the same pair as privateKey.
        Parameters:
        privateKey - private key of the recipient
        publicKey - public key matching privateKey
        data - data to decrypt
        Returns:
        decrypted data
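        The asymmetricEncrypt(key, data) / asymmetricDecrypt(key, data) pair implemented with RSA-OAEP through the standard JCA API. This is an added example and not the interface's own implementation: it assumes R = D = byte[], P = java.security.PublicKey and K = java.security.PrivateKey, RSA-2048 keys, and OAEP with SHA-256 for both the label hash and MGF1. The 32-byte session key it encrypts is constructed for the demonstration. It shows the input-size limit that forces hybrid encryption, OAEP's randomised output, and decryption with the wrong private key failing outright.

```java
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.interfaces.RSAKey;
import java.security.spec.MGF1ParameterSpec;
import java.util.Arrays;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;

// Hypothetical RSA-OAEP implementation of asymmetricEncrypt / asymmetricDecrypt
// (assumed bindings: R = D = byte[], P = PublicKey, K = PrivateKey). Not the interface's own code.
public class RsaOaepExample {
    private static final String TRANSFORM = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    // Pin the MGF1 digest explicitly: with the transformation string alone some providers
    // keep MGF1 on SHA-1, which silently breaks interoperability with other stacks.
    private static final OAEPParameterSpec OAEP = new OAEPParameterSpec(
            "SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT);
    private static final int HASH_BYTES = 32;

    // RFC 8017 section 7.1.1: mLen <= k - 2*hLen - 2, i.e. 190 bytes for a 2048-bit key.
    static int maxPlaintextBytes(RSAKey key) {
        int k = (key.getModulus().bitLength() + 7) / 8;
        return k - 2 * HASH_BYTES - 2;
    }

    static byte[] asymmetricEncrypt(PublicKey key, byte[] data) throws GeneralSecurityException {
        if (data.length > maxPlaintextBytes((RSAKey) key)) {
            // Larger payloads belong in hybrid encryption: encrypt them under a random
            // symmetric key and use this method only on that key.
            throw new IllegalArgumentException("plaintext exceeds the RSA-OAEP limit; use hybrid encryption");
        }
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.ENCRYPT_MODE, key, OAEP);
        return c.doFinal(data);
    }

    static byte[] asymmetricDecrypt(PrivateKey key, byte[] data) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.DECRYPT_MODE, key, OAEP);
        return c.doFinal(data);   // BadPaddingException on the wrong key or an altered ciphertext
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair recipient = kpg.generateKeyPair();
        KeyPair bystander = kpg.generateKeyPair();

        // Constructed sample input: the typical payload is a 256-bit symmetric key.
        byte[] sessionKey = new byte[32];
        new SecureRandom().nextBytes(sessionKey);

        byte[] ct = asymmetricEncrypt(recipient.getPublic(), sessionKey);
        if (!Arrays.equals(sessionKey, asymmetricDecrypt(recipient.getPrivate(), ct))) {
            throw new AssertionError("round trip failed");
        }
        // OAEP randomises the encoding, so the same input never encrypts to the same bytes.
        if (Arrays.equals(ct, asymmetricEncrypt(recipient.getPublic(), sessionKey))) {
            throw new AssertionError("OAEP output repeated");
        }
        // Only the matching private key can decrypt.
        try {
            asymmetricDecrypt(bystander.getPrivate(), ct);
            throw new AssertionError("decrypted with the wrong key");
        } catch (BadPaddingException expected) {
            // fail closed
        }
        // The size limit is enforced before the cipher is touched.
        int limit = maxPlaintextBytes((RSAKey) recipient.getPublic());
        try {
            asymmetricEncrypt(recipient.getPublic(), new byte[limit + 1]);
            throw new AssertionError("over-long plaintext accepted");
        } catch (IllegalArgumentException expected) {
            // caller must switch to hybrid encryption
        }
        System.out.println("RSA-OAEP limit for this key: " + limit + " bytes");
    }
}
```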
      • hash

        T hash​(D data,
               D salt)
        This method is used as the core Cryptographic hash. Cryptographic hashing is described in Cryptographic_hash_function. When the input is a password, the standards for password storage in the OWASP Password Storage Cheat Sheet apply: a single pass of a fast hash over salt and password is not sufficient, and the implementation should include iterations, that is, use a deliberately slow, iterated construction such as PBKDF2. The iteration count specifies how many times the hash executes its underlying algorithm; a higher value is safer for the user and more expensive for an attacker guessing passwords offline. Experiment on hardware equivalent to your production systems; as a starting point, find a value that takes about half a second to execute. Scaling that cost to a huge number of users is beyond the scope of this document. Remember to store the iteration count together with the salt and the hashed password, so that verification can reproduce the same computation and the count can be raised later without invalidating existing records. Compare a freshly computed hash against the stored one with a constant-time comparison.
        Parameters:
        data - data to hash (for password storage, the password)
        salt - random data, different for each user, at least 32 bytes long
        Returns:
        hashed data
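        A password-storage implementation of hash(data, salt) along the lines the text describes, using PBKDF2-HMAC-SHA256 from the standard JCA API. This is an added example and not the interface's own implementation: it assumes the password is a char[], the salt is 32 random bytes, and that the iteration count is an explicit parameter stored next to the salt and hash in the record format "pbkdf2-sha256$iterations$salt$hash" (a format chosen for this example). The password in main is constructed. It shows the half-second calibration, storing the iteration count with the hash, and constant-time verification.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Hypothetical password-hashing implementation of hash(data, salt) with PBKDF2-HMAC-SHA256
// and an explicit, stored iteration count. Not the interface's own code.
public class PasswordHashExample {
    private static final String KDF = "PBKDF2WithHmacSHA256";
    private static final String RECORD_TAG = "pbkdf2-sha256";   // names the KDF in the stored record
    private static final int SALT_BYTES = 32;                   // random, per user, at least 32 bytes
    private static final int KEY_BITS = 256;
    private static final SecureRandom RNG = new SecureRandom();
    private static final Base64.Encoder B64 = Base64.getEncoder();
    private static final Base64.Decoder B64D = Base64.getDecoder();

    static byte[] newSalt() {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        return salt;
    }

    // hash(data, salt): the iterated KDF is what makes offline guessing expensive;
    // a single SHA-256 over salt || password would not.
    static byte[] hash(char[] password, byte[] salt, int iterations) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance(KDF).generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
        }
    }

    // Calibration as the text describes: double the count until one hash takes at least
    // targetMillis on this machine. Run it on hardware equivalent to production.
    static int calibrate(long targetMillis) throws GeneralSecurityException {
        int iterations = 10_000;
        while (iterations < 50_000_000) {
            long start = System.nanoTime();
            hash("calibration-only".toCharArray(), new byte[SALT_BYTES], iterations);
            if ((System.nanoTime() - start) / 1_000_000 >= targetMillis) break;
            iterations *= 2;
        }
        return iterations;
    }

    // Stored form keeps the KDF name, iteration count and salt next to the hash, so the
    // count can be raised for new records without breaking old ones.
    static String store(char[] password, int iterations) throws GeneralSecurityException {
        byte[] salt = newSalt();
        byte[] h = hash(password, salt, iterations);
        return RECORD_TAG + "$" + iterations + "$" + B64.encodeToString(salt) + "$" + B64.encodeToString(h);
    }

    static boolean verify(char[] password, String stored) throws GeneralSecurityException {
        String[] parts = stored.split("\\$");
        if (parts.length != 4 || !RECORD_TAG.equals(parts[0])) return false;
        int iterations;
        byte[] salt;
        byte[] expected;
        try {
            iterations = Integer.parseInt(parts[1]);
            salt = B64D.decode(parts[2]);
            expected = B64D.decode(parts[3]);
        } catch (IllegalArgumentException e) {     // NumberFormatException is a subclass
            return false;
        }
        if (iterations <= 0 || salt.length < SALT_BYTES) return false;
        byte[] actual = hash(password, salt, iterations);
        return MessageDigest.isEqual(expected, actual);   // constant-time comparison
    }

    public static void main(String[] args) throws Exception {
        int iterations = calibrate(500);   // the "half a second" starting point from the text
        char[] password = "correct horse battery staple".toCharArray();   // constructed sample
        String record = store(password, iterations);
        if (!verify(password, record)) throw new AssertionError("valid password rejected");
        if (verify("correct horse battery stapler".toCharArray(), record)) throw new AssertionError("wrong password accepted");
        // Two users with the same password get different records because the salt differs.
        if (record.equals(store(password, iterations))) throw new AssertionError("salt reused");
        System.out.println("iterations=" + iterations + " record=" + record);
    }
}
```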
      • sign

        T sign​(D data,
               K privateKey)
        This method is responsible for the core Digital Signature; it signs data. A digital signature is a mathematical technique used to validate the authenticity and integrity of a message, software or digital document. As the digital equivalent of a handwritten signature or stamped seal, it is intended to solve the problem of tampering and impersonation in digital communications: the signature is computed with the signer's private key and checked by anyone holding the matching public key, so it cannot be produced without the private key and no longer matches if the data is altered. Digital signatures can thus provide evidence of origin, identity and status of an electronic document, transaction or message, and can record the signer's informed consent. In many countries, including the United States, digital signatures are considered legally binding in the same way as traditional document signatures. The guarantee is only as strong as the secrecy of the private key, which is why it is the signer's own key and is never shared. Digital Signature is described in Digital_signature.
        Parameters:
        data - data to sign
        privateKey - private key of the signer (owner)
        Returns:
        signature over data, to be checked with verifySignature(data, signature, publicKey)
      • sign

        T sign​(D data,
               K privateKey,
               X509Certificate x509Certificate)
        This method is responsible for the core Digital Signature in the JSON Web Signature (JWS, RFC 7515) format; it signs data. The general description of digital signatures under sign(data, privateKey) applies. A JWS consists of a protected header (naming at least the signature algorithm, alg), the payload, and the signature computed over both; the header can carry the signer's certificate chain in the x5c parameter (rfc7515#section-4.1.6). The certificate passed here identifies the signer whose private key is used, so its public key must be the one corresponding to privateKey. Because the result is self-describing, verifySignature(signature) below can be called without a separate public key.
        Parameters:
        data - data to sign
        privateKey - private key of the signer (owner)
        x509Certificate - X509Certificate of the signer (owner), containing the public key that matches privateKey
        Returns:
        signed data (a JWS)
      • verifySignature

        boolean verifySignature​(D data,
                                T signature,
                                P publicKey)
        This method is responsible for the core Digital Signature; it verifies a signature. The general description of digital signatures under sign(data, privateKey) applies. Verification recomputes the check over exactly the bytes that were signed, using the signer's public key: it returns true only if signature was produced over this data by the private key matching publicKey. Any alteration of data, or a signature made with a different key, yields false, and a malformed signature should also yield false rather than an unhandled error. The result is only meaningful if publicKey is trusted to belong to the claimed signer, which is the job of a PKI or another out-of-band key distribution mechanism.
        Parameters:
        data - the data that was signed
        signature - signature to verify, as returned by sign(data, privateKey)
        publicKey - public key of the signer (owner)
        Returns:
        true if the signature is valid for data under publicKey; false otherwise
      • verifySignature

        boolean verifySignature​(T signature)
        This method is responsible for the core Digital Signature in the JSON Web Signature (JWS, RFC 7515) format; it verifies a signature. The general description of digital signatures under sign(data, privateKey) applies. Unlike verifySignature(data, signature, publicKey), no key and no separate data are passed: the JWS carries the payload, the protected header and the signature, and the verifier recovers the signer's key from the header (for example from an x5c certificate). Two checks are essential before that key is used. The alg header is attacker-controlled input, so the implementation must accept only the algorithm(s) it expects and must reject alg "none" and any algorithm-family switch (such as an asymmetric algorithm replaced by an HMAC keyed with the public key). Likewise a certificate embedded by the sender proves nothing by itself; it must be validated against a trusted anchor (chain, validity period, revocation status) and matched to the expected signer before its public key is trusted to verify the signature.
        Parameters:
        signature - signed data (a JWS), as returned by sign(data, privateKey, x509Certificate)
        Returns:
        true if the signature is verified; false otherwise
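        The signing and verification methods above, implemented with SHA256withRSA (JWS alg RS256) through the standard JCA API. This is an added example and not the interface's own implementation: it assumes D = byte[] and T = byte[] for sign(data, privateKey) / verifySignature(data, signature, publicKey), and T = String in JWS compact serialization for the JWS variants; the JWS verifier takes the already-trusted public key as a parameter instead of reading an x5c certificate from the header, because the JDK has no public API for minting a certificate offline, and it reads the alg header with a regular expression where a real implementation would use a JSON parser. The transaction payload in main is constructed. It shows altered data, a wrong key and a malformed signature all failing, and an alg "none" forgery being rejected because the verifier pins the algorithm instead of trusting the header.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical signing implementation (assumed bindings: D = byte[], T = byte[] for the
// raw methods, T = String JWS compact serialization for the JWS methods). Not the interface's own code.
public class SignatureExample {
    private static final String JCA_ALG = "SHA256withRSA";   // JWS name: RS256
    private static final String JWS_ALG = "RS256";           // the only alg this verifier accepts
    private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64URL_DEC = Base64.getUrlDecoder();
    private static final Pattern ALG_FIELD = Pattern.compile("\"alg\"\\s*:\\s*\"([^\"]*)\"");

    // sign(data, privateKey): detached signature over the raw bytes.
    static byte[] sign(byte[] data, PrivateKey privateKey) throws GeneralSecurityException {
        Signature s = Signature.getInstance(JCA_ALG);
        s.initSign(privateKey);
        s.update(data);
        return s.sign();
    }

    // verifySignature(data, signature, publicKey): a malformed signature is simply invalid.
    static boolean verifySignature(byte[] data, byte[] signature, PublicKey publicKey) {
        try {
            Signature s = Signature.getInstance(JCA_ALG);
            s.initVerify(publicKey);
            s.update(data);
            return s.verify(signature);
        } catch (GeneralSecurityException e) {
            return false;
        }
    }

    // JWS compact serialization: BASE64URL(header) "." BASE64URL(payload) "." BASE64URL(sig),
    // where the signature covers the ASCII bytes of "header.payload" (RFC 7515 section 5.1).
    static String signJws(byte[] payload, PrivateKey privateKey) throws GeneralSecurityException {
        String header = B64URL.encodeToString(
                ("{\"alg\":\"" + JWS_ALG + "\"}").getBytes(StandardCharsets.UTF_8));
        String signingInput = header + "." + B64URL.encodeToString(payload);
        byte[] sig = sign(signingInput.getBytes(StandardCharsets.US_ASCII), privateKey);
        return signingInput + "." + B64URL.encodeToString(sig);
    }

    // verifySignature(signature) for a JWS whose signer key is already trusted. The alg
    // header is read only to confirm it is the expected one; the token never chooses the
    // algorithm, which is what defeats "alg":"none" and key-confusion forgeries.
    static boolean verifyJws(String jws, PublicKey trustedKey) {
        String[] parts = jws.split("\\.", -1);
        if (parts.length != 3) return false;
        byte[] headerBytes;
        byte[] sig;
        try {
            headerBytes = B64URL_DEC.decode(parts[0]);
            sig = B64URL_DEC.decode(parts[2]);
        } catch (IllegalArgumentException e) {
            return false;
        }
        // A real implementation parses the header as JSON; a regex suffices to show the check.
        Matcher m = ALG_FIELD.matcher(new String(headerBytes, StandardCharsets.UTF_8));
        if (!m.find() || !JWS_ALG.equals(m.group(1))) return false;
        String signingInput = parts[0] + "." + parts[1];
        return verifySignature(signingInput.getBytes(StandardCharsets.US_ASCII), sig, trustedKey);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair signer = kpg.generateKeyPair();
        KeyPair impostor = kpg.generateKeyPair();

        // Constructed sample input.
        byte[] data = "{\"txn\":\"8811\",\"amount\":250}".getBytes(StandardCharsets.UTF_8);

        byte[] sig = sign(data, signer.getPrivate());
        if (!verifySignature(data, sig, signer.getPublic())) throw new AssertionError("valid signature rejected");
        byte[] altered = data.clone();
        altered[altered.length - 2] = '9';   // amount 250 -> 259
        if (verifySignature(altered, sig, signer.getPublic())) throw new AssertionError("altered data accepted");
        if (verifySignature(data, sig, impostor.getPublic())) throw new AssertionError("wrong key accepted");
        if (verifySignature(data, new byte[3], signer.getPublic())) throw new AssertionError("garbage accepted");

        String jws = signJws(data, signer.getPrivate());
        if (!verifyJws(jws, signer.getPublic())) throw new AssertionError("valid JWS rejected");
        if (verifyJws(jws, impostor.getPublic())) throw new AssertionError("JWS verified with wrong key");
        // Classic forgery attempt: swap the header for alg "none" and drop the signature.
        String noneHeader = B64URL.encodeToString("{\"alg\":\"none\"}".getBytes(StandardCharsets.UTF_8));
        String forged = noneHeader + "." + jws.split("\\.")[1] + ".";
        if (verifyJws(forged, signer.getPublic())) throw new AssertionError("alg=none accepted");
        System.out.println("JWS: " + jws);
    }
}
```

        When the key is taken from an x5c header instead of being passed in as here, the certificate must first be chain-validated to a trust anchor and matched to the expected signer; only then does its public key take the place of trustedKey.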