Generating 128-bit keys with keytool


Solution 1

You just need to specify a different storetype:

keytool -genseckey -alias check2 -keyalg AES -keysize 128 -storepass changeit -storetype JCEKS -keystore ks.jck

Solution 2

Certificates are used for public key cryptography and do not contain encryption keys for the symmetric block cipher AES-128. Instead, public key cryptography is used only to encrypt or negotiate the 128-bit AES key and the rest of the conversation uses AES.

The 128-bit AES key is not a certificate; it's just 128 bits from a cryptographically strong random number generator or derived from a passphrase using a hashing algorithm such as PBKDF2. How you get these bits will depend on your application. SSL/TLS must negotiate a random key, but a hard disk encryption program would derive the key from a passphrase.
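The two answers together describe the whole picture: Solution 1 shows keytool putting an AES secret key into a JCEKS store, and Solution 2 explains where the 128 bits themselves come from (a CSPRNG, or PBKDF2 over a passphrase). The Java program below is an added example, not code from either answer or from the questioner; it produces a 128-bit AES key both ways with the standard JCA providers, writes it into a JCEKS keystore under the same alias and store password the keytool command uses, and reads it back. The file name, alias, passphrase, salt and iteration count are constructed sample values.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class Aes128KeyDemo {

    // Random 128-bit AES key from the JCA's default CSPRNG (the "negotiated key" case).
    static SecretKey randomAesKey() throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128, new SecureRandom());
        return kg.generateKey();
    }

    // 128-bit AES key derived from a passphrase with PBKDF2-HMAC-SHA256 (the
    // "disk encryption" case). Salt and iteration count are supplied by the caller;
    // the salt must be stored alongside the ciphertext so the key can be re-derived.
    static SecretKey passphraseAesKey(char[] passphrase, byte[] salt, int iterations)
            throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(passphrase, salt, iterations, 128);
        try {
            byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
            return new SecretKeySpec(raw, "AES");
        } finally {
            spec.clearPassword();   // do not leave the passphrase lying around in memory
        }
    }

    // Store a SecretKey in a JCEKS keystore, the store type "keytool -genseckey" writes.
    // The default JKS type cannot hold a SecretKeyEntry at all, which is why the
    // store type is the thing that matters in the keytool command.
    static void storeKey(SecretKey key, String path, String alias, char[] storePass)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, null);   // initialise an empty store
        ks.setEntry(alias, new KeyStore.SecretKeyEntry(key),
                new KeyStore.PasswordProtection(storePass));
        try (FileOutputStream out = new FileOutputStream(path)) {
            ks.store(out, storePass);
        }
    }

    // Read the SecretKey back; this is what an application would do with the
    // ks.jck file produced by the keytool command in Solution 1.
    static SecretKey loadKey(String path, String alias, char[] storePass)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);
        }
        KeyStore.SecretKeyEntry entry = (KeyStore.SecretKeyEntry) ks.getEntry(
                alias, new KeyStore.PasswordProtection(storePass));
        if (entry == null) {
            throw new GeneralSecurityException("no secret key under alias " + alias);
        }
        return entry.getSecretKey();
    }

    public static void main(String[] args) throws Exception {
        char[] storePass = "changeit".toCharArray();   // same as the keytool example

        // Random key, round-tripped through a JCEKS store named like the keytool one.
        SecretKey k1 = randomAesKey();
        storeKey(k1, "ks.jck", "check2", storePass);
        SecretKey back = loadKey("ks.jck", "check2", storePass);
        System.out.println("round trip ok: " + Arrays.equals(k1.getEncoded(), back.getEncoded()));
        System.out.println("key length in bits: " + back.getEncoded().length * 8);

        // Passphrase-derived key; constructed sample passphrase, random salt.
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        SecretKey k2 = passphraseAesKey("correct horse battery staple".toCharArray(), salt, 200_000);
        System.out.println("derived key length in bits: " + k2.getEncoded().length * 8);
    }
}
```

Note that the key entry here is protected with the store password, just as keytool does when no separate `-keypass` is given; in a real deployment the two are usually kept distinct, and the store file itself needs the same file-permission care as any other credential.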


Updated on June 04, 2022

Comments

  • user3137901 almost 2 years

    Is there a way to generate a 128-bit key pair suitable for encryption using Sun's keytool program? It seems that the algorithms available in http://java.sun.com/javase/6/docs/technotes/guides/security/StandardNames.html#KeyPairGenerator are either not supported or do not allow keys shorter than 512 bits.

    The key pair will be used with the following code snippet:

    import java.io.FileInputStream;
    import java.io.InputStream;
    import java.io.OutputStream;
    import java.security.KeyStore;
    import java.security.PrivateKey;
    import java.security.Security;
    import java.security.cert.X509Certificate;

    import org.apache.commons.io.IOUtils;
    import org.bouncycastle.cms.CMSEnvelopedDataGenerator;
    import org.bouncycastle.cms.CMSEnvelopedDataStreamGenerator;
    import org.bouncycastle.jce.provider.BouncyCastleProvider;

    Security.addProvider(new BouncyCastleProvider());

    // Load the PKCS#12 keystore holding the recipient's key pair and certificate.
    KeyStore keyStore = KeyStore.getInstance("PKCS12");
    FileInputStream keyStoreSource = new FileInputStream("keystore");
    try {
        keyStore.load(keyStoreSource, "password".toCharArray());
    } finally {
        keyStoreSource.close();
    }

    // Take the first alias in the store; its certificate identifies the CMS recipient.
    String alias = (String) keyStore.aliases().nextElement();
    PrivateKey privateKey = (PrivateKey) keyStore.getKey(alias, "password".toCharArray());
    X509Certificate certificate = (X509Certificate) keyStore.getCertificate(alias);

    // CMS EnvelopedData: a fresh AES-128 content key encrypts the data, and the
    // recipient's public key (from the certificate) wraps that content key.
    CMSEnvelopedDataStreamGenerator generator = new CMSEnvelopedDataStreamGenerator();
    generator.addKeyTransRecipient(certificate);

    OutputStream output2 = generator.open(output, CMSEnvelopedDataGenerator.AES128_CBC, BouncyCastleProvider.PROVIDER_NAME);
    try {
        IOUtils.copy(input, output2);
    } finally {
        output2.close();
        output.close();
    }


    where output is some OutputStream where the encrypted data will be saved and input is some InputStream where the plaintext data will be read.

  • user3137901 almost 15 years
    I was looking to generate a test cert to use with AES-128. Am I going about it the wrong way then?
  • Sani Singh Huttunen almost 15 years
    Could you explain in a bit more detail what you wish to accomplish?
  • user3137901 almost 15 years
    Updated question with code snippet where key pair generated will be used.
  • user3137901 almost 15 years
    Updated question with code snippet where key pair generated will be used. Hopefully, I have cleared up any confusion. But, yeah, I'm a crypto beginner. :P