
RE: [iaik-jce] Data encryption algs for PKCS7



AlgorithmIDs that are not yet statically registered can be created and registered by using the

 public AlgorithmID(String objectID, String name, String implementationName);

constructor of the AlgorithmID class, where "objectID" specifies the "OID"
string, name the name of the algorithm, and "implementationName" a
transformation string that will work on Cipher.getInstance(...), e.g. (for IDEA).

AlgorithmID idea_CBC = new AlgorithmID("1.3.6.1.4.1.188.7.1.1.2", "IDEA-CBC",
                                       "IDEA/CBC/PKCS5Padding");
 
The setupCipher(contentEA, Key key, AlgorithmParameterSpec params) method of the EncryptedContentInfo(Stream) class may be used to set up the cipher with a precomputed key and parameters of a particular algorithm. The parameters shall be set for the algorithmID (by means of the setAlgorithmParameters or setParameter method) before calling setupCipher, and the supplied AlgorithmParameterSpec has to match the parameters incorporated in the algorithmID.
 
The setupCipher then calls Cipher.getInstance(..) with the implementationName previously registered when creating the AlgorithmID. However, it will take the algorithm-implementation of the first provider supporting the specific algorithm.
 
On the recipient side, the setupCipher(Key) method should only be used when the content encryption algorithmID contains an initialization vector that is encoded as OCTET STRING. In situations where there are other parameters/encodings, the algorithmID should be parsed explicitly for the included parameters, and the setupCipher(Key key, AlgorithmParameterSpec params) method should be used to set up the cipher for decryption, e.g.:
 
 // get the content encryption algorithm:
 AlgorithmID contentEA = eci.getContentEncryptionAlgorithm();
 // get and parse the parameters:
 ASN1Object params = contentEA.getParameter();
 // create an AlgorithmParameterSpec from the parameters to setup the cipher
 // for decryption with previously decrypted recipient key
 ...
 eci.setupCipher(secretKey, paramSpec);
 // get and read the data thereby actually performing the decryption:
 InputStream data_is = eci.getInputStream();
 ...

An example can be found in the Javadoc of Jce2.51.
 
Dieter Bratko
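
The recipient-side steps and the provider-precedence point from the reply above, as an added example in plain JCA (it is not part of the original message and does not use the IAIK PKCS7 classes). It assumes a JDK whose default providers supply DESede; the class name ContentCipherSetup, the helper ivFromDer and the sample key and content are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.AlgorithmParameters;
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

// Added illustration; class and helper names are hypothetical.
public class ContentCipherSetup {
    static final String TRANSFORMATION = "DESede/CBC/PKCS5Padding";

    // Decode DER parameters (an OCTET STRING holding the IV) into a spec.
    static IvParameterSpec ivFromDer(byte[] der) throws Exception {
        AlgorithmParameters params = AlgorithmParameters.getInstance("DESede");
        params.init(der);
        return params.getParameterSpec(IvParameterSpec.class);
    }

    public static void main(String[] args) throws Exception {
        // Providers are consulted in this order when no provider is named.
        Provider[] candidates = Security.getProviders("Cipher.DESede");
        if (candidates != null) {
            for (Provider p : candidates) {
                System.out.println("supports DESede: " + p.getName());
            }
        }

        // Sender side, with a constructed sample key and content.
        SecretKey key = KeyGenerator.getInstance("DESede").generateKey();
        Cipher enc = Cipher.getInstance(TRANSFORMATION); // first matching provider
        enc.init(Cipher.ENCRYPT_MODE, key);              // provider picks a random IV
        byte[] ciphertext = enc.doFinal(
            "constructed sample content".getBytes(StandardCharsets.UTF_8));
        byte[] derParams = enc.getParameters().getEncoded(); // 04 08 <8 IV bytes>

        // Recipient side: parse the parameters first, then set up the cipher
        // with key and spec, naming the provider instead of relying on list order.
        IvParameterSpec iv = ivFromDer(derParams);
        Cipher dec = Cipher.getInstance(TRANSFORMATION, enc.getProvider());
        dec.init(Cipher.DECRYPT_MODE, key, iv);
        String plain = new String(dec.doFinal(ciphertext), StandardCharsets.UTF_8);
        System.out.println(enc.getProvider().getName() + " decrypted: " + plain);
    }
}
```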


                
 
 
----- Original Message -----
From: Alan Grenadir <alang@lexias.com>
To: <iaik-jce@iaik.tu-graz.ac.at>
Sent: Fri, 16 Jul 1999 12:56:18 -0400
Subject: [iaik-jce] Data encryption algs for PKCS7
 
> Dear Sirs:
> I am writing to enquire which data encryption algorithms may be used in
> the  IAIK PKCS7 EnvelopedDataStream.

> I use eci.setupCipher(AlgorithmID) to specify the data encryption
> cipher.  For symmetric ciphers for which the AlgorithmID class provides
> a static member, those algorithms can be used easily:
> cast5_CBC
> des_CBC
> des_EDE3_CBC
> rc2_CBC
> rc4

> Can other algorithms or other modes be used in PKCS7?  Is it to be done
> by defining new AlgorithmID's?  And can the implementation of another
> provider (such as Jsafe) be accessed for that algorithm?  If yes, is
> there a different way other than to put that provider before IAIK in the
> list of providers, which would have effects on other features also be
> selected from that provider by precedence.

> For example, you provide other modes for 3DES, and you provide an
> implementation of Blowfish cipher.

> Will the decryption logic in the EncryptedDataStream class be able to
> read whatever info about the data encryption algorithm was placed into
> the PKCS7 object and generate a request to Cipher.getInstance( ) or the
> equivalent to locate an implementation of the correct algorithm?

> Do we have to register an algorithm with an OID and a name?  If so,
> which? Does the protected member "implementations" of class AlgorithmID
> figure into this?  Is it true that for sending a message encrypted with
> a data encryption algorithm, we must do the registration on both the
> encrypting side and also on the decrypting side.

> Is it an issue of lack of standardized ObjectID's for the algorithms?
> Is the ASN1 for the parameters standardized for different providers of
> the same algorithm?

> Thank you.
