
AW: [iaik-ssl] Certification verification



Hello,

A 1024-bit public key will always be "longer" than a 128-bit one; however,
the length of the public key contained in the certificate has no influence on
the strength of the symmetric key used for encryption.

You may use something like the following to only enable cipher suites using
a symmetric key >= 128 bit:


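      import java.util.Enumeration;
      import iaik.security.ssl.CipherSuite;
      import iaik.security.ssl.CipherSuiteList;

      // Start from the default cipher suite list
      CipherSuiteList defaultList = new CipherSuiteList(CipherSuiteList.L_DEFAULT);
      System.out.println(defaultList);
      // Copy only the suites whose symmetric key is at least 16 bytes (128 bits)
      CipherSuiteList myList = new CipherSuiteList();
      Enumeration e = defaultList.elements();
      while (e.hasMoreElements()) {
        CipherSuite cs = (CipherSuite)e.nextElement();
        if (cs.getKeyLength() >= 16) {
          myList.add(cs);
        }
      }
      myList.sort();
      System.out.println(myList);
      // Enable the filtered list (not the default list) on the context
      sslContext.setEnabledCipherSuiteList(myList);
      sslContext.updateCipherSuites();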

Regards,
Dieter Bratko
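
The distinction drawn in this reply, as an added example that is not part of the original message and does not use the iSaSiLk API: using only standard JDK classes, it measures the public key size the way the quoted snippet further down does (extended here to EC keys) and, as a separate check, filters a constructed list of standard cipher suite names by symmetric key size. The class name, the helper names and the name-parsing rule are assumptions made for this example.

```java
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.List;
import javax.crypto.interfaces.DHPublicKey;

public class KeyStrengthCheck {
  // Asymmetric key size in bits (what the certificate carries); -1 if the type is unknown.
  static int publicKeyBits(PublicKey key) {
    if (key instanceof RSAPublicKey) return ((RSAPublicKey) key).getModulus().bitLength();
    if (key instanceof DSAPublicKey) return ((DSAPublicKey) key).getParams().getP().bitLength();
    if (key instanceof DHPublicKey) return ((DHPublicKey) key).getParams().getP().bitLength();
    if (key instanceof ECPublicKey) return ((ECPublicKey) key).getParams().getOrder().bitLength();
    return -1;
  }

  // Symmetric key size in bits, read from a JSSE suite name. Assumption: the name
  // follows the standard pattern; anything unrecognised is reported as 0 and rejected.
  static int cipherKeyBits(String suite) {
    if (suite.contains("_NULL_")) return 0;
    if (suite.contains("_40_") || suite.contains("DES40")) return 40;
    if (suite.contains("_DES_CBC_")) return 56;
    if (suite.contains("3DES_EDE")) return 168;   // nominal size; effective strength is lower
    if (suite.contains("_256_") || suite.contains("CHACHA20")) return 256;
    if (suite.contains("_128_")) return 128;
    return 0;
  }

  // Keep only the suites whose symmetric key is at least minBits long.
  static List<String> atLeast(String[] suites, int minBits) {
    List<String> kept = new ArrayList<>();
    for (String s : suites) if (cipherKeyBits(s) >= minBits) kept.add(s);
    return kept;
  }

  public static void main(String[] args) throws Exception {
    String[] offered = {   // constructed sample list of standard suite names
      "SSL_RSA_EXPORT_WITH_RC4_40_MD5", "SSL_RSA_WITH_DES_CBC_SHA",
      "SSL_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
      "TLS_RSA_WITH_AES_256_CBC_SHA" };
    System.out.println("suites with >= 128-bit cipher key: " + atLeast(offered, 128));
    for (int bits : new int[] {1024, 2048}) {   // keys generated locally for the demo
      KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
      gen.initialize(bits);
      PublicKey pub = gen.generateKeyPair().getPublic();
      System.out.println("RSA public key: " + publicKeyBits(pub) + " bits");
    }
  }
}
```

The filter result is the same whichever of the two generated keys would sit in the certificate, so a policy that needs both properties has to check both.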

-----Original Message-----
From: iaik-ssl-owner@iaik.tu-graz.ac.at
[mailto:iaik-ssl-owner@iaik.tu-graz.ac.at] On Behalf Of Taqvi, Syed [IT]
Sent: Tuesday, 04 December 2001 18:22
To: 'Dieter Bratko'; iaik-ssl@iaik.at
Subject: RE: [iaik-ssl] Certification verification


Thanks for the reply.
Can I make the assumption that if the public key of the server certificate
is 1024 bits, then the certificate strength would be at least 128 bits? Or is
that not a valid assumption?

-----Original Message-----
From: Dieter Bratko [mailto:Dieter.Bratko@iaik.at]
Sent: Tuesday, December 04, 2001 3:52 AM
To: Taqvi, Syed [IT]; iaik-ssl@iaik.at
Subject: AW: [iaik-ssl] Certification verification


Hello,

you may get the key length by doing something like:
     
    import java.security.PublicKey;
    import java.security.interfaces.DSAPublicKey;
    import java.security.interfaces.RSAPublicKey;
    import javax.crypto.interfaces.DHPublicKey;

    X509Certificate[] certs = sslSocket.getPeerCertificateChain();
    if (certs != null) {
      // Public key of the first certificate in the peer chain
      PublicKey publicKey = certs[0].getPublicKey();
      // Key length in bits; stays -1 for any other key type
      int keyLength = -1;
      if (publicKey instanceof RSAPublicKey) {
        keyLength = ((RSAPublicKey) publicKey).getModulus().bitLength();
      } else if (publicKey instanceof DSAPublicKey) {
        keyLength = ((DSAPublicKey) publicKey).getParams().getP().bitLength();
      } else if (publicKey instanceof DHPublicKey) {
        keyLength = ((DHPublicKey) publicKey).getParams().getP().bitLength();
      }
    }

However, since you speak of 128 bits I assume you mean the strength of the
cipher key used to encrypt the data. If so, you can only ensure that you
only offer cipher suites using a symmetric key of >= 128 bits.

Regards,
Dieter Bratko 

-----Original Message-----
From: iaik-ssl-owner@iaik.tu-graz.ac.at
[mailto:iaik-ssl-owner@iaik.tu-graz.ac.at] On Behalf Of Taqvi, Syed [IT]
Sent: Wednesday, 28 November 2001 16:33
To: 'iaik-ssl@iaik.at'
Subject: [iaik-ssl] Certification verification


Hello,
I want to make sure that the certificate that I am getting from the server
is at least 128 bits. My understanding is that I need to extend the
ChainVerifier class and override the verifyCertificate method.
But I cannot figure out how to get the certificate strength information
from the certificate.
Any help will be appreciated.


--
Mailinglist-archive at
http://jcewww.iaik.at/mailarchive/iaik-ssl/sslthreads.html

To unsubscribe send an email to listserv@iaik.at with the following content:
UNSUBSCRIBE iaik-ssl
 
