Go4Expert - Introduction to Bouncy Castle APIs

The Bouncy Castle Crypto APIs is a set of implementations of cryptographic concepts and algorithms. Bouncy Castle APIs are developed in both Java and C#. These APIs can be freely downloaded from the Bouncy Castle home page.

Let us have a glance at some of the important type of implementations and algorithms provided by BC APIs -

Digests

Digests are the hash values which are generated after applying a hash algorithm on message. Digests are also known as Hash Value, fingerprints, checksums, etc.

Bouncy castle APIs provide us, implementation of following hash algorithms –

GOST3411
MD2, MD4, MD5
RIPEMD128, RIPEMD160, RIPEMD256, RIPEMD320
SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
Tiger
Whirlpool.

X.509

X509 is a standard, which specifies the standard format for public key certificates, Certificate revocation list and attribute certificates. Bouncy Castle APIs include the implementation for generators, parsers for Version1 and Version3 certificates, Version 2 CRLs and attribute certificates.

It provides the classes for X509 formats, also, e.g. PEM, p12, pfx etc.

Following are some of the important X509 related classes, provided by Bouncy Castle –

PEMParser
X509 certficate
X509 certficate parser
X509 crl
X509 signature util
X509 v1 generator
X509 v2 generator
X509 v3 generator

Password Based Encryption

There are many instances when data should be encrypted by the passphrase or password provided by the user. This secret password selected by the user acts like the encryption key. This is unlike the situation in which the keys are generated by the system itself. However, there are steps to be followed for generating or deriving the key from the password selected by the user.

A hash value of the password text is computed. This is done by using the hash algorithms like SHA1. To make the derived key strong, salt is appended in the password. (Salts are the extra random bytes added in the message during encryption. Salt is different and random for every input, thus the output produced by the hash algorithms also differ every time and hence dictionary attacks are prevented.
A DES or AES key is generated from the password and salt.

Bouncy castle provides the following PBE algorithms –

SHA1 and DES-CBC,
SHA1 and RC2-CBC,
SHA-1 and 128bit RC4,
SHA-1 and 40bit RC4,
SHA-1 and 3-key DESEDE-CBC,
SHA-1 and 2-key DESEDE-CBC,
SHA-1 and 128bitRC2-CBC,
SHA-1 and 40bit RC2-CBC,
HmacSHA-1,
Hmac SHA-224,
HmacSHA-256,
HmacRIPEMD128,
HmacRIPEMD160,
HmacRIPEMD256.

Signature algorithms

Signature are applied to digital data to verify that the data is not tampered during transmission and also, that the data has been sent by the correct authority or person.

In signature mechanism, the hash value of the message is computed, using the Hash algorithms like MD2, MD5 etc. This hashed value is used by the signature algorithm to generate the digital signature. Note: - for signing, the private key is needed by the algorithm. The digital signature is sent along with the message.

Following implementation are provided by the Bouncy castle apis-

MD2withRSA,
MD4withRSA,
MD5withRSA,
RIPEMD128withRSA,
RIPEMD160withRSA,
RIPEMD256withRSA,
SHA-1withRSA,
SHA-224withRSA,
SHA-256 with RSA and MGF1,
SHA-384 with RSA and MGF1,
SHA-512 with RSA and MGF1,
SHA-1 with DSA,
SHA-1 with ECDSA.

Symmetric key algorithms:

Following secret key algorithm are implemented –

AES
Blowfish
Camellia
CAST5, CAST6
DESede, DES
GOST28147
HC-128, HC-256
IDEA
NaccacheStern
RC2, RC4, RC5-32, RC5-64, RC6,
Rijndael, Serpent, Skipjack, TEA/XTEA, Twofish, and VMPC.

Asymmetric key algorithms:

Following asymmetric key algorithm are implemented -

RSA (with blinding)
ElGamal
DSA
ECDSA.

Apart from the above listed algorithms, Bouncy Castle provides implementation for PGP (Pretty good Privacy, Online Certificate Status Protocol. Time Stamp Protocol etc.

In my next article, we will discuss the RSA implementation provided by Bouncy castle.