Re: Comments, questions, etc. .

Jan Luehe (luehe@laguna.eng.sun.com)
Mon, 8 Mar 1999 14:56:33 -0800 (PST)

To: java-security@java.sun.com, Frank.Yellin@Eng

Frank:

> #1) MAC's seem to be underspecified and underdocumented. How do I make a
> key for them? Neither the KeyGenerator class nor the SecretKeyFactory
> seemed to want to make secret keys for me. I couldn't get the KeyAgreement
> class to make one (which seems an obvious use for a MAC!)
>
> I finally had to use SecretKeySpec, and just guess at a key of 64 bytes.
> But I really had no idea.

You can initialize your MAC object with any secret-key object
of a secret-key algorithm supported by your JCE provider.

For example, in the case of the SunJCE provider, you could
use the DH key agreement to come up with a shared secret, and
then use the key returned by

SecretKey skey = keyagree.generateSecret("DES");

to initialize your MAC object.

There are no MAC-specific secret-key algorithms, i.e.,
you cannot do

KeyGenerator kgen = KeyGenerator.getInstance("HmacMD5");

Instead, you could do

KeyGenerator kgen = KeyGenerator.getInstance("DES");

and then generate a DES secret key and use that to initialize
your MAC object.

> #2) There has to be a way of adding a new Crypto provider to code that I
> don't own. For example, the JCE says that I shouldn't use the normal
> KeyStore implementation, but use the new JCEKS.
>
> But unless I reinstall my own copy of the JDK, I have no way of telling
> keytool about "com.sun.crypto.provider.SunJCE". The JDK looks in
> one public file to get the list of providers, and nowhere else. And I
> can't add the line
> Security.addProvider(new com.sun.crypto.provider.SunJCE());
> to code that I haven't written.
>
> Or perhaps keytool needs an argument to tell it to load additional
> subscribers.

We could add a command-line option to keytool that would allow
you to specify a provider that is not listed in the security
properties file, and have keytool install it for you.

>
> #3) Continuing on about MAC's. Is there a reason that we have
> DigestOutputStream but not MacOutputStream? And MacInputStream? A
> MAC is just Digest with a key. . . .

Yes, this is missing. We could add it in JCE 1.3.

Jan
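
The stream asked about in #3, keyed the way the reply to #1 describes, as an added example that is not part of the original message and not JCE code. The class name MacOutputStream is hypothetical (modeled on DigestOutputStream), and the sample message is constructed; note that a DES key supplies only 56 bits of key material to the HMAC.

```java
import java.io.ByteArrayOutputStream;
import java.io.FilterOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKey;

// Hypothetical class: the JCE discussed in this thread has no MacOutputStream.
public class MacOutputStream extends FilterOutputStream {
    private final Mac mac;

    public MacOutputStream(OutputStream out, Mac mac) {
        super(out);
        this.mac = mac; // must already be initialized with a secret key
    }

    @Override
    public void write(int b) throws IOException {
        out.write(b);
        mac.update((byte) b);
    }

    @Override
    public void write(byte[] buf, int off, int len) throws IOException {
        out.write(buf, off, len);
        mac.update(buf, off, len);
    }

    // Tag over everything written so far; doFinal() resets the Mac to its keyed state.
    public byte[] tag() { return mac.doFinal(); }

    public static void main(String[] args) throws GeneralSecurityException, IOException {
        // Key generated with a DES KeyGenerator, as the reply suggests.
        SecretKey key = KeyGenerator.getInstance("DES").generateKey();
        Mac mac = Mac.getInstance("HmacMD5");
        mac.init(key);

        byte[] msg = "constructed sample message".getBytes(StandardCharsets.UTF_8);
        MacOutputStream mos = new MacOutputStream(new ByteArrayOutputStream(), mac);
        mos.write(msg); // inherited write(byte[]) delegates to write(buf, 0, len)
        byte[] streamed = mos.tag();
        byte[] oneShot = mac.doFinal(msg); // same key, one-shot, for comparison
        // MessageDigest.isEqual compares tags without an early exit on mismatch.
        System.out.println("tags match: " + MessageDigest.isEqual(streamed, oneShot));
    }
}
```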