Getting started with RSA BSAFEÂ® Share For JAVA - EMC ...

Getting started with 

RSA BSAFE ® Share for Java Platform 1.1 

RSA, The Security Division of EMC, 

July 16, 2009 

Version 1.0, July 16, 2009

Introduction to Presentation 

This presentation will help you get started using RSA 

BSAFE ® Share for Java TM Platform (Share for Java). 

2

Objective 

As a result of this presentation you will be able to: 

– Describe the features of Share for Java 

3

Agenda 

Introduction 

Product Features 

Feature comparison: Sun’s JRE 6.0 

Feature comparison: RSA BSAFE Crypto-J, Cert-J and 

SSL-J 

4

5 

Introduction

Introduction 

Agenda 

– Product description 

– Associated products 

– Where to find more information 

6

Introduction 

Product Description 

Share for Java is a pure Java security toolkit. 

– Java is a computer programming language created by Sun 

Microsystems. The most recently released version is 6.0. See 

http://java.sun.com/ for more details. 

– Pure Java means that Share for Java is completely written 

using the Java programming language. It doesn’t use any 

native code libraries which are written in other programming 

languages such as C or C++. 

– Share for Java is designed to be used by Java Application 

Developers; software engineers who develop computer 

programs using the Java computer programming language. 

7

Introduction 



– A toolkit is a library or component part. 

– Toolkits provide functionality via Application Programming 

Interfaces (API). 

– Application developers use toolkits to provide functionality 

rather than having to write the source code for the functionality 

themselves. This allows complex components to be re-used, 

rather than having to be developed for each application. 

8

Introduction 



– Security in terms of Share for Java means cryptography, 

Public Key Infrastructure (PKI), and Transport Layer Security 

(TLS). 

• Cryptography: Algorithms that provide encryption, digital 

signatures, message digests and Pseudo Random Number 

Generation (PRNG). 

• PKI: The technology which includes Digital Certificates. Digital 

Certificates are used to identify secure servers on the Internet 

and are used with encrypted and signed email. 

• TLS: The technology which provides the security for secure 

https connections over the Internet. 

– For an introduction to security, see the Security Concepts 

document which comes as part of the Share for Java release. 

9

Introduction 


Share for Java: 

– Is a pure Java security toolkit. 

– Runs on Sun’s Java Standard Edition (SE) JRE 5.0 and 6.0 1 . 

– Can be used in Java Enterprise Edition (EE) deployments 

which use JBoss 1 application server. 

Share for Java contains two jar files: 

– shareCrypto.jar: Cryptographic and PKI functionality 

implemented as a Java Cryptographic Extension (JCE) 

provider. 

– shareTLS.jar: SSL v3.0, TLS v1.0, v1.1 and v1.2 functionality 

implemented as a Java Secure Sockets Extension (JSSE) 

provider. 

Note 1: Refer to the release notes for a detailed platform list. 

10

Introduction 

Associated Products: Share 

Other Share products: 

– RSA BSAFE ® Share for C/C++: C language cryptographic, 

PKI and TLS toolkit. 

– RSA BSAFE ® Share Adapter: C language toolkit providing an 

OpenSSL compatible API. 

• Uses Share for C/C++ to provide the underlying cryptographic 

capabilities. 

11

Introduction 

Associated Products: Crypto-J, Cert-J and SSL-J 

Other BSAFE Java language products: 

– RSA BSAFE ® Crypto-J: Provides FIPS 140 validated pure 

Java cryptographic implementations, native cryptographic 

implementations, support for PKCS #11 devices, and support 

for both the JCE and the JSAFE API. 

– RSA BSAFE ® Cert-J: Provides the CertJ API for certificate 

management and other Public Key Infrastructure (PKI) 

services. Uses Crypto-J for cryptographic functionality. 

• Note that the Java Certification Path (JCP) API which is offered 

in Cert-J 3.0 is being incorporated into Crypto-J 4.1’s and Share 

for Java’s JCE API 

– RSA BSAFE ® SSL-J: SSL v3.0, TLS v1.0, v1.1 and v1.2 

functionality is provided via the SSLJ and the JSSE API. Uses 

Crypto-J for cryptographic functionality. 

12

Introduction 

Associated Products: Crypto-J, Cert-J and SSL-J 

sslj.jar 

RSA BSAFE ® SSL-J 5.1 

RSA BSAFE ® Share 

for Java TM Platform 

shareTLS.jar 

SSLJ API 

JSSE API 

JSSE API 

RSA BSAFE ® Cert-J 3.1 

certj.jar 

CERTJ API 

RSA BSAFE ® Crypto-J 4.1 

cryptoj.jar, cryptojFIPS.jar 

shareCrypto.jar 

JSAFE API 

JCE API 

JCE API 

13

Introduction 

More Information: Share for Java 

Install Guide: Installation instructions. 

Release Notes: Product features, platform list, known 

issues. 

Security Concepts: Introduction to cryptography and 

security 

javadoc: API reference guide. 

Developer’s Guide: Guidance on product usage. 

14

Introduction 

More Information: Share products and BSAFE products 

Share products: www.rsashare.com 

Share Community: 

https://community.emc.com/community/edn/rsashare 

RSA BSAFE: http://www.rsa.com/node.aspxid=1204 

15

16 

Product Features


Agenda 

Agenda 

– Cryptographic features 

– Public Key Infrastructure (PKI) features 

– Transport Layer Security (TLS) features 

– Further information 

17


Cryptographic 

Asymmetric (public key) algorithms: RSA, DSA, DH, ECDSA, 

ECDH, ECDHC and ECIES. 

Symmetric (secret key) ciphers: AES, triple-DES, DES, DESX, 

RC2, RC4, and RC5. 

Message digests: MD2, MD5, RIPEMD160, SHA1, SHA 224, SHA 

256, SHA 384, and SHA512. 

HMAC standards: HMAC/MD5, HMAC/SHA1, HMAC/RIPEMD160, 

HMAC/SHA224, HMAC/SHA256, HMAC/SHA384, and 

HMAC/SHA512. 

Pseudo-random number generator (PRNG) algorithms: MD5- 

based PRNG, SHA1-based PRNG, FIPS 186-2 PRNG, Dual EC- 

DRBG, HMAC DRBG. 

Password Based Encryption (PBE) algorithms and Password 

Based Key Derivation Functions (PBKDF2). 

18


Public Key Infrastructure (PKI) 

Digital Certificates: X.509, Extended Validation (EV), and Suite B. 

X.509 Certificate Path Building and Validation: 

RFC 3280, RFC 5430 Suite B and the NSA’s “Suite B Base 

Certificate and CRL Profile”. 

Certificate Status: Certificate Revocation Lists (CRL) and Online 

Certificate Status Protocol (OCSP). 

Certificate Requests: PKCS #10 and Certificate Request Message 

Format (CRMF), Certificate Management Protocol (CMP). 

Certificate Stores: In Memory and Lightweight Directory Access 

Protocol (LDAP). 

Key Stores: Public Key Cryptography Standards (PKCS) #12. 

19


Transport Layer Security (TLS) 

TLS with support for SSL v3, TLS v1, TLS v1.1 and 

TLS v1.2 protocols. 

Support for associated standards: 

– RFC 3546: TLS Extensions. 

– RFC 4492: ECC Cipher Suites for TLS. 

– RFC 5289: TLS EC Cipher Suites with SHA-256/384 and 

AES/GCM. 

– RFC 5430: Suite-B Profile for TLS. 

20


Further Information 

See the release notes for full details of supported: 

– Cryptographic algorithms 

– Key sizes and named elliptic curves 

– Cipher suites 

– TLS Extensions 

– Protocols and Standards 

21

Feature Comparison 

Share for Java and Sun JRE 6.0 

22

Feature Comparison: Sun JRE 6.0 

Agenda 

Agenda 

– Overall Differences 




23


Overall Differences 

Share for Java has: 

– Straightforward upgrade path to RSA BSAFE Crypto-J / SSL-J 

– Ability to buy support 

– Ability to have defects fixed in a reasonable period of time 

– Greater algorithm and protocol support. In particular: 

• Elliptic Curve Cryptography support in pure Java 

• Modern Transport Layer Security (TLS) standards support 

• Modern Pseudo Random Number Generator (PRNG) support 

24


Cryptographic 

Share for Java supports the following over Sun JRE 6: 

– Asymmetric (public key) algorithms: ECDSA, ECDH, ECDHC 

and ECIES. 

– Symmetric (secret key) ciphers: DESX. 

• Symmetric feedback modes: CCM and GCM. 

– Message digests: RIPEMD160. 

– HMAC standards: HMAC/RIPEMD160. 

– Pseudo-random number generator (PRNG) algorithms: MD5- 

based PRNG, FIPS 186-2 PRNG, Dual EC-DRBG, HMAC 

DRBG. 

– Password Based Key Derivation Function version 2 (PBKDF2). 

25




– Digital Certificates: EV and Suite B. 

– X.509 Certificate Path Building and Validation: 

RFC 5430 Suite B and the NSA’s “Suite B Base Certificate and 

CRL Profile”. 

– Certificate Requests: PKCS #10 and CRMF. 

– Key Stores: PKCS #12 key store only uses FIPS 140 validated 

algorithm. 

26




– TLS with support for TLS v1.1 and TLS v1.2 protocols. 

– Support for associated standards: 

• RFC 3546: TLS Extensions. 

• RFC 5289: TLS EC Cipher Suites with SHA-256/384 and 

AES/GCM. 

• RFC 5430: Suite-B Profile for TLS. 

– Better TLS debug: 

• Multi-threaded debug. 

• Debug information stored to files. 

27

Feature Comparison 

Share for Java and Crypto-J/Cert-J/SSL-J 

28

Feature Comparison: Crypto-J/Cert-J/SSL-J 

Agenda 

Agenda 

– Overall Differences 




– Further information 

29


Overall 

Crypto-J/Cert-J/SSL-J has: 

– Source code is available. 

– Greater platform support: 

• Operating systems: Windows, Linux, Solaris, HPUX, AIX. 

• JREs: Sun, IBM, JRockit, HP. 

– Greater Application Server platform support: 

• JBoss, Weblogic, Websphere. 

30


Cryptography 

Additional Crypto-J features: 

– FIPS 140 validation. 

– JSAFE API, which includes the additional algorithms: 

• X9.31 PRNG 

• Multi-prime RSA 

– PKCS #11 Support 

– Native crypto: Native implementations of some algorithms are 

available 

– (Crypto-J 4.1) Hardware Security Module (HSM) entropy: 

entropy is typically supplied by the operating system. Crypto-J 

allows an entropy source to be specified. This could be from a 

HSM. 

31



Additional Cert-J features: 

– Cert-J API, which includes the additional features: 

• Certificate fulfillment 

• PKCS #7 

32



Additional SSL-J features: 

– SSL-J API 

33

Thank you!

Getting started with RSA BSAFEÂ® Share For JAVA - EMC ...

Create successful ePaper yourself

Delete template?

Save as template?