7

Is there a way to generate a 128-bit key pair suitable for encryption using Sun's keytool program? It seems that the algorithms available in http://java.sun.com/javase/6/docs/technotes/guides/security/StandardNames.html#KeyPairGenerator are either not supported or do not allow keys shorter than 512 bits.

The key pair will be used with the following code snippet:

import java.io.FileInputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Security;
import java.security.cert.X509Certificate;

import org.apache.commons.io.IOUtils;
import org.bouncycastle.cms.CMSEnvelopedDataGenerator;
import org.bouncycastle.cms.CMSEnvelopedDataStreamGenerator;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

// input: the plaintext source; output: where the CMS enveloped data is written
public static void encrypt(InputStream input, OutputStream output) throws Exception {
    Security.addProvider(new BouncyCastleProvider());

    KeyStore keyStore = KeyStore.getInstance("PKCS12");

    // load the PKCS#12 keystore holding the recipient's private key and certificate
    FileInputStream keyStoreSource = new FileInputStream("keystore");
    try {
        keyStore.load(keyStoreSource, "password".toCharArray());
    } finally {
        keyStoreSource.close();
    }

    String alias = (String) keyStore.aliases().nextElement();
    // the private key is only needed on the decrypting side; encryption uses the certificate
    PrivateKey privateKey = (PrivateKey) keyStore.getKey(alias, "password".toCharArray());
    X509Certificate certificate = (X509Certificate) keyStore.getCertificate(alias);

    CMSEnvelopedDataStreamGenerator generator = new CMSEnvelopedDataStreamGenerator();

    // the certificate's public key wraps the randomly generated AES-128 content-encryption key
    generator.addKeyTransRecipient(certificate);

    OutputStream output2 = generator.open(output, CMSEnvelopedDataGenerator.AES128_CBC, BouncyCastleProvider.PROVIDER_NAME);
    try {
        IOUtils.copy(input, output2);
    } finally {
        output2.close();
        output.close();
    }
}

where output is some OutputStream where the encrypted data will be saved and input is some InputStream where the plaintext data will be read.

Chry Cheng

3 Answers

5

You just need to specify a different storetype:

keytool -genseckey -alias check2 -keyalg AES -keysize 128 -storepass changeit -storetype JCEKS -keystore ks.jck

igorp1024
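Added example, not part of igorp1024's answer: once the keytool command above has put a 128-bit AES key into a JCEKS keystore, the application loads it as a SecretKey rather than as a PrivateKey/certificate pair, and uses it directly with a symmetric cipher. The keystore path ks.jck, alias check2 and password changeit are taken from the keytool command; the code assumes the key password equals the store password (keytool prompts for a key password and defaults it to the store password), and the AES/CBC/PKCS5Padding round trip with a random IV prepended to the ciphertext is this example's own choice.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.CipherOutputStream;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

public class JceksAesEncrypt {

    // Load the AES key that "keytool -genseckey ... -storetype JCEKS" stored under alias.
    // keystorePath, alias and password are assumed to match the keytool invocation.
    static SecretKey loadAesKey(String keystorePath, String alias, char[] password) throws Exception {
        KeyStore keyStore = KeyStore.getInstance("JCEKS");
        FileInputStream in = new FileInputStream(keystorePath);
        try {
            keyStore.load(in, password);
        } finally {
            in.close();
        }
        // a JCEKS secret-key entry is returned as a SecretKey; a missing alias yields null
        SecretKey key = (SecretKey) keyStore.getKey(alias, password);
        if (key == null || !"AES".equals(key.getAlgorithm()) || key.getEncoded().length != 16) {
            throw new IllegalStateException("alias " + alias + " does not hold a 128-bit AES key");
        }
        return key;
    }

    // Encrypt input to output with AES-128-CBC. The random 16-byte IV is written first so
    // the decryptor can recover it; a fresh IV per message is required for CBC.
    static void encrypt(SecretKey key, InputStream input, OutputStream output) throws Exception {
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        output.write(iv);
        OutputStream cos = new CipherOutputStream(output, cipher);
        try {
            byte[] buf = new byte[4096];
            int n;
            while ((n = input.read(buf)) != -1) {
                cos.write(buf, 0, n);
            }
        } finally {
            cos.close(); // emits the final padded block and closes output
        }
    }

    // Reverse of encrypt: read the IV from the first 16 bytes, then decrypt the rest.
    static byte[] decrypt(SecretKey key, byte[] ivAndCiphertext) throws Exception {
        if (ivAndCiphertext.length < 16) {
            throw new IllegalArgumentException("ciphertext shorter than one IV");
        }
        byte[] iv = Arrays.copyOfRange(ivAndCiphertext, 0, 16);
        byte[] body = Arrays.copyOfRange(ivAndCiphertext, 16, ivAndCiphertext.length);
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
        return cipher.doFinal(body); // throws BadPaddingException on a wrong key or corrupted data
    }

    public static void main(String[] args) throws Exception {
        char[] password = "changeit".toCharArray();
        SecretKey key = loadAesKey("ks.jck", "check2", password);

        byte[] plaintext = "constructed sample plaintext".getBytes("UTF-8");
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        encrypt(key, new ByteArrayInputStream(plaintext), out);

        byte[] recovered = decrypt(key, out.toByteArray());
        System.out.println("round trip ok: " + Arrays.equals(plaintext, recovered));
    }
}
```

Loading the key through KeyStore.getKey means the same code also works if the key is later moved into a hardware-backed keystore type; only the getInstance argument changes. CBC alone gives confidentiality, not integrity, so a real deployment would add a MAC over IV and ciphertext or use an authenticated mode where the provider offers one.
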

2

Certificates are used for public key cryptography and do not contain encryption keys for the symmetric block cipher AES-128. Instead, public key cryptography is used only to encrypt or negotiate the 128-bit AES key and the rest of the conversation uses AES.

The 128-bit AES key is not a certificate, it's just 128 bits from a cryptographically strong random number generator or derived from a passphrase using a hashing algorithm such as PBKDF2. How you get these bits will depend on your application. SSL/TLS must negotiate a random key, but a hard disk encryption program would derive the key from a passphrase.

joeforker
  • Updated question with code snippet where key pair generated will be used. Hopefully, I have cleared up any confusion. But, yeah, I'm a crypto beginner. :P – Chry Cheng May 20 '09 at 07:08
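Added example, not part of joeforker's answer: the two ways the answer names of obtaining the 128 bits, a fresh key from the JCE's cryptographically strong random source (what keytool -genseckey does, and what a protocol like TLS negotiates) and a key derived from a passphrase with PBKDF2, plus storing the result in a JCEKS keystore programmatically so the keystore-loading code in the question can pick it up. The PBKDF2 variant "PBKDF2WithHmacSHA1", the passphrase, salt size, iteration count, and the keystore path, alias and password used in main are this example's own assumptions.

```java
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.SecureRandom;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class Aes128KeySources {

    // Case 1: 128 random bits from a cryptographically strong RNG, as a ready-made AES key.
    static SecretKey randomKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128, new SecureRandom());
        return kg.generateKey();
    }

    // Case 2: a key derived from a passphrase with PBKDF2 (HMAC-SHA1 variant, present in
    // SunJCE since Java 6). The salt must be random per passphrase and stored alongside the
    // ciphertext; the iteration count is what makes offline passphrase guessing expensive.
    static SecretKey passphraseKey(char[] passphrase, byte[] salt, int iterations) throws Exception {
        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
        PBEKeySpec spec = new PBEKeySpec(passphrase, salt, iterations, 128); // 128-bit output
        byte[] keyBytes = factory.generateSecret(spec).getEncoded();
        spec.clearPassword();                       // drop the passphrase copy held by the spec
        return new SecretKeySpec(keyBytes, "AES");  // relabel the derived bytes as an AES key
    }

    // Persist a key the way "keytool -genseckey -storetype JCEKS" does, so that
    // KeyStore.getInstance("JCEKS") followed by getKey(alias, password) returns it later.
    static void storeInJceks(SecretKey key, String path, String alias, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, null); // initialise an empty keystore
        ks.setEntry(alias, new KeyStore.SecretKeyEntry(key), new KeyStore.PasswordProtection(password));
        FileOutputStream out = new FileOutputStream(path);
        try {
            ks.store(out, password);
        } finally {
            out.close();
        }
    }

    public static void main(String[] args) throws Exception {
        SecretKey random = randomKey();
        System.out.println("random key: " + random.getEncoded().length * 8 + " bits");

        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        SecretKey derived = passphraseKey("constructed sample passphrase".toCharArray(), salt, 10000);
        System.out.println("derived key: " + derived.getEncoded().length * 8 + " bits");

        // constructed path/alias/password for the demonstration
        storeInJceks(random, "example-ks.jck", "check2", "changeit".toCharArray());
    }
}
```

Whichever source the bits come from, the resulting SecretKey is what the symmetric cipher consumes; no certificate is involved until a public key is needed to transport that key to another party, which is what the CMS code in the question does with the recipient certificate.
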

0

It would make sense that shorter than 512-bit key pairs cannot be generated. Public Key cryptography needs a longer key than symmetric key cryptography to sustain the same level of security. A 128-bit key pair is not recommended for public key cryptography.

Sani Huttunen