Wrox Programmer Forums
BOOK: Beginning Cryptography with Java
This is the forum to discuss the Wrox book Beginning Cryptography with Java by David Hook; ISBN: 9780764596339

You are currently viewing the BOOK: Beginning Cryptography with Java section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
 
Old February 17th, 2010, 05:01 AM
Registered User
 
Join Date: Feb 2010
Posts: 4
Thanks: 1
Thanked 0 Times in 0 Posts
ciphersuites in TLS/SSL

Hi!

I'm trying to write my own ciphersuite. The idea is testing an algorithm for key exchange. The rest of the ciphersuite should be typical, a standard symmetric encryption (like AES or RC4) and an HMAC for message authentication (MD5, SHA, whatever). So the only new thing is that I want to use another public key cryptosystem for key exchange. I already have this asymmetric encryption ready. I also changed the class RSAKeyExchangeExample from chapter 4 to use my algorithm and it works just fine. (Maybe I'll change this to use AES_128_CBC later, but AES with CTR is just fine for the first test.)

Now my question is how do I write my own ciphersuite and include it in TLS/SSL? Even if there are different ways to implement this, I would be thankful if you would explain them to me!

By the way: the book helped me a lot throughout my studies, thanks for the great book!

Greetings
Daniel
 
Old February 17th, 2010, 11:48 PM
dgh
Wrox Author
 
Join Date: Aug 2005
Posts: 206
Thanks: 0
Thanked 20 Times in 20 Posts

I have to admit I've never tried to do this. The best I can suggest is having a look at http://openjdk.java.net/ - from memory the cipher suites are dictated by default SSL socket factory implementation - if you dig around the source you should be able to find out where the magic needs to be added.

It may also be useful to have a look at Bouncy Castle's lightweight TLS API. You might find it's simpler to build on that as a foundation.

Good luck!

David
 
Old February 20th, 2010, 05:52 PM
Registered User
 
Join Date: Feb 2010
Posts: 4
Thanks: 1
Thanked 0 Times in 0 Posts
trying various ways

First of all thanks for your answer!

I searched in both the OpenJDK source and in Sun's Java source code but couldn't find the net.ssl packages. Finally I was lucky in the JSSE API. Here is where I'm trying to insert my ciphersuites now. Do you know if my JDK/JRE will complain that the JSSE.jar is no longer signed if I change a few things in the JSSE and recompile it?

I'm sure this is not the intended way to add ciphersuites into Java (though from a security point of view it may not be wanted at all that adding ciphersuites is possible), but if it works this way it serves the purpose...

But, if I find that I'm not able to add my ciphersuites this way, I'll take up the possibility with Bouncy Castle's lightweight TLS APIs. I'm a bit confused about them. I do use the Bouncy Castle Provider but haven't noticed the TLS APIs up to now. Where are they? I only read there is a client side TLS API, but haven't found anything more about this. Is there something about this in the book? Or do I find something about this in the documentation, or is there a usage example? Please excuse that I'm asking so many questions and not reading on my own, but I don't find anything about it...

Thanks!
Daniel
 
Old February 21st, 2010, 07:26 PM
dgh
Wrox Author
 
Join Date: Aug 2005
Posts: 206
Thanks: 0
Thanked 20 Times in 20 Posts

I think you'll be okay with the JSSE jar - I think it's just the JCE jar that triggers the signing check.

The BC TLS API appeared shortly after the book was written - it's in the org.bouncycastle.crypto.tls package. It's primarily a "lightweight" API; you can find it in the provider distribution or the lightweight one.

Regards,

David
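As an added illustration of the org.bouncycastle.crypto.tls package mentioned above (example code, not from the book or the thread): a client that offers only a fixed list of suites in its ClientHello, refuses a handshake when the server presents no certificate chain, and records which suite was negotiated. It assumes the class and constant names of a later 1.5x-era Bouncy Castle release (TlsClientProtocol, DefaultTlsClient, CipherSuite, TlsAuthentication), and the host name is a placeholder; getCipherSuites() is also the method a custom suite identifier would be added to, although the suite's key exchange and cipher still have to be wired in elsewhere.

```java
import java.io.IOException;
import java.net.Socket;
import java.security.SecureRandom;
import org.bouncycastle.crypto.tls.AlertDescription;
import org.bouncycastle.crypto.tls.Certificate;
import org.bouncycastle.crypto.tls.CertificateRequest;
import org.bouncycastle.crypto.tls.CipherSuite;
import org.bouncycastle.crypto.tls.DefaultTlsClient;
import org.bouncycastle.crypto.tls.TlsAuthentication;
import org.bouncycastle.crypto.tls.TlsClientProtocol;
import org.bouncycastle.crypto.tls.TlsCredentials;
import org.bouncycastle.crypto.tls.TlsFatalAlert;

public class PinnedSuiteTlsClient extends DefaultTlsClient {
    private int negotiated = -1;   // suite the server picked, filled in during the handshake

    // Only these suites are offered; nothing weaker can be negotiated by a downgrading server.
    @Override
    public int[] getCipherSuites() {
        return new int[] {
            CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
            CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
        };
    }

    @Override
    public void notifySelectedCipherSuite(int selectedCipherSuite) {
        super.notifySelectedCipherSuite(selectedCipherSuite);
        negotiated = selectedCipherSuite;
    }

    public int getNegotiatedSuite() { return negotiated; }

    @Override
    public TlsAuthentication getAuthentication() throws IOException {
        return new TlsAuthentication() {
            public void notifyServerCertificate(Certificate serverCertificate) throws IOException {
                // Abort with a fatal alert if no chain was sent; a real client would also
                // validate the chain against its trust anchors at this point.
                if (serverCertificate == null || serverCertificate.isEmpty()) {
                    throw new TlsFatalAlert(AlertDescription.certificate_unknown);
                }
            }
            public TlsCredentials getClientCredentials(CertificateRequest request) {
                return null;   // no client certificate
            }
        };
    }

    public static void main(String[] args) throws IOException {
        Socket socket = new Socket("tls-server.example", 443);   // placeholder host
        TlsClientProtocol protocol = new TlsClientProtocol(
            socket.getInputStream(), socket.getOutputStream(), new SecureRandom());
        PinnedSuiteTlsClient client = new PinnedSuiteTlsClient();
        protocol.connect(client);   // runs the handshake; throws on the alert above
        System.out.println("negotiated suite id: " + client.getNegotiatedSuite());
        protocol.close();
    }
}
```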
 
Old March 1st, 2010, 05:21 AM
Registered User
 
Join Date: Feb 2010
Posts: 4
Thanks: 1
Thanked 0 Times in 0 Posts
one step away

I modified jsse.jar and I'm almost there, but I still have this one problem which I'm still struggling on:

The problem is as follows:
I took the jsse.jar of my JDK 1.6.18 and imported it into Eclipse. This does not show me the source code. So I took a decompiler (JD - Java Decompiler) and loaded the jsse.jar into the decompiler, saved the source and imported it into Eclipse. Now I compile it again. Whoops, 926 errors. OK, I change the "Forbidden reference (access rules)" from error to warning (because it only warns me about it, it is not an error). Still 377 errors. And without any rewriting of the code, the code is unchanged!

Now how do I solve this? It was a working .jar and when I compile it again it doesn't work? funny... or not, because I already put so much effort into this..

How it does work but doesn't help me:
Maybe the decompiler does something which has unwanted consequences? So I loaded the JSSE source directly (with the Java Research License) as described by ghstark in this thread: http://forums.sun.com/thread.jspa?threadID=665691 . BUT this one is for Java 1.5. Looking at the code I notice that it is way different from the one from JDK 1.6.18! But it comes in a bundle with JCE and JGSS. I import all three (JSSE, JCE, JGSS) into Eclipse and compile it: 9 errors. OK, I do this on my uncle's computer with JDK 1.5 and there: it works!

Now I could do my changes to jsse of jdk1.5 and it would work. But I already put around two weeks effort into reading and changing jsse.jar of jdk1.6 and they are very different! So I really want it to work on jdk1.6!

So what did I do wrong?
In jdk1.6.18 I ONLY took the jsse source decompiled and imported it into eclipse. This doesn't compile without errors. Comparing, in jdk1.5 if I only import the jsse source it also doesn't compile without errors. Only if I take jsse, jce and jgss.
In jdk1.6 there is no jgss anymore! So I tried with jsse and jce but it doesn't compile.

Two Ideas:
- what other jars do I need to compile jsse? I tried with jce but it is not enough. Any help here?
- Can I download the source code of JSSE for Java 1.6? Searching on Java's page I don't find it! I do find the source code of Java 1.6 but without JSSE (and JCE)!

I really put a lot of work into this. I only need this last step of compiling jsse again (because in another file I wrote down all the changes I have to do for my algorithm to work) and I'm sure then it will work!

Thanks again for all your help and time!
If I get this done (it works) and you are still interested I'll show you what changes I made for my algorithm to work.
 
Old March 2nd, 2010, 10:08 PM
dgh
Wrox Author
 
Join Date: Aug 2005
Posts: 206
Thanks: 0
Thanked 20 Times in 20 Posts

Hmmm... not really sure what's happening here. One thing, when you introduced your version of the JSSE jar did you make sure the original one was no longer in the classpath?

Regards,

David
 
Old March 3rd, 2010, 12:09 PM
Registered User
 
Join Date: Feb 2010
Posts: 4
Thanks: 1
Thanked 0 Times in 0 Posts
openjdk

Yes, I did try with and without the original jsse.jar, but I couldn't find the error. Now I'm trying with OpenJDK...

Regards,
Daniel