Monday, January 28, 2008

Using ASN.1 Notation DER Encoded ECDSA Signature in BC Lightweight API

So this is my first post and my first attempt to give back to the open source software community...

I have been working on a secure mobile payment system project for the past few months at university (www.sjsu.edu). We are using elliptic curve cryptography for our security needs. For implementation purposes, I am using the Bouncy Castle Lightweight API for J2ME (http://www.bouncycastle.org/latest_releases.html).


Currently, I am attempting to create certificate requests using the API, and I came across a hurdle: the API does not have a supporting Signature class that lets one create the ASN.1 form of the ECDSA (elliptic curve DSA) signatures that are embedded in certificates. So I set about creating one, and it is available here and here.

This class was made to fulfil my need for a class that mimics the ECDSA functionality of java.security.Signature and org.bouncycastle.jce.provider.JDKDSASignature. However, the class does not extend the Signature class, since the Signature class in the BC Lite API does not have a constructor. The class can be used to create and verify an ECDSA signature in J2ME with the Bouncy Castle Lightweight Crypto API for J2ME.

In ASN.1 notation, the ECDSA signature is given as:
SEQUENCE {
r INTEGER,
s INTEGER
}
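
The SEQUENCE above, encoded and strictly decoded by hand, as an added example that is not the post's class and not Bouncy Castle code. It assumes Java SE (java.math.BigInteger, java.nio.ByteBuffer) rather than J2ME, and the class name EcdsaDerSignature and its methods are hypothetical.

```java
import java.io.ByteArrayOutputStream;
import java.math.BigInteger;
import java.nio.ByteBuffer;
import java.util.Arrays;
// Added example, not the post's class; assumes Java SE (java.math, java.nio), hypothetical names.
public class EcdsaDerSignature {
    // Writes one TLV; length is short form below 128, else 0x81 plus one byte.
    static void tlv(ByteArrayOutputStream out, int tag, byte[] c) {
        if (c.length > 0xFF) throw new IllegalArgumentException("content too long");
        out.write(tag);
        if (c.length >= 0x80) out.write(0x81);
        out.write(c.length);
        out.write(c, 0, c.length);
    }

    public static byte[] encode(BigInteger r, BigInteger s) {
        if (r.signum() <= 0 || s.signum() <= 0) throw new IllegalArgumentException("r, s must be > 0");
        ByteArrayOutputStream body = new ByteArrayOutputStream(), out = new ByteArrayOutputStream();
        // toByteArray() is minimal two's complement: top bit set => leading 0x00, as DER requires.
        tlv(body, 0x02, r.toByteArray());
        tlv(body, 0x02, s.toByteArray());
        tlv(out, 0x30, body.toByteArray());
        return out.toByteArray();
    }

    static byte[] read(ByteBuffer in, int tag) {
        if ((in.get() & 0xFF) != tag) throw new IllegalArgumentException("unexpected tag");
        int len = in.get() & 0xFF;
        if (len == 0x81) len = in.get() & 0xFF;
        else if (len >= 0x80) throw new IllegalArgumentException("unsupported length form");
        byte[] c = new byte[len];
        in.get(c); // BufferUnderflowException when the input is truncated
        return c;
    }

    public static BigInteger[] decode(byte[] sig) {
        try {
            ByteBuffer in = ByteBuffer.wrap(read(ByteBuffer.wrap(sig), 0x30));
            BigInteger r = new BigInteger(read(in, 0x02)), s = new BigInteger(read(in, 0x02));
            // DER is canonical: padding, trailing data or odd lengths fail to re-encode identically.
            if (!Arrays.equals(encode(r, s), sig)) throw new IllegalArgumentException("not canonical DER");
            return new BigInteger[] { r, s };
        } catch (java.nio.BufferUnderflowException e) { throw new IllegalArgumentException("truncated"); }
    }
    public static void main(String[] args) {
        byte[] der = encode(new BigInteger("80", 16), BigInteger.ONE); // constructed r and s
        System.out.println(new BigInteger(1, der).toString(16) + " " + Arrays.toString(decode(der)));
    }
}
```

Because decode accepts only the exact bytes that encode would produce, a verifier built on it never sees two different byte strings for the same (r, s) pair.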

Signatures can be made of a CertificationRequestInfo object and used to create a CertificationRequest (a PKCS #10 certificate request).

All the classes mentioned above belong to the Bouncy Castle Lightweight J2ME API, which is needed to run this class as well.

Please refer to the comments in the file and the accompanying test classes to understand the proper usage.


I hope to make available the PKI Infrastructure asap.

7 comments:

Yunpu said...

Hi there,
This is a very interesting topic for me. I am currently involved in research on ECDSA employed in Java ME. I'll keep an eye on your blog.

Himanshu said...

Hi Yunpu... Good to hear from you... Let me know if there is something particular you are looking for. I worked on a mobile security project for one year using ECDH, ECDSA and ECIES. However, my knowledge of ECC is brief and was restricted to its advantages, disadvantages, and knowing how to use it correctly. You should check out the Bouncy Castle user lists.

yunpu zhu said...

Hi there,

I am working on implementing ECDSA on the J2ME platform. Currently I have some problems with the bouncycastle cldc-classes.zip. It got to be missed with some class in java package. I need to generate a public key and private key on a J2ME mobile device, and then sign it to send it via HTTP.

Himanshu said...

Hey, I did not quite understand your question. Did you get some errors which said that Java system classes are not allowed? If yes, you need obfuscation. Check out http://tecknolojia.blogspot.com/2008/01/getting-your-j2me-project-working-with.html or reply to this comment here. There are also open source obfuscators if you do not use an IDE.

jack said...

I am a student and am new to cryptography, and I am interested in ciphers like ECC (elliptic curve cryptography) to encrypt and decrypt text, but I need them to work on my mobile phone to test the performance on the phone. Most of the code I found on the web is not fully supported on J2ME (some classes from Java SE are not supported in Java ME and I just can't fix that problem, it's driving me crazy...). Do you have some cut-down Java code written just in J2ME for ECC, or maybe a mobile MIDlet of that kind that works? Or do you know where I can find them?
I really need help ;) Thank U!

Anonymous said...

I am a student and am new to cryptography, and I am interested in ciphers like ECC (elliptic curve cryptography) to encrypt and decrypt text, but I need them to work on my mobile phone to test the performance on the phone. Most of the code I found on the web is not fully supported on J2ME (some classes from Java SE are not supported in Java ME and I just can't fix that problem, it's driving me crazy...). Do you have some cut-down Java code written just in J2ME for ECC, or maybe a mobile MIDlet of that kind that works? Or do you know where I can find them?
I really need help ;) Thank U!

Himanshu said...

Hi Jack, go to the Bouncy Castle website, where you can download a security library for J2ME. It also contains a sample MIDlet. Under a folder that contains test programs, you will also find a file called ECIESTest.java which performs ECIES using J2ME.

Also, yes, J2ME includes some classes that are not part of J2SE. Bouncy Castle includes such classes within their library. Hence, this would require you to "obfuscate" your code. Check my post here: http://tecknolojia.blogspot.com/2008/01/getting-your-j2me-project-working-with.html