logi.crypto is a non-certified 100% pure java library for using strong encryption in your java 1.1 programs. It includes tools for encryption and authentication and a framework for general cryptographic protocols.
It is distributed with full source-code, since no-one can be expected to trust an encryption package without seeing the source.
Price and Distribution Terms?
logi.crypto is distributed in two ways. You can choose to use it according to the Free software Foundation's (FSF) General Public License (GPL), or buy purchasing a commercial license for USD100 per developer. See The License for details.
Note that when evaluating the package you are considered to be using it under the GPL, so if you release any of the code written for testing purposes it will fall under the GPL unless you buy a license.
Most countries allow the use of encryption software within their borders, but many do not allow export. This includes the US and much of Europe. Some countries do not allow the use of encryption software at all. Luckily, the world seems to be getting more sane in this regard, but you should still check the laws in your region to be sure.
The RSA algorithm used is patented in the USA. This patent will expire in September, 2000. The Diffie-Hellman patent has expired. The DH-EKE protocol is also patented.
Note that not all countries accept patents on software. As far as I know only the USA and Canada do. You should check the status of these algorithms in your region.
There are no known efficient attacks against the RSA algorithm, but it has slight flaws which can be exploited if it is used carelessly. These can be avoided by always padding encrypted messages with random data and by never signing messages directly, but always a hash of the message. The strength also depends heavily on the size of the key you use and the quality of the random number generator used when creating it.
The random number generator included in logi.crypto should be fairly good. The idea is similar to that used in Sun's SecureRandom class, but it spends less time on the initial seeding and is continuusly re-seeded. The seeding is done from random elements in the scheduler and may have problems on systems which are idle and therefore somewheat predictable. Run the Spinner program to access the seeding algorithm for you own testing. You might also want to run the org.logi.crypto.test.TestRandom program, although it can only test the statistical properties of an RNG, which do not give sufficient guarantees about its cryptographic strength.
The DES algorithm is good but suffers from a too small key and the block size is beginning to become too small. The former is addressed by the Triple-DES variant of DES (or simply by using the Blowfish algorithm) and the latter by using CBC mode in which case up to 32GB og data can safely be encrypted with a single key.
Note, however, that in most cases the algorithms are not the weak point in computer security. It is very easy to misuse a strong algorithm in a way that gives little real security. Be careful. Read a book.
Encryption with logi.crypto happens on three levels. The simplest is to encrypt single fixed-size blocks of data directly by calling the CipherKey.encrypt() methods and decrypt them with the CipherKey.decrypt() methods. CipherKey classes are included for RSA, DES, triple-DES and Blowfish.
Alternatively you can create an EncryptMode object with a particular cipher-key to encrypt arbitrary arrays of data and decrypt them again with a corresponding DecryptMode object. Mode classes are included for the ECB, CBC, OFB and CFB modes.
The most useful method is to use the EncryptStream and DecryptStream classes to filter your i/o operations. They will encrypt or decrypt all data that passes through them and optionally execute non-interactive protocols, such as key-exchange protocols. If you need interactive key exchange or other interactive protocols, you can use the CipherStreamClient and CipherStreamServer classes.
There is also support for hashing, signatures, blind signatures and secret sharing in the library. See the class documentation for information about these.
In addition to this, the library is organized so that it is relatively easy to add your own ciphers, modes or utility classes.
Finally, you may want to look at the programs in the org.logi.crypto.test package.
The logi.crypto archive contains these files:
README Rudimentary installation instructions logi.crypto.jar A JAR file containing the logi.crypto package src.zip Complete source code doc.zip This documentation fingerprint Fingerprints of these files and all source files created with the org.logi.crypto.test.hash utility
The simplest way to install logi.crypto is to place logi.crypto.jar in your CLASSPATH. See the documentation for your Java environment for instructions. Alternatively you may wish to unpack the source archive into a directory which resides in your CLASSPATH, since this allows you to modify the source. In this case you should take care to preserver the directory structure in the archive.
To browse this documentation locally, unpack the documentation archive and point your web browser to doc/index.html. Again, you should be careful to preserve the directory structure.
To test your installation try running java org.logi.crypto.test.TestKey and java org.logi.crypto.test.TestMode.
There are two mailing lists for the logi.crypto library. email@example.com is a closed list only used to announce new versions of the libary and to warn of serious bugs. It is higly recommended that you subscribe to this list.
firstname.lastname@example.org is an open list for general discussion of the library. You may also want to subscribe to this list.
When subscribing to the above mentioned lists it is sufficient to send mail to the given address. Nothing needs to be in the subject or body of the message, since the request is encoded in the address.