October 5, 2018

Java Crypto Libraries Go Modular

By Mansi Sheth

To complement my recent Java Crypto blog series ("How to get Started Using Java Cryptography Securely", "Cryptographically Secure Pseudo-Random Number Generator (CSPRNG)", "Encryption and Decryption in Java Cryptography", "Message Digests, aka Hashing Functions"), I have been referencing the corresponding working code in the GitHub repository.

I am happy to announce a brand-new, shiny, modularized, micro-serviced, and dockerized version of this monolithic secure Java crypto code base.

The benefits of re-architecting monolithic applications into microservices and employing modular programming are well understood and supported. With more and more organizations embracing DevOps principles, development organizations are overwhelmed with growing responsibilities. In this situation, security is often not a top priority. But with the growing popularity of DevSecOps, there is increasing motivation to incorporate security into DevOps pipelines. However, there seems to be a lack of modular security libraries filling this gap.

In an effort to support these modern principles and methodologies, I re-architected my monolithic Java Crypto library into easily injectable modules in my Java Crypto repository on GitLab. This repository has:

1. SecureJavaCrypto: a module that provides all cryptographic primitives as an API, in a secure way, through Java, mainly using the Java Cryptography Architecture (JCA). Out of the box, this provides APIs for:

  • Generating a cryptographically secure pseudo-random number in an OS-agnostic way
  • Encryption and decryption
  • Calculating message digests
  • Calculating message authentication codes
  • Signing and verifying digital signatures
  • Secure password storage

2. SecureMicroService: typical use cases showing how to use the above module, written to mimic a service (for example, a Lambda function, a microservice, etc.).

3. Dockerfile: for easy containerization.

4. Docker Hub image: for experimenting with the above modules/microservices. It also eases deployment of the code into production through your CI/CD pipeline.

For details on API use, please refer to the README. Depending on your architecture, you can choose to pick just the core crypto module (1), SecureMicroService (2) as well, or the entire Docker container (4).

Happy Java Cryptographying!!!

Mansi Sheth is a Principal Security Researcher at Veracode Inc. In her career, she has been involved with breaking, defending and building secure applications. Mansi researches various languages and technologies, finding insecure usages in customer code and suggesting automation measures for finding vulnerabilities for Veracode's Binary Static Analysis service. She is an avid traveller with the motto "If not now, then when?"