SymmetricCipherMac ("Entrust Authority Security Toolkit for the Java Platform")

java.lang.Object
- javax.crypto.MacSpi
- - com.entrust.toolkit.security.crypto.mac.SymmetricCipherMac

Direct Known Subclasses:

AesMac, Cast128Mac, DesMac, IdeaMac, TripleDesMac
```
public abstract class SymmetricCipherMac
extends javax.crypto.MacSpi
```
Defines Entrust's Data Authentication Code (DAC) architecture; it contains all the common functionality used by Entrust's DAC algorithms.
Algorithms that provide a way to check the integrity of information based on a secret key are called message authentication codes (MAC). Typically, message authentication codes are used between two parties that share a secret key in order to validate information transmitted between these parties. An DAC is simply a MAC algorithm based on a symmetric cipher. This implementation of the DAC algorithm is designed based on FIPS 113, but modified to operate with any symmetric cipher.

A symmetric cipher algorithm transforms (or encrypts) n-bit input vectors to n-bit output vectors using a cryptographic key, where n indicates the cipher block size. Let D be any n-bit input vector and assume a key has been selected. The n-bit vector, O, which is the output of the symmetric cipher algorithm when applied to D, using the enciphering operation, is represented as follows:
- O = e(D)
The data (e.g., record, file, message, or program) to be authenticated is grouped into contiguous n-bit blocks: D1, D2,.... Dx. If the number of data bits is not a multiple of n, then the final input block will be a partial block of data, left justified. with zeroes appended to form a full n-bit block. The calculation of the MAC is given by the following equations:
- O1 = e(D1)
- O2 = e(D2 xor O1)
- O3 = e(D3 xor O2)
- Ox = e(Dn xor Ox-1)
The MAC is selected from Ox. By using the appropriate algorithm parameters, the leftmost M bits of Ox can be selected as as the MAC, where 16 < M < 64 and M is a multiple of 8.

The Cipher Block Chaining Mode (CBC) with Initialization Vector (IV) = 0 and the n-bit Cipher Feedback Mode with IV = D1 and data equal to D2, D3, ..., Dn (see FIPS PUB 81) both yield the required MAC calculation. This implementation uses the CBC mode for the underlying symmetric cipher.

An DAC algorithm instance can be obtained using the Java Cryptography Architecture (JCA), by requesting the '<algorithm>' MAC from the Entrust cryptographic service provider. This can be done using the following call:

Mac.getInstance("<algorithm>", "Entrust");

The following key types are currently supported:
- Standard secret keys (software keys); keys with 'RAW' primary encoding format
FIPS 140-2:

This class is part of the Toolkit's FIPS 140-2 cryptographic module and contains APIs that are considered part of the logical interface to the Toolkit's FIPS 140-2 cryptographic module; refer to the API documentation for further details
Since:

7.0

See Also:
FIPS 113, Computer Data Authentication

Method Summary

Methods
Modifier and Type	Method and Description
`protected byte[]`	`engineDoFinal()` Completes the MAC computation and resets the MAC for further use, maintaining the secret key that the MAC was initialized with.
`protected int`	`engineGetMacLength()` Returns the length of the MAC in bytes.
`protected void`	`engineInit(java.security.Key key, java.security.spec.AlgorithmParameterSpec params)` Initializes the MAC with the given (secret) key and algorithm parameters.
`protected void`	`engineReset()` Resets the MAC for further use, maintaining the secret key that the MAC was initialized with.
`protected void`	`engineUpdate(byte input)` Processes the given byte.
`protected void`	`engineUpdate(byte[] input, int offset, int len)` Processes the first `len` bytes in `input`, starting at `offset` inclusive.

Methods inherited from class javax.crypto.MacSpi
clone, engineUpdate

Methods inherited from class java.lang.Object
equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

- Method Detail
  - engineGetMacLength
```
protected final int engineGetMacLength()
```
    Returns the length of the MAC in bytes.
    FIPS 140-2:
    
    FIPS Service: Query Object
    
    This API is part of the logical interface to the Toolkit's FIPS 140-2 cryptographic module; use of this API causes the caller to assume the FIPS 140-2 user role and accesses the following FIPS 140-2 logical interfaces:
    
    control input interface (API call)
    
    data output interface (return value)
    
    status output interface (exceptions)
    Specified by:
    
    engineGetMacLength in class javax.crypto.MacSpi
    
    Returns:
    [FIPS 140-2 data output] the MAC length in bytes.
    
    Throws:
    
    Fips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not allowed to perform cryptographic operations
  - engineInit
```
protected final void engineInit(java.security.Key key,
              java.security.spec.AlgorithmParameterSpec params)
                         throws java.security.InvalidKeyException,
                                java.security.InvalidAlgorithmParameterException
```
    Initializes the MAC with the given (secret) key and algorithm parameters.
    FIPS 140-2:
    
    FIPS Service: Initialization
    
    This API is part of the logical interface to the Toolkit's FIPS 140-2 cryptographic module; use of this API causes the caller to assume the FIPS 140-2 user role and accesses the following FIPS 140-2 logical interfaces:
    
    control input interface (API call)
    
    data input interface (parameters)
    
    status output interface (exceptions)
    Specified by:
    
    engineInit in class javax.crypto.MacSpi
    
    Parameters:
    key - [FIPS 140-2 data input] [FIPS 140-2 CSP] the (secret) key.
    params - [FIPS 140-2 data input] the algorithm parameters.
    
    Throws:
    
    java.security.InvalidKeyException - [FIPS 140-2 status output] if the given key is inappropriate for initializing this MAC.
    
    java.security.InvalidAlgorithmParameterException - [FIPS 140-2 status output] if the given algorithm parameters are inappropriate for this MAC.
    
    Fips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not allowed to perform cryptographic operations
  - engineUpdate
```
protected final void engineUpdate(byte input)
```
    Processes the given byte.
    FIPS 140-2:
    
    FIPS Service: MAC Generation/Verification
    
    This API is part of the logical interface to the Toolkit's FIPS 140-2 cryptographic module; use of this API causes the caller to assume the FIPS 140-2 user role and accesses the following FIPS 140-2 logical interfaces:
    
    control input interface (API call)
    
    data input interface (parameters)
    
    status output interface (exceptions)
    Specified by:
    
    engineUpdate in class javax.crypto.MacSpi
    
    Parameters:
    input - [FIPS 140-2 data input] the input byte to be processed.
    
    Throws:
    
    Fips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not allowed to perform cryptographic operations
  - engineUpdate
```
protected final void engineUpdate(byte[] input,
                int offset,
                int len)
```
    Processes the first len bytes in input, starting at offset inclusive.
    FIPS 140-2:
    
    FIPS Service: MAC Generation/Verification
    
    This API is part of the logical interface to the Toolkit's FIPS 140-2 cryptographic module; use of this API causes the caller to assume the FIPS 140-2 user role and accesses the following FIPS 140-2 logical interfaces:
    
    control input interface (API call)
    
    data input interface (parameters)
    
    status output interface (exceptions)
    Specified by:
    
    engineUpdate in class javax.crypto.MacSpi
    
    Parameters:
    input - [FIPS 140-2 data input] the input buffer.
    offset - [FIPS 140-2 data input] the offset in input where the input starts.
    len - [FIPS 140-2 data input] the number of bytes to process.
    
    Throws:
    
    Fips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not allowed to perform cryptographic operations
  - engineDoFinal
```
protected final byte[] engineDoFinal()
```
    Completes the MAC computation and resets the MAC for further use, maintaining the secret key that the MAC was initialized with.
    FIPS 140-2:
    
    FIPS Service: MAC Generation/Verification
    
    This API is part of the logical interface to the Toolkit's FIPS 140-2 cryptographic module; use of this API causes the caller to assume the FIPS 140-2 user role and accesses the following FIPS 140-2 logical interfaces:
    
    control input interface (API call)
    
    data output interface (return value)
    
    status output interface (exceptions)
    Specified by:
    
    engineDoFinal in class javax.crypto.MacSpi
    
    Returns:
    [FIPS 140-2 data output] the MAC result.
    
    Throws:
    
    Fips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not allowed to perform cryptographic operations
  - engineReset
```
protected final void engineReset()
```
    Resets the MAC for further use, maintaining the secret key that the MAC was initialized with.
    FIPS 140-2:
    
    FIPS Service: Modify Object
    
    This API is part of the logical interface to the Toolkit's FIPS 140-2 cryptographic module; use of this API causes the caller to assume the FIPS 140-2 user role and accesses the following FIPS 140-2 logical interfaces:
    
    control input interface (API call)
    
    status output interface (exceptions)
    Specified by:
    
    engineReset in class javax.crypto.MacSpi
    
    Throws:
    
    Fips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not allowed to perform cryptographic operations

Class SymmetricCipherMac

Method Summary

Methods inherited from class javax.crypto.MacSpi

Methods inherited from class java.lang.Object

Method Detail

engineGetMacLength

engineInit

engineUpdate

engineUpdate

engineDoFinal

engineReset