RSA cryptography is based on the mathematical problem of factoring the product of two large prime numbers. Elliptic Curve Cryptography (ECC) is based on the algebraic structure of elliptic curves over finite fields. ECC needs much smaller keys than RSA to provide equivalent security: a 256-bit ECC key on the P-256 curve used below gives roughly the security of a 3072-bit RSA key, whereas a 256-bit RSA key can be factored in seconds and offers no security at all.
In my last post, “Java gRPC client and server using secure HTTP/2 channels on the Hyperledger Fabric virtual machine“, I could have just as well used an Elliptic Curve certificate and private key instead of RSA to allow my two gRPC Java programs to communicate with each other securely over SSL/TLS.
In this post, I will demonstrate how to generate the ECC certificate and key, modify the Java examples and run them again.
First, start our Hyperledger Fabric virtual machine and log into it over SSH. Open a Cygwin prompt in Windows and run:
Once in Linux, run:
It is important that the host name the TstServiceClient.java program will connect to, i.e. “hyperledger-devenv“, appears in the Elliptic Curve certificate we will generate: the TLS client checks that the name it dialed matches the name in the server certificate, and the handshake fails with a hostname verification error if it does not.
It is also important that this host name resolves to the virtual machine. A good way of ensuring that is to add a line to the file /etc/hosts:
Next, run the following single OpenSSL command to generate the Elliptic Curve certificate and private key (the <(...) part is bash process substitution, so run it from bash; -nodes leaves the private key unencrypted, so keep the file readable by its owner only):
openssl req -new -x509 -nodes -newkey ec:<(openssl ecparam -name secp256r1) -keyout ec.key -out ec.crt -days 3650
You will be prompted to enter information. It is critical that you enter the correct value for “Common Name“, i.e. the host name the client will connect to (hyperledger-devenv on the Common Name line below):
using curve name prime256v1 instead of secp256r1
Generating a 256 bit EC private key
writing new private key to 'ec.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:Quebec
Locality Name (eg, city) :Quebec City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Bertrand Szoghy
Organizational Unit Name (eg, section) :dev
Common Name (e.g. server FQDN or YOUR name) :hyperledger-devenv
Email Address :firstname.lastname@example.org
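The interactive command above puts the host name only in the Common Name. That still works with the Java client in this post, because Java falls back to the CN when a certificate has no Subject Alternative Name at all, but browsers and Go's TLS client reject CN-only certificates, and a certificate with a subjectAltName is what every client matches against first. The script below is an added example, not the command from the original post: it generates the same kind of P-256 key and self-signed certificate non-interactively, puts the host name in a DNS subjectAltName as well as the CN, and then checks the result offline with openssl. The function names gen_ec_cert and check_ec_cert, the output directory, the organisation values in the config and the offline checks are this example's own choices; the curve, the 3650-day validity and the host name hyperledger-devenv are the post's.

```shell
#!/bin/sh
# Added example, not the original post's command: generate a P-256
# (prime256v1, OpenSSL's name for secp256r1) private key and a self-signed
# certificate carrying the gRPC server's host name in a subjectAltName, then
# check the result offline. Assumes openssl 1.0.2 or later on PATH; host name
# and output directory are arguments with defaults chosen for this example.

gen_ec_cert() {
    host="${1:-hyperledger-devenv}"
    outdir="${2:-./certs}"
    mkdir -p "$outdir" || return 1

    # genpkey writes an unencrypted PKCS#8 key ("BEGIN PRIVATE KEY"), the same
    # format the post's "req -newkey ec:... -nodes" produces and the one
    # Netty's JDK SSL provider expects. The subshell umask keeps it mode 600.
    ( umask 077 && openssl genpkey -algorithm EC \
        -pkeyopt ec_paramgen_curve:prime256v1 -out "$outdir/ec.key" ) || return 1

    # Non-interactive request config: the CN still names the host as in the
    # post, but the subjectAltName is what TLS clients actually match against.
    cat > "$outdir/ec.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext
[dn]
C = CA
ST = Quebec
O = Example Org
CN = $host
[ext]
subjectAltName = DNS:$host
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
basicConstraints = critical, CA:FALSE
EOF
    openssl req -new -x509 -key "$outdir/ec.key" -config "$outdir/ec.cnf" \
        -days 3650 -out "$outdir/ec.crt" || return 1
}

# Succeeds only if the certificate names the host in its SAN, carries a P-256
# key, passes OpenSSL's own host matching, and belongs to the key beside it.
check_ec_cert() {
    host="${1:-hyperledger-devenv}"
    outdir="${2:-./certs}"
    text=$(openssl x509 -in "$outdir/ec.crt" -noout -text) || return 1
    printf '%s\n' "$text" | grep -q "DNS:$host" || return 1
    printf '%s\n' "$text" | grep -q "prime256v1" || return 1
    # -checkhost applies the same name-matching rules a TLS client uses.
    openssl x509 -in "$outdir/ec.crt" -noout -checkhost "$host" \
        | grep -q "does match" || return 1
    # A certificate/key mismatch otherwise only shows up at handshake time.
    k1=$(openssl pkey -in "$outdir/ec.key" -pubout) || return 1
    k2=$(openssl x509 -in "$outdir/ec.crt" -noout -pubkey) || return 1
    [ "$k1" = "$k2" ]
}

# Usage: gen_ec_cert hyperledger-devenv ./certs && check_ec_cert hyperledger-devenv ./certs
```

Running check_ec_cert with a different host name than the one the certificate was generated for makes it fail, which is exactly what the Java client will do if the name in TstServiceClient.java and the name in the certificate ever drift apart.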
Now, log in to the virtual machine through the Virtualbox window as user ubuntu:
Next, do the command to launch the graphical user interface:
Double-click to start Eclipse Neon, accept the workspace.
Expand our “JavaGrpc” Maven project.
Open file com.wordpress.bertranszoghy.grpc.TstServiceServer.java and change lines 11 and 12 from:
File cert = new File("/opt/gopath/src/github.com/hyperledger/fabric/devenv/nodecode/certs/server.crt");
File key = new File("/opt/gopath/src/github.com/hyperledger/fabric/devenv/nodecode/certs/key.pem");
to:
File cert = new File("/opt/gopath/src/github.com/hyperledger/fabric/devenv/nodecode/certs/ec.crt");
File key = new File("/opt/gopath/src/github.com/hyperledger/fabric/devenv/nodecode/certs/ec.key");
Next, open file com.wordpress.bertranszoghy.grpc.TstServiceClient.java and change line 20 from:
Next, we clean the project by clicking on the project name “JavaGrpc” > menu Project > Clean…
Next, right-click on the “JavaGrpc” project name > Build Project
Start the Java gRPC server
In Eclipse, right-click on file TstServiceServer.java > Run As > Java Application
The console shows that the server started on port 7777; you can ignore the warning:
Leave the server running.
Run the Java gRPC client
Next, in Eclipse, right-click on file TstServiceClient.java > Run As > Java Application
As before, the communication over SSL/TLS is successful:
(end of post)
Bertrand Szoghy, 2017-06, Quebec City.