  Tutorial: Construct secure networked applications with certificates, Part 1 - JavaWorld January 2001

By Todd Sundsted
Certificates add value to public-key cryptography
I am thankful that the security issue has been pushed out of obscurity and into the spotlight during the last few years. Due to well-publicized threats and attacks, almost everyone, from the development staff on the front line to members of the marketing team, understands (or at least pretends to understand) why good security is important.
Unfortunately, though interest in security has grown, understanding of how to achieve strong security remains weak. As in any maturing field, you must gain familiarity with a growing body of literature, research, technology, and terminology (how many readers have wondered just what PKI, PKCS, and PKIX are?) before attaining proficiency.
As Java programmers, we have it easier than most. Sun seems to recognize the importance of providing high-quality tools with which to build secure solutions, especially in the enterprise arena. Even so, judging by the questions on Sun's security mailing list (see Resources for a link), little introductory material is available on the topic.
This series, then, is an attempt to shed a little more light on some of the core tools used to build secure applications in Java -- not secure from the byte code perspective that was so popular in the past, but rather secure from a user, application, and network perspective. If you're not clear on the difference between the two, read on and you'll soon see where I'm heading.
I'll begin Part 1 by introducing public-key cryptography, and later explain how to add value with certificates.
You can read the whole series on certificates:
Part 1: Certificates add value to public-key cryptography
Part 2: Learn to use the X.509 certificates
Part 3: Use the Java CRL and X509CRL classes
Part 4: Authenticate clients and servers, and verify certificate chains
The foundation
Much of the mechanism underlying modern application and network security builds upon a type of cryptography known as public-key cryptography. You can understand the importance of public-key cryptography to security without understanding the technical details, so let's take a brief cruise through the neighborhood.
Public-key cryptography differs from traditional symmetric, or shared-key cryptography, in its use of two related, but slightly different, keys. One key, the private key, is kept secret by the owner of the key. The other key, known as the public key, may be distributed far and wide by its owner. The keys in the key pair are complementary. Only the private key can decrypt information encrypted with the public key, and vice versa. And only the public key verifies information signed with the private key, and vice versa.
There are several public-key algorithms in use today. The most popular is known as RSA (because it was invented by Rivest, Shamir, and Adleman), which was the subject of a patent that expired in September 1999.
Whatever the specific algorithm used, public-key cryptography avoids the complicated problem of key exchange -- the process by which communicating parties each exchange or otherwise obtain the keys necessary to secure a conversation between them -- and enables a number of desirable applications, including digital signatures.
Key exchange illustrates one of the problems with symmetric-key cryptography that public-key cryptography so elegantly solves. It also introduces the inherent need in public-key cryptography that certificates solve, verifying the authenticity of an entity's purported public key.
Let's take a look.
Key exchange
For any cryptographic process to work, the entities that are intent on using the process must hold the necessary cryptography keys. In the case of shared-key cryptography, both entities must hold the same key. Since the shared key must be kept absolutely secret for the process to be secure, the act of key exchange becomes critical to the security of the process as a whole. You can't just mail the key to your buddy. If any flaws in the key exchange process crop up, the security of the entire application weakens.
Public-key cryptography nicely avoids the key-exchange issue. In public-key cryptography, owners keep their private keys private and never exchange them. On the other hand, owners can publish public keys anywhere they'd like. As long as you keep your private key private, and a potential correspondent can obtain your public key, the communication between the two of you remains secure.
Therein lies the problem with public-key cryptography. Consider two entities that have never previously communicated. How can you be sure that the public key that one entity is using to communicate with the other entity is, in fact, that entity's public key? What if the public key, in fact, belongs to a malicious third party performing a man-in-the-middle attack?
Keys are, after all, nothing more than strings of bits. Even if they are tagged with metadata, how can you be sure that no one has tainted the metadata? The solution involves the introduction of an item called a certificate and a trusted third party known as a certificate authority.
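The two rules stated above (only the private key decrypts what the public key encrypted; only the public key verifies what the private key signed) and the problem raised just now can both be run through in code. The following is an added example written for this page in Go's standard library; it is not from the article, and the series itself uses the Java APIs, which Part 2 onward covers. The names `Party`, `RunDemo` and `Result` are this example's own. The last field of the result is the point of the section: a public key handed to Bob under the label "Alice" verifies signatures made with its matching private key whether or not Alice holds that private key, because nothing in the key bits names its owner.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Party models a key-pair owner: the private key never leaves the struct, only PublicKey() is handed out.
type Party struct {
	Name string
	priv *rsa.PrivateKey
}

// NewParty generates a fresh 2048-bit RSA key pair for the named entity.
func NewParty(name string) (*Party, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, priv: priv}, nil
}

// PublicKey is the half of the pair that may be published anywhere.
func (p *Party) PublicKey() *rsa.PublicKey { return &p.priv.PublicKey }

// Sign produces an RSA-PSS signature over SHA-256(msg) with the private key.
func (p *Party) Sign(msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, p.priv, crypto.SHA256, digest[:], nil)
}

// Decrypt opens a message that was encrypted to this party's public key.
func (p *Party) Decrypt(ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, p.priv, ct, nil)
}

// Encrypt seals msg (RSA-OAEP) so that only the matching private key can open it.
func Encrypt(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// Verify reports whether sig is a valid signature over msg under pub. It establishes only
// "the private key matching pub made this", nothing about who holds that private key.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// Result records the outcome of each check in RunDemo.
type Result struct {
	OwnerDecrypts, OtherDecrypts       bool // who can open a message encrypted to Alice
	OwnerKeyVerifies, OtherKeyVerifies bool // which public key accepts Alice's signature
	SubstitutedKeyVerifies             bool // Bob's check when handed a third party's key as "Alice's"
}

// RunDemo exercises the two complementary-key rules from the text, then the problem the
// text raises: Bob, who has never talked to Alice, is handed a public key labelled "Alice".
// If the key and the signature both came from a third party, Bob's check passes just the
// same; the bits of a key carry no name, and that gap is what a certificate fills.
func RunDemo() (Result, error) {
	var r Result
	alice, err := NewParty("Alice")
	if err != nil {
		return r, err
	}
	third, err := NewParty("Third party")
	if err != nil {
		return r, err
	}
	msg := []byte("transfer approved") // constructed sample message
	ct, err := Encrypt(alice.PublicKey(), msg)
	if err != nil {
		return r, err
	}
	pt, err := alice.Decrypt(ct)
	r.OwnerDecrypts = err == nil && string(pt) == string(msg)
	_, err = third.Decrypt(ct)
	r.OtherDecrypts = err == nil
	sigAlice, err := alice.Sign(msg)
	if err != nil {
		return r, err
	}
	r.OwnerKeyVerifies = Verify(alice.PublicKey(), msg, sigAlice)
	r.OtherKeyVerifies = Verify(third.PublicKey(), msg, sigAlice)
	sigThird, err := third.Sign(msg) // the substituted key signs the same message
	if err != nil {
		return r, err
	}
	r.SubstitutedKeyVerifies = Verify(third.PublicKey(), msg, sigThird)
	return r, nil
}

func main() {
	r, err := RunDemo()
	fmt.Printf("%+v %v\n", r, err)
}
```

Run it and the first four fields come out true, false, true, false, as the text states; the fifth is true, which is why a bare public key is not enough and a certificate is needed to bind the key to a name.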
An introduction to certificates
Certificates come in many shapes and sizes, but they all play the same role. At the barest minimum, a certificate is a document that contains information identifying an entity (in the case of X.509 certificates, using that entity's X.500 distinguished name (DN)) and the entity's public key. Another entity digitally signs and therefore certifies both pieces of information.
If you believe that the signing entity is honest and that its private key hasn't been compromised, then you can safely assume that the signing entity believes that the public key indeed belongs to the named entity. Depending on how much you trust the signing entity, that may be all that's required to conduct business.
Of course, to validate the signature of the signing entity, you need the signing entity's public key. Often, that public key is stored in a self-signed certificate -- a certificate digitally signed by the same entity whose public key is contained within. That certificate, to be effective, must be generally distributed (as part of a software package, for example) and easily verified (via a published SHA1 or MD5 hash, for example).
The simplest practical arrangement consists of a chain of two certificates. One certificate contains the public key of the entity with which you wish to communicate. The second certificate, or root certificate, contains the public key of the entity that certified the first certificate. That arrangement is illustrated in Figure 1 below.
Figure 1. A certificate chain
Figure 2. A solo certificate
As I previously mentioned, for that system to be effective, the root certificate must be generally available and its validity easily verified. Furthermore, all parties planning on taking part in the secure interaction must trust the issuer. In light of that trust, and as an indication of their ability and willingness to create signed certificates for other entities, the root certificate's creator is called a certificate authority (CA).
In practice, transmitting the entire certificate chain between entities is often unnecessary. Many applications (popular Web browsers and Web servers, for example) are preconfigured with a set of acceptable root certificates from well-known CAs. As such, the entities represented by those applications only need to send the certificate containing their public key, as illustrated in Figure 2 above.
The certificate chain could also contain intermediate certificates between the root certificate and the ultimate certificate containing the public key of interest. Figure 3 illustrates the arrangement. In that case, each certificate in the chain may be validated by the next in the chain until the root certificate is reached. Typically, you only encounter certificate chains of that length in situations involving CA mutual authentication.
Figure 3. A long certificate chain
More on certificates
As I mentioned earlier, certificates come in multiple formats. Popular types include X.509 certificates, PGP (Pretty Good Privacy) certificates, and SDSI (Simple Distributed Security Infrastructure) certificates. The PGP certificate format was the first to achieve widespread usage. Java supports the X.509 format, an international standard created by the ITU (International Telecommunication Union).
Beyond the certificate's owner name and public key and the certifying entity's name and signature, X.509 certificates include additional information that makes them more useful, including the certificate's serial number (used for certificate revocation), a validity period (used to limit a certificate's lifetime), and its signature algorithm identifier.
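To make the chain-walking rule concrete (each certificate validated by the next in the chain until a trusted root is reached, covering the two-certificate chain of Figure 1, the solo certificate of Figure 2 and the longer chain of Figure 3) and to show the X.509 fields just listed being set, here is an added example in Go's standard library. It is not code from the article or from JavaWorld; the series uses the Java APIs, covered from Part 2 on. It builds a throwaway root, intermediate and leaf with fresh keys (constructed demo material, not any real CA's certificates) and then validates chains against a set of trusted roots. The function and name strings (`template`, `issue`, `BuildDemoChain`, `WalkChain`, "Demo Root CA") are this example's own.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// template fills the X.509 fields the text lists: subject name, serial number and validity period.
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign // a CA key is allowed to certify other keys
	}
	return t
}

// issue signs tmpl with signer's key; passing tmpl as its own parent yields a
// self-signed certificate, i.e. a root. The signature algorithm follows from the key.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildDemoChain creates root -> intermediate -> leaf (Figure 3) with fresh
// P-256 keys. Constructed demo material, not any real CA's certificates.
func BuildDemoChain() (leaf, inter, root *x509.Certificate, err error) {
	var keys [3]*ecdsa.PrivateKey
	for i := range keys {
		if keys[i], err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
			return nil, nil, nil, err
		}
	}
	rootT := template("Demo Root CA", 1, true)
	if root, err = issue(rootT, rootT, &keys[0].PublicKey, keys[0]); err != nil {
		return nil, nil, nil, err
	}
	if inter, err = issue(template("Demo Intermediate CA", 2, true), root, &keys[1].PublicKey, keys[0]); err != nil {
		return nil, nil, nil, err
	}
	leaf, err = issue(template("service.example.test", 3, false), inter, &keys[2].PublicKey, keys[1])
	return leaf, inter, root, err
}

// WalkChain validates a chain the way the text describes: each certificate is checked against
// the one after it, and the last one against the trusted roots. chain is ordered leaf first; it
// may omit the root (Figure 1 with the root preconfigured) or be the leaf alone (Figure 2).
func WalkChain(chain, roots []*x509.Certificate, now time.Time) error {
	if len(chain) == 0 {
		return fmt.Errorf("empty chain")
	}
	anchors := map[string]*x509.Certificate{} // trusted roots, keyed by subject name
	for _, r := range roots {
		anchors[string(r.RawSubject)] = r
	}
	for i, c := range chain {
		if now.Before(c.NotBefore) || now.After(c.NotAfter) {
			return fmt.Errorf("%q is outside its validity period", c.Subject.CommonName)
		}
		issuer := anchors[string(c.RawIssuer)] // last link: must be anchored in the trusted set
		if i+1 < len(chain) {
			issuer = chain[i+1] // inner link: the next certificate vouches for this one
		}
		if issuer == nil {
			return fmt.Errorf("%q is not issued by a trusted root", c.Subject.CommonName)
		}
		// The issuer name must match and the signature must verify under the issuer's
		// public key; CheckSignatureFrom also rejects issuers that are not marked as CAs.
		if !bytes.Equal(c.RawIssuer, issuer.RawSubject) || c.CheckSignatureFrom(issuer) != nil {
			return fmt.Errorf("%q is not validly signed by %q", c.Subject.CommonName, issuer.Subject.CommonName)
		}
	}
	return nil
}

func main() {
	leaf, inter, root, err := BuildDemoChain()
	if err != nil {
		panic(err)
	}
	fmt.Println("chain check:", WalkChain([]*x509.Certificate{leaf, inter}, []*x509.Certificate{root}, time.Now()))
}
```

`WalkChain` is deliberately the bare algorithm from the text so that each step is visible; it checks names, signatures, CA marking and validity dates but nothing else (no revocation, no name constraints, no hostname match). In real Go code call `(*x509.Certificate).Verify` with the roots and intermediates in cert pools instead, which performs those additional checks; the Java equivalents are the subject of the later parts of this series.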
Conclusion
Trust limits the scalability of public-key cryptography. The difficulties associated with managing public keys and the dangers associated with using an invalid public key mandate the usage of certificates. Certificates, along with a network of trusted third parties known as certificate authorities (CAs), allow public keys to scale to meet the needs of enterprise and interenterprise usage.
Next month, I'll discuss certificate support in the Java platform. You'll examine the APIs, write some code, and consider the important issue of certificate interoperability with other platforms.