Featured White Papers

• Measuring Risk to Improve Java Software Quality
• Do You Really Get Classloaders?
• Pragmatic Continuous Delivery with Jenkins, Nexus, and LiveRebel
• Your Next Java Web App: Less XML, No Long Restarts, Fewer Hassles
• Coding with JRebel, Java Forever Changed
• 2012 Developer Productivity Report: Java Tools, Tech, Devs, and Data

Sponsored Links

• Graph databases are 1000x faster than relational.

  Learn More!

• Career opportunities at Harman- Careers That'll Rock Your Socks Off.

  Learn More!

• Developer-friendly Java PDF libraries by Qoppa Software

  Live Demos

• Stop blaming your app! Diagnose Java performance issues.

  Free tool >

• UrbanCode: Go From Continuous Integration to
  Continuous Delivery

  Learn More!

Sponsored Links

Optimize with a SATA RAID Storage Solution
Range of capacities as low as $1250 per TB. Ideal if you currently rely on servers/disks/JBODs

Construct secure networked applications with certificates, Part 1

Certificates add value to public-key cryptography

By Todd Sundsted, JavaWorld.com, 01/12/01

Unfortunately, though interest in security has grown, a weak understanding persists on how to achieve strong security. Like any maturing industry, you must gain familiarity with a growing body of literature, research, technology, and terminology (How many readers have wondered just what PKI, PKCS, and PKIX are?) before realizing proficiency.

As Java programmers, we have it easier than most. Sun seems to recognize the importance of providing high-quality tools with which to build secure solutions, especially in the enterprise arena. Even so, judging by the questions on Sun's security mailing list (see Resources for a link) little introductory material is available on the topic.

This series, then, is an attempt to shed a little more light on some of the core tools used to build secure applications in Java -- not secure from the byte code perspective that was so popular in the past, but rather secure from a user, application, and network perspective. If you're not clear on the difference between the two, read on and you'll soon see where I'm heading.

I'll begin Part 1 by introducing public-key cryptography, and later explain how to add value with certificates.

You can read the whole series on certificates:

• Part 1: Certificates add value to public-key cryptography
• Part 2: Learn to use the X.509 certificates
• Part 3: Use the Java CRL and X509CRL classes
• Part 4: Authenticate clients and servers, and verify certificate chains

The foundation

Much of the mechanism underlying modern application and network security builds upon a type of cryptography known as public-key cryptography. You can understand the importance of public-key cryptography to security without understanding the technical details, so let's take a brief cruise through the neighborhood.

Public-key cryptography differs from traditional symmetric, or shared-key cryptography, in its use of two related, but slightly different, keys. One key, the private key, is kept secret by the owner of the key. The other key, known as the public key, may be distributed far and wide by its owner. The keys in the key pair are complementary. Only the private key can decrypt information encrypted with the public key, and vice versa. And only the public key verifies information signed with the private key, and vice versa.

There are several public-key algorithms in use today. The most popular is known as RSA (because it was invented by Rivest, Shamir, and Adleman), which was the subject of a patent that expired in September 1999.

Whatever the specific algorithm used, public-key cryptography avoids the complicated problem of key exchange -- the process by which communicating parties each exchange or otherwise obtain the keys necessary to secure a conversation between them -- and enables a number of desirable applications, including digital signatures.