|
|
Featured White Papers
- Why choose an Open Source BPM?
- 10 FAQs on Business Process Management
- Best Practices for Getting Started with BPM
- Free Your Devs From The Pain Of Java Redeploys
- Increase Velocity 40% by Using JRebel
- What Developers Want: The End of Application Redeploys
- Developer Productivity Report: Java Tools, Tech, Devs, and Data
- Coding with JRebel: Java Forever Changed
- Utilizing Fast Testing to Transform Java Development
- Do You Really Get Classloaders?
- Pragmatic Continuous Delivery with Jenkins, Nexus, and LiveRebel
- Your Next Java Web App: Less XML, No Long Restarts, Fewer Hassles
- Coding with JRebel, Java Forever Changed
- 2012 Developer Productivity Report: Java Tools, Tech, Devs, and Data
Sponsored Links
Sponsored Links
Optimize with a SATA RAID Storage Solution
Range of capacities as low as $1250 per TB. Ideal if you currently rely on servers/disks/JBODs
Construct secure networked applications with certificates, Part 1
Certificates add value to public-key cryptography
Page 3 of 3
The simplest practical arrangement consists of a chain of two certificates. One certificate contains the public key of the entity with which you wish to communicate. The second certificate, or root certificate, contains the public key of the entity that certified the first certificate. That arrangement is illustrated in Figure 1 below.
Figure 1. A certificate chain
Figure 2. A solo certificate
As I previously mentioned, for that system to be effective, the root certificate must be generally available and its validity easily verified. Furthermore, all parties planning on taking part in the secure interaction must trust the issuer. In light of that trust, and as an indication of their ability and willingness to create signed certificates for other entities, the root certificate's creator is called a certificate authority (CA).
In practice, transmitting the entire certificate chain between entities is often unnecessary. Many applications (popular Web browsers and Web servers, for example) are preconfigured with a set of acceptable root certificates from well-known CAs. As such, the entities represented by those applications only need to send the certificate containing their public key, as illustrated in Figure 2 above.
The certificate chain could also contain intermediate certificates between the root certificate and the ultimate certificate containing the public key of interest. Figure 3 illustrates the arrangement. In that case, each certificate in the chain may be validated by the next in the chain until the root certificate is reached. Typically, you only encounter certificate chains of that length in situations involving CA mutual authentication.
Figure 3. A long certificate chain
More on certificates
As I mentioned earlier, certificates come in multiple formats. Popular types include X.509 certificates, PGP (Pretty Good Privacy) certificates, and SDSI (Simple Distributed Security Infrastructure) certificates. The PGP certificate format was the first to achieve widespread usage. Java supports the X.509 format, an international standard created by the ITU (International Telecommunication Union).
Beyond the certificate's owner name and public key and the certifying entity's name and signature, X.509 certificates include additional information that makes them more useful, including the certificate's serial number (used for certificate revocation), a validity period (used to limit a certificate's lifetime), and its signature algorithm identifier.
Conclusion
Trust limits the scalability of public-key cryptography. The difficulties associated with managing public keys and the dangers associated with using an invalid public key mandate the usage of certificates. Certificates, along with a network of trusted third parties known as certificates authorities (CAs), allow public keys to scale to meet the needs to enterprise and interenterprise usage.
Next month, I'll discuss certificate support in the Java platform. You'll examine the APIs, write some code, and consider the important issue of certificate interoperability with other platforms.
About the author
Todd Sundsted has been writing programs since computers became available in convenient desktop models. Though originally interested in building distributed applications in C++, Todd moved on to the Java programming language when it became the obvious choice for that sort of thing. In addition to writing, Todd is cofounder and chief architect of PointFire.Read more about Tools & Methods in JavaWorld's Tools & Methods section.
- Feedback
More from JavaWorld
Resources
- "Construct Secure Networked Applications with Certificates," Todd Sunsted (JavaWorld)
- Part 1Certificates add value to public-key cryptography (January 12, 2001)
- Part 2Learn to use the X.509 certificates (February 16, 2001)
- Part 3Use the Java CRL and X509CRL classes (March 16, 2001)
- Part 4Authenticate clients and servers, and verify certificate chains (April 13, 2001)
- Sun's security mailing list
http://archives.java.sun.com/archives/java-security.html - The java.security.cert package
http://java.sun.com/j2se/1.3/docs/api/java/security/cert/package-summary.html - Information on X.509 certificates
http://java.sun.com/products/jdk/1.2/docs/guide/security/cert3.html - Have a security question? Check out JavaWorld's Java Security discussion
http://www.itworld.com/jump/jw-0112-howto/forums.itworld.com/webx?14@@.ee6b80e - Sign up for the JavaWorld This Week free weekly email newsletter and keep up with what's new at JavaWorld
http://www.idg.net/jw-subscribe - For a complete listing of all How-To Java columns
http://www.javaworld.com/javaworld/topicalindex/jw-ti-howto.html - Read more articles on Java Security in the JavaWorld Topical Index
http://www.javaworld.com/javaworld/topicalindex/jw-ti-security.html