1-4 Oracle Fusion Middleware Reference for Oracle Security Developer Tools
Relying third parties use the certificates issued by the CA and the public keys contained therein to verify digital certificates and encrypt data.
1.2.1 Key Pairs
Encryption techniques often use a text or number called a key, known only to the sender and recipient. When both use the same key, the encryption scheme is called symmetric. Difficulties with relying on a symmetric system include getting that key to both parties without allowing an eavesdropper to get it, too; and the fact that a separate key is needed for every two people, so that each individual must maintain many keys, one for each recipient.
Public key cryptography uses a key pair of mathematically related cryptographic keys - the public key and the private key. For an explanation of the use of key pairs, see Asymmetric Cryptographic Algorithms.
Table 1–1 summarizes who uses public and private keys and when:
1.2.2 Certificate Authority
A Certificate Authority (CA) is a trusted third party that vouches for the public key owner's identity. Examples of certificate authorities include Verisign and Thawte.
1.2.3 Digital Certificates
The certification authority validates the public key's link to a particular entity by creating a digital certificate. This digital certificate contains the public key and information about the key holder and the signing certification authority. Using a PKI certificate to authenticate one's identity is analogous to identifying oneself with a driver's license or passport.
1.2.4 Related PKI Standards
A number of standards and protocols support PKI certificate implementation.
Cryptographic Message Syntax
Cryptographic Message Syntax (CMS) is a general syntax for data protection developed by the Internet Engineering Task Force (IETF). It supports a wide variety of content types including signed data, enveloped data, digests, and encrypted data, among others. CMS allows multiple encapsulation so that, for example, previously signed data can be enveloped by a second party.
Values produced by CMS are encoded using X.509 Basic Encoding Rules (BER), meaning that the values are represented as octet strings.
Table 1–1 Summary of Public and Private Key Usage
Function                      Key Type      Whose Key
Encrypt data for a recipient  Public key    Receiver
Sign data                     Private key   Sender
Decrypt data received         Private key   Receiver
Verify a signature            Public key    Sender
Secure/Multipurpose Internet Mail Extension
Secure/Multipurpose Internet Mail Extension (S/MIME) is an Internet Engineering Task Force (IETF) standard for securing MIME data through the use of digital signatures and encryption. S/MIME provides the following cryptographic security services for electronic messaging applications:
■ Authentication
■ Message integrity and non-repudiation of origin using digital signatures
■ Privacy and data security using encryption
Lightweight Directory Access Protocol
Lightweight Directory Access Protocol (LDAP) is the open standard for obtaining and posting information to commonly used directory servers. In a public key infrastructure (PKI) system, a user's digital certificate is often stored in an LDAP directory and accessed as needed by requesting applications and services.
Time Stamp Protocol
In a Time Stamp Protocol (TSP) system, a trusted third-party Time Stamp Authority (TSA) issues time stamps for digital messages. Time stamping proves that a message was sent by a particular entity at a particular time, providing non-repudiation for online transactions. The Time Stamp Protocol, as specified in RFC 3161, defines the participating entities, the message formats, and the transport protocol involved in time stamping a digital message.
To see how a time-stamping system can work, suppose Sally signs a document and wants it time stamped. She computes a message digest of the document using a secure hash function and then sends the message digest (but not the document itself) to the TSA, which sends her in return a digital time stamp consisting of the message digest, the date and time it was received at the TSA server, and the signature of the TSA. Since the message digest does not reveal any information about the content of the document, the TSA cannot eavesdrop on the documents it time stamps. Later, Sally can present the document and time stamp together to prove when the document was written. A verifier computes the message digest of the document, makes sure it matches the digest in the time stamp, and then verifies the signature of the TSA on the time stamp.
Online Certificate Status Protocol
Online Certificate Status Protocol (OCSP) is one of two common schemes for checking the validity of digital certificates. The other, older method, which OCSP has superseded in some scenarios, is known as the certificate revocation list (CRL).
OCSP overcomes the chief limitation of CRL: the fact that updates must be frequently downloaded to keep the list current at the client end. When a user attempts to access a server, OCSP sends a request for certificate status information. The server sends back a response of good, revoked, or unknown. The protocol specifies the syntax for communication between the server (which contains the certificate status) and the client application (which is informed of that status).
Certificate Management Protocol
The certificate management protocol (CMP) handles all relevant aspects of certificate creation and management. CMP supports interactions between public key infrastructure (PKI) components, such as Certificate Authorities (CAs), Registration Authorities (RAs), and end entities that are issued certificates.
1.2.5 Benefits of PKI