Transcript Case Study: A Forensic Lesson for Web Security (MSS, part one)

GS: Chapter 6
Using Java Cryptography for
Authentication
(Part B)
csci5233 Computer Security
1
Topics

Message digest (MD)

Password authentication for MD

Message Authentication Code (MAC)

Digital signatures & Identity authentication

Digital certificates, X.509, certificate chaining

Keystores

Public Key Infrastructure (PKI)
csci5233 Computer Security
2
Digital Certificates

A certificate (also known as a public-key certificate) is a
digitally signed statement from one entity (the issuer),
saying that the public key (and some other information) of
another entity (the subject) has some specific value.

When data is digitally signed, the signature can be verified
to check the data integrity and the authenticity. (How? )

a certificate = E (the CA’s private key,
Subject’s public key + other identity info.
)

certificate chaining
csci5233 Computer Security
3
Digital Certificates

Sample application:
A JAR (Java Archive) file packages class files, images, sounds, and/or
other digital data in a single file.
The jarsigner tool uses information from a keystore to generate or
verify digital signatures for JAR files.
jarsigner verifies the digital signature of a JAR file, using the certificate
that comes with it (it is included in the signature block file of the
JAR file), and then checks whether or not the public key of that
certificate is "trusted", i.e., is contained in the specified keystore.
More information in Chapter 7.

certificate chaining
csci5233 Computer Security
4
X.509 Certificates

X.509 Certificates
The X.509 standard defines what information can go into a
certificate, and describes how to write it down (the data
format).

All X.509 Certificates have the following data, in addition
to the signature.
•
Version: This identifies which version of the X.509
standard applies to this certificate (v1, v2, v3).
•
Serial Number: The entity that created the certificate is
responsible for assigning it a serial number to distinguish
it from other certificates it issues. <Cont. on Next slide>
csci5233 Computer Security
5
X.509 Certificates
•
Signature Algorithm Identifier: This identifies the
algorithm used by the CA to sign the certificate.
•
Issuer Name: The X.500 Distinguished Name of the
entity that signed the certificate.
This is normally a CA.
Using this certificate implies trusting the entity that
signed this certificate.
Note that in some cases, such as root or top-level CA
certificates, the issuer signs its own certificate.
•
<Cont. on Next slide>
csci5233 Computer Security
6
X.509 Certificates
•
Validity Period: Each certificate is valid only for a limited
amount of time.
•
Subject Name: The name of the entity whose public key
the certificate identifies.
This name uses the X.500 standard, so it is intended to be
unique across the Internet.
•
Subject Public Key Information: This is the public key of
the entity being named, together with an algorithm
identifier which specifies which public key crypto system
this key belongs to and any associated key parameters.
csci5233 Computer Security
7
Certificates in Java

Main classes:

java.security.cert. Certificate
Primary methods: getPublicKey( ), verify( )

java.security.cert.X509Certificate
Provides extra get( ) methods for fetching X.509 attributes from a
certificate

java.security.cert. CertificateFactory
a factory class (that is, use the getInstance( ) to initiate it)
generates a certificate object from an encoding of a certificate
csci5233 Computer Security
8
The Keytool

Keytool - Key and Certificate Management Tool
keytool stores the keys and certificates in a so-called keystore.
The default keystore implementation implements the keystore as a file (the
default .keystore in the user’s home directory).
It protects private keys with a password.
It manages a keystore of private keys and their associated X.509 certificate
chains authenticating the corresponding public keys.
It also manages certificates from trusted entities.
It enables users to administer their own public/private key pairs and
associated certificates for use in self-authentication (where the user
authenticates himself/herself to other users/services) or data integrity
and authentication services, using digital signatures.
csci5233 Computer Security
9
The Keytool

keytool usage:
-certreq
-delete
-export: Exports a certificate from a keystore into a certificate file.
-genkey: Generates a key pari and a self-signed certificate.
-help
-identitydb
-import: Imports a certificate into the keystore.
-keyclone
-keypasswd
-list: Lists all the aliases in the keystore.
-printcert: Displays a certificate (stored in a file).
-selfcert: Generates a self-signed certificates.
-storepasswd
csci5233 Computer Security
10
The Keytool

To generate a key pair and a certificate using the default
algorithm, DSA:
> keytool -genkey -alias test
> keytool –list
> keytool –list -v

To generate a key pair and a certificate by using the
changing the default algorithm to RSA:
> keytool -genkey -alias test2 –keyalg RSA

To store a certificate into a file (i.e., export)
> keytool -export -alias test -file test.cert
csci5233 Computer Security
11
Certificates in Java

A sample program to print information from an existing
certificate:
PrintCertInfo.java
> java PrintCertInfo test.cert
c.f.,
> keytool -v -printcert -file test.cert

To print certificate information directly from a keystore:
PrintCertFromKeyStore.java
>java PrintCertFromKeyStore test password
csci5233 Computer Security
12
Certificates in Java

A sample program demonstrating how to build your own CA:
SignCertificate.java

Given:
1.
a root CA (either self-signed or issued by a trusted CA)
> keytool -genkey -v -alias CA -keyalg RSA -keystore keystore
2.
a certificate to be certified by the root CA
> keytool -genkey -v -alias myKey -keyalg RSA -keystore keystore

Output:
•
a new certificate in which the issuer is CA and the subject is
myKey
> java SignCertificate keystore CA myKey myKey_signed
> keytool -list -v -keystore keystore
csci5233 Computer Security
13
PKI

Public Key Infrastructure
A system for managing public-key crypto.
An attempt to integrate a number of protocols and standards into a more
unified system that will provide secure services.
See http://csrc.nist.gov/pki/documents/nissc98a.ppt for a snapshot of the PKI
standards.
See http://www.ietf.org/html.charters/pkix-charter.html.

Required services:
•
certificate creation
•
certificate revocation
•
certificate validation
•
certificate distribution
csci5233 Computer Security
14
Next

Bishop, Chapter 10:
Key management, digital signatures

Relevant links:
•
How do I export certificates in Windows 2000?
http://www.jsiinc.com/SUBK/tip5000/rh5015.htm
csci5233 Computer Security
15