Presentation is loading. Please wait.

Presentation is loading. Please wait.

Csci5233 Computer Security1 GS: Chapter 6 Using Java Cryptography for Authentication (Part B)

Published byHomer Simpson Modified over 9 years ago

Similar presentations

Presentation on theme: "Csci5233 Computer Security1 GS: Chapter 6 Using Java Cryptography for Authentication (Part B)"— Presentation transcript:

1 csci5233 Computer Security1 GS: Chapter 6 Using Java Cryptography for Authentication (Part B)

2 csci5233 Computer Security2 Topics

3 csci5233 Computer Security3 Digital Certificates  A certificate (also known as a public-key certificate) is a digitally signed statement from one entity (the issuer), saying that the public key (and some other information) of another entity (the subject) has some specific value.  When data is digitally signed, the signature can be verified to check the data integrity and the authenticity. (How? )  a certificate = E (the CA’s private key, Subject’s public key + other identity info. )  certificate chaining

4 csci5233 Computer Security4 Digital Certificates  Sample application: A JAR (Java Archive) file packages class files, images, sounds, and/or other digital data in a single file. The jarsigner tool uses information from a keystore to generate or verify digital signatures for JAR files.jarsigner jarsigner verifies the digital signature of a JAR file, using the certificate that comes with it (it is included in the signature block file of the JAR file), and then checks whether or not the public key of that certificate is "trusted", i.e., is contained in the specified keystore. More information in Chapter 7.  certificate chaining

5 csci5233 Computer Security5 X.509 Certificates  X.509 Certificates The X.509 standard defines what information can go into a certificate, and describes how to write it down (the data format).  All X.509 Certificates have the following data, in addition to the signature. Version: This identifies which version of the X.509 standard applies to this certificate (v1, v2, v3). Serial Number: The entity that created the certificate is responsible for assigning it a serial number to distinguish it from other certificates it issues.

6 csci5233 Computer Security6 X.509 Certificates Signature Algorithm Identifier: This identifies the algorithm used by the CA to sign the certificate. Issuer Name: The X.500 Distinguished Name of the entity that signed the certificate.X.500 Distinguished Name This is normally a CA. Using this certificate implies trusting the entity that signed this certificate. Note that in some cases, such as root or top-level CA certificates, the issuer signs its own certificate.

7 csci5233 Computer Security7 X.509 Certificates Validity Period: Each certificate is valid only for a limited amount of time. Subject Name: The name of the entity whose public key the certificate identifies. This name uses the X.500 standard, so it is intended to be unique across the Internet. Subject Public Key Information: This is the public key of the entity being named, together with an algorithm identifier which specifies which public key crypto system this key belongs to and any associated key parameters.

8 csci5233 Computer Security8 Certificates in Java  Main classes:  java.security.cert. Certificate Primary methods: getPublicKey( ), verify( )  java.security.cert.X509Certificate Provides extra get( ) methods for fetching X.509 attributes from a certificate  java.security.cert. CertificateFactory a factory class (that is, use the getInstance( ) to initiate it) generates a certificate object from an encoding of a certificate

9 csci5233 Computer Security9 The Keytool  Keytool - Key and Certificate Management Tool keytool stores the keys and certificates in a so-called keystore. The default keystore implementation implements the keystore as a file (the default.keystore in the user’s home directory). It protects private keys with a password. It manages a keystore of private keys and their associated X.509 certificate chains authenticating the corresponding public keys. It also manages certificates from trusted entities. It enables users to administer their own public/private key pairs and associated certificates for use in self-authentication (where the user authenticates himself/herself to other users/services) or data integrity and authentication services, using digital signatures.

10 csci5233 Computer Security10 The Keytool  keytool usage: -certreq -delete -export: Exports a certificate from a keystore into a certificate file. -genkey: Generates a key pari and a self-signed certificate. -help -identitydb -import: Imports a certificate into the keystore. -keyclone -keypasswd -list: Lists all the aliases in the keystore. -printcert: Displays a certificate (stored in a file). -selfcert: Generates a self-signed certificates. -storepasswd

11 csci5233 Computer Security11 The Keytool  To generate a key pair and a certificate using the default algorithm, DSA: > keytool -genkey -alias test > keytool –list > keytool –list -v  To generate a key pair and a certificate by using the changing the default algorithm to RSA: > keytool -genkey -alias test2 –keyalg RSA  To store a certificate into a file (i.e., export) > keytool -export -alias test -file test.cert

12 csci5233 Computer Security12 Certificates in Java  A sample program to print information from an existing certificate: PrintCertInfo.java > java PrintCertInfo test.cert c.f., > keytool -v -printcert -file test.cert  To print certificate information directly from a keystore: PrintCertFromKeyStore.java >java PrintCertFromKeyStore test password

13 csci5233 Computer Security13 Certificates in Java  A sample program demonstrating how to build your own CA: SignCertificate.java SignCertificate.java  Given: 1. a root CA (either self-signed or issued by a trusted CA) > keytool -genkey -v -alias CA -keyalg RSA -keystore keystore 2. a certificate to be certified by the root CA > keytool -genkey -v -alias myKey -keyalg RSA -keystore keystore  Output: a new certificate in which the issuer is CA and the subject is myKey > java SignCertificate keystore CA myKey myKey_signed > keytool -list -v -keystore keystore

14 csci5233 Computer Security14 PKI  Public Key Infrastructure A system for managing public-key crypto. An attempt to integrate a number of protocols and standards into a more unified system that will provide secure services. See http://csrc.nist.gov/pki/documents/nissc98a.ppt for a snapshot of the PKI standards.http://csrc.nist.gov/pki/documents/nissc98a.ppt See http://www.ietf.org/html.charters/pkix-charter.html.http://www.ietf.org/html.charters/pkix-charter.html  Required services: certificate creation certificate revocation certificate validation certificate distribution

15 csci5233 Computer Security15 Next  Bishop, Chapter 10: Key management, digital signatures  Relevant links: How do I export certificates in Windows 2000? http://www.jsiinc.com/SUBK/tip5000/rh5015.htm

Download ppt "Csci5233 Computer Security1 GS: Chapter 6 Using Java Cryptography for Authentication (Part B)"

Similar presentations

Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Public Key Infrastructure (PKI)

Public Key Infrastructure (PKI)
Csci5233 Computer Security1 Bishop: Chapter 10 (Cont.) Key Management: Certificates.

Csci5233 Computer Security1 Bishop: Chapter 10 (Cont.) Key Management: Certificates.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.

Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.
Public Key Management and X.509 Certificates

Public Key Management and X.509 Certificates
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Chapter 4 Authentication Applications. Objectives: authentication functions developed to support application-level authentication & digital signatures.

Chapter 4 Authentication Applications. Objectives: authentication functions developed to support application-level authentication & digital signatures.
Chapter 5 Network Security Protocols in Practice Part I

Chapter 5 Network Security Protocols in Practice Part I
HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.

HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Slide 1 Many slides from Vitaly Shmatikov, UT Austin Public-Key Infrastructure CNS F2006.

Slide 1 Many slides from Vitaly Shmatikov, UT Austin Public-Key Infrastructure CNS F2006.
SMUCSE 5349/7349 Public-Key Infrastructure (PKI).

SMUCSE 5349/7349 Public-Key Infrastructure (PKI).
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
Presented by Xiaoping Yu Cryptography and PKI Cosc 513 Operating System Presentation Presented to Dr. Mort Anvari.

Presented by Xiaoping Yu Cryptography and PKI Cosc 513 Operating System Presentation Presented to Dr. Mort Anvari.

Similar presentations

Ads by Google