The past week happened to be sort of a Security Week. On separate ocassions I was working with symmetric key cryptography and PKI using certificates with digital signatures.
Symmetric keys were more straightforward. Create a cipher, throw in the secret key and data – viola – you have the encrypted data. What’s left is just to keep the secret key safe. DON’T overwrite it yourself!
PKI with Java needed more effort. As usual it was the confusion between the terms: keystore, certificate, signature, CA, keytool, etc. Despite understanding it before, the knowledge just got lost somewhere at the back of my brain.
So what I’ve figured out AGAIN today was: Certificates were invented as an attempt to solve the problem of public key distribution, through a trusted Root Certification Authority. A certificate contains a public key, information about the certified entity, and a signature.
The signature is created by encrypting the HASH of the certificate information and public key using the private key of the certificate issuer. Therefore the signature algorithm is described using a hash algo WITH an encrytion algo, e.g. SHA1withDSA. To verify the signature, calculate the hash using the hash algo on the certificate. Use the issuer’s public key to “decrypt” the signature to get the original hash. If both hashes match, its a valid signature. You do not have to calculate the hash yourself, Java has Signature classes that will compute the hash internally; you just supply it with the relevant data.
A keystore is a database of key pairs and certificates. Certificates may also be contained in independant files. The keystore is protected by a password, and individual key pairs within the keystore is protected by another separate password, each key pair has its unique password.
The keystore can be manipulated using the keytool command line tool. My preferred method is using Windows tools such as KeyToolGUI to help manage and generate keys. Of course if you’re on Unix then too bad. Using keytool you will be able to generate key pairs, export public keys to certificates and import other certificates. A Java application can also read from the keystore (with appropriate passwords) to access key pairs and certificates for the corresponding public/private keys. The keys can then be used in code to encrypt, decrypt, sign, verify signatures, etc.
Sample code are not provided as they can be readily found on the web and by referencing APIs.