Java Security

1) What is "private key"/"symmetric"/"secret key" cryptography?

A private key cryptography algorithm uses the same key for encryption and decryption. Since the key is the only data required to decrypt the ciphertext, it must be kept private/secret.

Encryption; creating ciphertext from plaintext with a specific encryption algorithm and an encryption key

Decryption; recovering plaintext from cipertext using a specific encryption algorithm and a decryption key

2) What is "public key"/"asymmetric" cryptography?

A public key cryptography algorithm uses two different (but related) keys for encryption and decryption. The key used for decryption is kept secret (Private) whereas the encryption key can be distributed openly (Public). Thus, anyone in possession of the public encryption key may encrypt and send a message to the holder of the private decryption key. However, only the holder of the private decryption key may decipher the message. Both keys must be created and used in conjunction, and are often referred to as a key pair.

3) What is hybrid cryptography?

Combination of public and private key cryptography, where the exchange of an encrypted session key is done using public key cryptography. The following encrypted session is then pursued with private/symmetric key cryptography. The main reason is that private key cryptography is generally much quicker than public key cryptography.
4) What is a Message Digest?

A Message Digest is a digitally created hash (fingerprint) created from a plaintext block. All the information of the message is used to construct the Message Digest hash, but the message cannot be recovered from the hash. For this reason, Message Digests are also known as one way hash functions.
The size of a Message Digest is always the same, independent of the size or content of the message from which it was created. Generally, the size of a Message Digest is fairly short ( 1024 bits). The ideal Message Digest algorithm would possibly alter 50% of the bits in the resulting hash if one bit was altered in the plaintext message.
5) What is a Digital Signature?
Digital Signatures are used to ensure the identity of a sender. In conjunction with Message Digests, Digital Signatures prevents someone from altering a message and falsely claiming you wrote the altered message. Digital Signatures are a byproduct of public key cryptography, as demonstrated below. (Believe me, it is simpler to describe the concept of a Digital Signature by taking an example).
6) What do you need to establish computer security?
There are essentially four aspects of computer security:
Aspect Generally achieved by Explanation Effect
Confidentiality Encryption Protects message content from any but sender and recipient Transmission eavesdroppers cannot read or use the message content.
Integrity Message Digest Verifies that a message has not been modified since it was sent Transmission hijackers cannot modify message in transit
Authenticity Digital Signature + Password Uniquely identifies the sender of a message Verification of actual sender possible
Nonrepudiation Cryptographic Receipt Prevents a sender from falsely denying sending a message Message recipient can prove that a message was sent by sender

7) What is SSL?

SSL stands for Secure Socket Layer. It is a protocol developed by Netscape for encrypting information sent between processes over TCP/IP sockets. It sits between application software and the TCP/IP sockets. You'll find it frequently used between web browsers and web servers using the https URL prefix, providing encryption, integrity, authentication, and non-repudiation.
8) How can I support HTTPS (SSL) in a servlet?

The servlet technology by design already supports https (SSL). However, the way this works is not through the servlet technology but through the Web Server. The web server controls whether information is done securely (https) versus non-securely (http).
One way to force servlets to go down the https path is to define your web server to only allow secure connections when accessing servlets. In IIS this can be accomplished through the definition if ISAPI filters. The ISAPI filter can instruct the web server to route all requests that end with a pre-defined prefix to the servlet engine. The trick is to then define files, with the predefined extension, in the web servers directory. For example, if the servlet's name is MyServlet a file with the name MyServlet.xxx would be placed on the web server. All calls to this file would be routed to the servlet engine. And IIS would be used to force all calls to the MyServlet.xxx file to go through https. The JRun servlet engine has examples of how to do this documented on their web page.

1 comment:

Tee Chess said...

Great post. Thanks for providing this excellent detail about so many terms that are related to information security. Some are completely new to me and with the help of this post I came to know about them.
digital signature