Friday, February 22, 2013

Java Security Crib Sheet


"A certificate is a statement, issued by one person, that the public key of another person has a certain value. Essentially, a certificate is a signed public key. Marian creates the certificate by placing some information about her, some information about Will, and Will's public key value into a file. She then signs the file with her own private key. Robin Hood (or anyone else) can download this certificate and verify it using Marian's public key. Robin Hood trusts Marian, so he also now has a trustworthy copy of Will's public key, which he can use to verify files signed by Will.

"To verify a certificate, you need a public key.To verify a public key, you need a certificate. Essentially, one certificate can be verified by another, which is verified by another and so forth. This is called certificate chaining. The chain can't be infinite, so where does it start? The certificate chain starts with a certificate whose issuer and subject are the same. Usually such a certificate is issued by a Certificate Authority."


"A KeyStore is a handy box that holds keys and certificates. One KeyStore contains all the information a single person (or application, or identity) needs for authentication. Usually, you have two distinct uses for authentication

 - You need to prove to others who you are
 - You need to make sure that other people are legitimate

"In the first case you can use a private key to sign data. A certificate that contains the matching public key can be used to prove your identity... The private key is used to sign data; the certificates can be presented as credentials backing up the signature.

"In the second case, you can use other people's certificates to prove to yourself that they are who they say they are."

Message Digest

"A message digest is a special number calculated from a set of input data. If you are familiar with hash functions, it will help you to know that a message digest is a lot like a hash value, except longer. Message digests are sometimes called secure hash functions or cryptographic has functions."


"A Message Authentication Code (MAC), for example, is basically a message digest with an associated key. It produces a short value based on both its input data and the key. In theory, only someone with the same key can produce the same MAC from the same input data."

"MACs differ from digital signatures as MAC values are both generated and verified using the same secret key." [1]

Signing Files

"Another approach to authentication comes from the combination of a message digest and an asymmetric cipher. If Marian encrypts the message digest with her private key, Robin Hood can download the encrypted message digest, decrypt it using Marian's public key, and compare the message digest to one that he computes from the downloaded file. If they match, then he can be sure that the file is correct."

"The encrypted digest is called a signature; Marian has signed the file."

All quotes taken from Java Cryptography, Jonathan Knudsen, except:

[1] Wikipedia 

No comments:

Post a Comment