1

I've a task to write a communicator with PKI. I think about implementation (in Java)of X.509 certificate - I mean SSL/TLS to allow for data/message confidentiality, and message authentication codes for message integrity. All about these I've read in some literature and it's all theoretical. I'm not sure if I think properly. Could anyone, who good understand idea of PKI, give me any advice (for example website where it's good explanation of implementation PKI)?

mydew
  • 57
  • 2
  • 9
  • Even experts in cryptography and IT security don't always get this stuff right – I think it's unreasonable to expect a newcomer to be able to produce a secure application. – ntoskrnl Oct 31 '13 at 16:13
  • It's not commercial project but academical. It doesn't have to be strongly secure. I want only to understand how to implement PKI in Java. – mydew Oct 31 '13 at 16:16
  • Do you want to create the PKI (private keys/certificates) in Java, or do you want to use an existing PKI inside of Java for SSL, etc.? – gtrig Nov 01 '13 at 18:42
  • I want to make certificates using something outside (for example openSSL)and in Java use SSL/TLS to make communication. Do you have any good literature or website for beginners? – mydew Nov 01 '13 at 20:26

1 Answers1

1

As ntoskrnl commented, this is hard to do exactly right, even by the experts.

Here is a basic high-level look at the PKI you will need for an SSL connection:

  • A CA root key and corresponding self-signed certificate.
  • An intermediate CA key and certificate signed by the CA root key (this is optional).
  • A server identity key and certificate signed by either the intermediate CA or the CA root.
  • A client identity key and certificate signed by some CA that the server trusts. For your academic work, you may want this CA to be the same as the one you created. The client identity is only needed if you want to have 2-way (mutual) SSL, where the server authenticates the client.

A web service that is running on something like Tomcat that can be configured for SSL. On the server side, the identity would point to the server key certificate. For 2-way SSL, there would also be a list or keystore of trusted CA certs on the server. Unless a client's certificate was signed by one of those trusted CAs, the server would not allow the client to connect.

On the client side, you would also need a list or keystore of trusted CA certs, and the server's certificate would have to be signed by one of those CAs. The client ID key and certificate and trust keystore would be used by Java when establishing an SSL connection. If you search Stack Overflow, you should find plenty of Java SSL connection examples.

To create the PKI, OpenSSL is a good tool to use. Here is one helpful website:

https://pki-tutorial.readthedocs.org/en/latest/simple/index.html

For a key and its corresponding certificate, you first create a private key, then create a certificate signing request (CSR). The CSR is then signed by a CA key, and becomes a certificate. The certificate contains the public key that corresponds to the private key used to create the CSR.

For MAC, there's a Java example of HMAC here: HMAC-SHA1: How to do it properly in Java?

Community
  • 1
  • 1
gtrig
  • 12,550
  • 5
  • 28
  • 36
  • But I still don't catch few things. First of all as it was in "PKI tutorial" I use openSSL to make TLS CA and I can create client and server certificates, but client certs I want to do remotely (on the other computer user client must be able to make his own certificate). Now I can do all these things locally using openSSL commands. Let me explain what I think about my project: 1) server is linked with CA 2) server has a database of all users 3) server has it's own cert signed by CA 4) user (client) register to the server and gets it from server (cert is generated by CA) 5) users can connect ea – mydew Nov 02 '13 at 22:00
  • The client will use OpenSSL to create a private key and generate a CSR. The client will send the CSR to the CA. The CA, after verifying the client's identity will create and sign the certificate, and send the certificate back to the client. The client can then use the certificate together with the private key to establish an SSL connection to the server. – gtrig Nov 03 '13 at 21:44
  • Ok. I now understand - a little study on myself and your comment I think I will implement my project. Thank you. – mydew Nov 03 '13 at 22:19