Chapter 1 Security Concepts
To maintain secure communications between a client and host, public-key cryptography techniques are used for:
Unencrypted messages are known as plain text. Encoding the contents of a message is called encryption. This encrypted message is the cipher text. Decryption is the process of retrieving the plain text from the cipher text. A key is usually required to perform encryption and decryption. A CipherSuite defines the parameters and methods supported by both the client and server that perform the encryption and decryption.
Public-key encryption uses a pair of keys for encryption and decryption. One key is secret (the private key) and the other is distributed (the public key). You send your digitally signed public key (certificate) to anyone with whom you wish to communicate using encoded data.
Messages that are sent to you are encrypted with your distributed public key and decrypted with your private key, while messages sent by you are encrypted with your private key and decrypted with your distributed public key. RSA encryption is a widely used public-key encryption system.
For more information on RSA and public-key encryption, see the RSA Web site.
Public-key certificates provide a method to identify and authenticate clients and servers on the Internet. Public-key certificates are administered and issued by a third party known as a certification authority (CA). A subject (individual, system, or other entity on the network) uses a program to generate a key pair and submits the public key to the CA along with identifying information (such as name, organization, e-mail address, and so on). This is known as a certificate request. The CA issues a digitally signed certificate. A digital signature is a block of data that is created using a private key.
The CA ties the certificate owner to the public key within the certificate. The subject then uses the certificate, along with his private key, to establish his identity. Once this is done, whomever the subject is communicating with knows that a third party has vouched for his identity.
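As an added illustration (not part of the Sybase manual), the following Python sketch implements textbook RSA with toy-sized primes to show the operations the preceding paragraphs describe: encrypting with the distributed public key and decrypting with the private key, creating a digital signature with the private key and checking it with the public key, and a CA signing a subject's name together with its public key to issue a certificate. The function names, the toy primes and the pipe-delimited certificate body are assumptions made for teaching; real deployments use 2048-bit keys, padding schemes such as OAEP and PSS, and X.509 certificates.

```python
import hashlib
from math import gcd

def make_keypair(p, q, e=65537):
    """Derive ((n, e), (n, d)) from two primes p and q (toy sizes here)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be coprime to phi(n)"
    d = pow(e, -1, phi)  # private exponent: e * d == 1 (mod phi), Python 3.8+
    return (n, e), (n, d)

def encrypt(public_key, m):
    """Anyone holding the distributed public key can encrypt: c = m^e mod n."""
    n, e = public_key
    assert 0 <= m < n, "plain text block must be smaller than the modulus"
    return pow(m, e, n)

def decrypt(private_key, c):
    """Only the private-key holder recovers the plain text: m = c^d mod n."""
    n, d = private_key
    return pow(c, d, n)

def digest(message, n):
    """Hash the message and reduce the value into the modulus range."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(private_key, message):
    """A digital signature: a block of data created with the private key."""
    n, d = private_key
    return pow(digest(message, n), d, n)

def verify(public_key, message, signature):
    """Anyone with the signer's public key can check the signature."""
    n, e = public_key
    return pow(signature, e, n) == digest(message, n)

def issue_certificate(ca_private_key, subject_name, subject_public_key):
    """The CA ties the subject's name to its public key by signing both."""
    n, e = subject_public_key
    body = f"{subject_name}|{n}|{e}".encode()  # simplified stand-in for X.509
    return body, sign(ca_private_key, body)

# Constructed toy primes for a demo key pair (real keys use ~1024-bit primes).
SUBJECT_PUB, SUBJECT_PRIV = make_keypair(104729, 1299709)
```

A relying party that trusts the CA's public key can check the certificate body with `verify`, and then check anything the subject signs with the public key carried in that body.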
The process requires these steps:
SSL provides security for network connections. Specifically, SSL uses public-key encryption to provide:
Packets for other protocols can be embedded inside of SSL packets. A connection in which the application protocol is embedded inside of SSL is an SSL-tunnelled connection.
Both IIOP and HTTP can be tunnelled inside SSL, which means that these protocols take advantage of SSL security features. For example, HTTPS connections embed HTTP packets inside of SSL packets. Your Web browser creates a secure HTTP connection any time you load a page from a URL that begins with "https:".
See the following SSL-related chapters:
Copyright © 2002 Sybase, Inc. All rights reserved.