|
Summary
This chapter discussed the concepts of IPSec and SASL. IPSec is a set of protocols that are used to secure the Internet Protocol for VPNs, IP version 4, and IP version 6. No discussion of network security would be complete without discussing the standards that are used to protect the current version of the Internet Protocol. The IPSec has defined protocols for secure key exchanges and secure messaging through the network. IPSec also provides tunneling, which provides the capability to proxy through firewalls. I started this chapter by looking at the Simple Key Management for Internet Protocols (SKIP), which led me to the
www.skip.org
, RFC 2356, and Sun's SunScreen product.
Many references that led to the SKIP disappeared after 1996 and were
replaced
by ISAKMP. ISAKMP is just one of the protocols that are part of the IPSec. The IPSec covers securing the Internet Protocol and provides multiple protocols working together to make up the IPSec. The SKIP protocol is just one protocol that makes up the secure key exchange. I
looked
for a while for any implementation of SKIP and found several examples from other books. Most of them did not implement a CDR, header, or other
components
of SKIP.
The IPSec was created to be used with Ipv4 and Ipv6 and is handled by many services at the hardware and device driver level. It is also important when generating IP services that talk at the network transport level, such as applications that use Java sockets, that they can support these protocols if the security is high. There are many other protocols that can be used to some degree in place of IPSec, such as SSL, TLS, and GSS-API, but hardware devices like routers, that IPSec supports, do not support these protocols.
No discussion can happen about authentication with Java without SASL. SASL is heavily used for authenticating LDAP servers and is used with JNDI authentications. SASL is a protocol for key transfer and authentication that can use different pluggable authentication mechanisms. SASL doesn't define the implementation like JAAS, and JAAS can be used as the implementation for SASL. SASL doesn't have to be used just for JNDI or LDAP, but can be used as an authentication protocol for any client-server connection.
|
| Chapter 7: Implementing Keys with Java In This Chapter This chapter describes the process that JDK 1.4 uses to generate keys and how the security provider creates key generators. Generating keys is the fundamental process when working with other protocols, such as JSSE and GSS, for encrypting and decrypting data. In this chapter, you learn some of the fundamental principles of generating keys, such as generating a random number that will assist in key generation. | | | | | |
|
Introduction
Just to recap from other chapters, key material is any material used to generate or retrieve a public key. Before understanding SSL, JSSE, or any other protocol that uses key material, the first step in Java is to understand how Java generates and
manages
key material. Some keys are generated and then are used in JSSE. Other keys, such as
Password Based Encryption
(PBE), are generated from a password and
salted
with a pass phrase.
|
Cross-Reference
|
For more detailed information on key algorithms, see Chapter 6.
|
The concept of a
salt
is to combine multiple inputs to generate a more complex key. For example, you salt a password by combining both the password and pass phrase, possibly in an XOR, to generate a more complex value to use as a key. A simple XOR algorithm (simple because it is easy to decrypt) is combining the bits to produce a different output.
|
Tip
|
Recall that when combining two bits, XOR produces a one value when the bits are different,
otherwise
it produces a zero.
|
The more complex the algorithm is for generating a key, the harder it becomes to decipher the key. Once a key algorithm and key material is deciphered for an organization, keys from the organization can be replicated. The
key material
is the material outside of the key algorithm itself that is used to generate the key. In the example of a password and pass phrase, the key material was the password and pass phrase. Other examples of key material may be a username that is used to look up a certificate in a keystore to pass certificates to JAAS and JSSE.
|
Cross-Reference
|
The keystore is demonstrated in Chapter 10.
|
{% if main.adsdop %}{% include 'adsenceinline.tpl' %}{% endif %}
Keys
are needed for any type of encryption. They are combined with a cryptographic algorithm to encrypt and decrypt messages.
Cryptographic algorithms
work such that if hackers do not possess the key, they cannot decrypt or re-encrypt a secret message. Java supports two types of keys:
asymmetric
and
symmetric
keys.
Asymmetric
keys are a combination of public and private keys where one cannot work without the other. Sometimes these keys are called a
key pair
because a public key and private key can only work together.
The public key is useless without the private key, and the private key is useless without the public key. The public key works only with its particular private key, and the private key works only with its particular public key. The private key is used to encrypt the message and is kept private from users
decrypting
the message. The public key is used to decrypt the message and is given to all users who want to read the encrypted message. The keys are kept apart from each other because the messages cannot be compromised unless both keys are captured.
Each key is a product of the other, meaning that the private key is a logarithmic value of the public key and the public key is the inverse of the
logarithmic
method of the private key.
Symmetric
keys are normally called secret keys.
A
secret key
is one that is shared among everyone in a
group
for both encrypting and decrypting the same data message. Before a key can be used in an algorithm, it must first be generated. Java provides a framework for supporting many encryption and key generating algorithms.
| | |