Chapter 8: Java Implementation of Key Management
This chapter explores key stores, trust stores, trust managers, policy tools, and files. The SPI layer provides great flexibility for key management and the different tools provided by the JDK 1.4 provide a clear and interactive way to set properties. IntroductionKey management deals with the generation and distribution of keys. These keys could be a keypair consisting of both a private and public key, or a secret key used as both a public and private key. According to the FIPS 140-2, Security Requirements for Cryptographic Modules from the National Institute of Standards and Technology (NIST), cryptographic management includes random-number and key generation, key establishment, key distribution, key entry/output, key storage, and key zeroization. The JDK 1.4 supports these properties of cryptographic management by providing the ability to implement digital signatures, message digest algorithms, key generation algorithms, key factories, key store creation and management, algorithm parameter management, algorithm parameter generation, certificate factories, and Pseudo-Random Number Generators (PRNG). Each class is typically an engine class. It comprises a Service Provider Interface (SPI), in which at least one provider instance is distributed, and a factory that normally returns a getInstance( ) method on the cryptographic class with the normal parameter to pass in as the type of algorithm for the creation of the object. SPI OverviewRecall from Chapter 5 that the JDK 1.4 provides the Service Provider Interface (SPI) layer, which loads up the appropriate algorithms and protocols based on the parameters passed in through the Application Layer Interface (API). The provider implements the SPI layer, which is used by the abstract class for any of its implementations of the operations. Having an SPI layer gives organizations a layer to develop code that can still be used by the abstract class. An example is an organization that uses the JKS implementation and at later time decides to switch to a PKCS12 implementation for key stores because they want stronger security. Instead of changing all the implementation of the KeyStore (discussed in the next section of this chapter) functionality, they simply need to change the algorithm name that the getInstance( ) is calling and the underlying implementation that is interfacing to the SPI API.
The following classes are considered the engine classes, and to fully support a new provider instance, all these classes should have an extended SPI implementation if the developer wants to fully utilize the key store, signature classes, and key generation of the new type of key. These classes are Signature , MessageDigest , KeyPairGenerator , SecureRandom , KeyFactory , CertificateFactory , KeyStore , AlgorithmParameterGenerator, and AlgorithmParameters . The KeyStore class handles the management of keys; it stores the keys and certificates. How keys are stored and how they are accessed is just as important as the key itself. How many times have people saved confidential information to hard disk with access to it thinking that because it is physically nearby, it is safe? The KeyStore class, which usually saves information to a file, uses passwords and signatures to protect the information. This is discussed further later in this chapter.
 Java Security Solutions ISBN: 0764549286
EAN: 2147483647 Year: 2001
Pages: 222 Authors: Rich Helton, Johennie Helton
flylib.com © 2008-2017. If you may any questions please contact us: flylib@qtcs.net |
