MASON ECE 636 - Implementation of Software Tools For The Medium-Size Certification Authority


Implementation of Software Tools For The Medium-Size Certification Authority
(Specification – Version 1)

Luu Pham – [email protected]
Hee Song – [email protected]
GMU – Mar. 2004

ECE 746 – Software Tools For Certification Authority
Luu Pham-Hee Song

Table of Contents

1. ABSTRACT
2. INTRODUCTION
3. DESIGN SPECIFICATIONS
   i. Languages, compiler, and platform to run the application
   ii. Main functions
   iii. Inputs/Outputs
4. TESTING AND SIMULATION PLAN
5. POTENTIAL CHANGE TO SPECIFICATION
6. PROJECT SCHEDULE
7. LITERATURE

4/24/2004 Page 2 of 8

1. ABSTRACT

The purpose of this project is to develop and implement software tools for a medium-size Certification Authority. KeyTool (Command Line Utility) and Java Cryptography Extension (JCE), which is a set of APIs and implementations of cryptographic functionality, will be used to generate and manage both keys and certificates. Java Secure Socket Extension (JSSE) is used to secure network communication. MySQL is used as the database engine; Apache and Tomcat serve as the web server and the web server – database interface.

2. INTRODUCTION

Integrity, Authenticity, Confidentiality, and Non-repudiation are essential requirements for exchanging information over the Internet, and they can be obtained using Public Key Cryptography. In a Public Key Infrastructure (PKI), a pair of keys, a public key and a private key, is computed and used for cryptographic processes. The public key, published in the public domain, is used to encrypt messages or to verify the digital signature of the sender. The private key, kept secret, is used to decrypt a message encrypted under the matching public key or to produce a digital signature.
Although a sender can obtain the public key of a given receiver from the public domain and securely send the receiver a private message carrying the sender's signature, the sender still needs to be sure that she/he is really communicating with the desired receiver. This means the sender needs to be sure that the public key she/he is using corresponds to the party she/he wants to talk to. Similarly, the receiver needs to verify that the signature corresponds to the right sender. A Certification Authority (CA) offers a solution to this problem: the CA can act as a Trusted Third Party that issues certificates for other entities (person, organization, business, or computer…).

The primary goal of this project is to use public-domain tools to implement a software tool that performs the functions of a Certification Authority for a medium-size group of users. Java Cryptography Extension (JCE), which is a set of APIs and implementations of cryptographic functionality, including hash functions, message authentication codes, encryption, and key and certificate management, will be used for the main processes of the Certification Authority. KeyTool (Command Line Utility) is also included to enable users to administer their own public/private keys and associated certificates for self-authentication. In addition, Java Secure Socket Extension (JSSE) is used to ensure security during communication over the Internet. MySQL is used as the database engine; Apache and Tomcat are used as the web server and database interface.

3. DESIGN SPECIFICATIONS

i. Languages, compiler, and platform to run the application

a. Languages: Java Cryptography Extension (JCE), which is a set of APIs and implementations of cryptographic functionality, and KeyTool (Command Line Utility) will be used to generate and manage both keys and certificates. Java Secure Socket Extension (JSSE) is used to secure network communication.

b. Public library: Public libraries may be used in this project as much as possible to reduce the workload of code implementation. MySQL is used as the database engine; Apache and Tomcat are used as the web server and the web server – database interface. Core Java libraries needed for JCE, JSSE, and the X.509 Certification Authority will be used for the project, such as: java.math.BigInteger, javax.net.ssl, java.security, java.security.interfaces, javax.crypto, java.security.cert, java.security.spec, javax.security.auth.x500, and iaik.x509

c. Platform: Web browser, web interface and Windows are the main platforms for the software tools.

ii. CA Hierarchy

The CA hierarchy and its communication security are shown in Figure 1 below.

Figure 1: CA Hierarchy and Security in Communication
[Figure not reproduced. Labels: Internet, CA Root, Local CA, User, OpenLDAP Directory, Database; connections marked SSL.]

iii. Main applications, software tools, and functions:

a. Main software tools needed for web-browser, web-server, and database:
+ Apache and Tomcat webserver version 4.0.2-b1
+ Servlet JSP and JDBC
+ MySQL

b. Main applications needed on Client site:
+ Microsoft CryptoAPI
+ Visual Basic – Scripting Edition (VBScript)

c. Java Cryptography Extension (JCE)
+ SSL Socket connection for CA-Root and CA-Local
+ Get Hash value using MD5 or SHA-1 for digital signature

d. KeyTool – Key and Certificate Management
+ Generate key pair and certificate.
+ Print, Store, Import and Export keys and certificate

e. Main functions needed for Directory Services:
+ Database access, retrieving, and searching
+ Database management such as: Add, Delete, and Update.

f. X.509 Certificates-Authentication procedure:
+ Processing Certification Authority applications for new users
+ Issue Public Key Certificate for end certified users
+ Publish signed Certificates in the CAs repository
+ Maintain Certificate Revocation List

g. Certificate revocation (subject to availability of time frame):
+ Perform all functions needed to check and maintain Certificate Revocation
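
The name-to-key binding that the introduction motivates, together with the issue and revocation functions listed above, as an added Java example built only on standard `java.security` calls; it is not the project's own code. The names `CaSignDemo`, `tbs`, `issue` and `accept`, the delimiter encoding and the in-memory revocation set are assumptions, and SHA-256 is used in place of the MD5/SHA-1 the specification names.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;

public class CaSignDemo {
    // Assumption: SHA-256 replaces the MD5/SHA-1 named in the spec (both are collision-broken).
    static final String SIG_ALG = "SHA256withRSA";

    static KeyPair newKeyPair() throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        return kpg.generateKeyPair();
    }

    // Bytes the CA signs: subject name, serial number and subject public key.
    // Real X.509 uses a DER encoding; this delimiter form is a simplification.
    static byte[] tbs(String subject, long serial, PublicKey subjectKey) {
        String key = Base64.getEncoder().encodeToString(subjectKey.getEncoded());
        return (subject + "|" + serial + "|" + key).getBytes(StandardCharsets.UTF_8);
    }

    // CA side: hash and sign the name-to-key binding with the CA private key.
    static byte[] issue(PrivateKey caKey, String subject, long serial, PublicKey subjectKey)
            throws GeneralSecurityException {
        Signature s = Signature.getInstance(SIG_ALG);
        s.initSign(caKey);
        s.update(tbs(subject, serial, subjectKey));
        return s.sign();
    }

    // Relying party: reject revoked serials, then verify the CA signature.
    static boolean accept(PublicKey caPub, String subject, long serial, PublicKey subjectKey,
                          byte[] sig, Set<Long> revoked) throws GeneralSecurityException {
        if (revoked.contains(serial)) return false;
        Signature s = Signature.getInstance(SIG_ALG);
        s.initVerify(caPub);
        s.update(tbs(subject, serial, subjectKey));
        return s.verify(sig);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPair ca = newKeyPair(), user = newKeyPair(), other = newKeyPair(); // constructed keys
        Set<Long> revoked = new HashSet<>();
        byte[] sig = issue(ca.getPrivate(), "CN=Alice", 1001L, user.getPublic());
        System.out.println(accept(ca.getPublic(), "CN=Alice", 1001L, user.getPublic(), sig, revoked));
        System.out.println(accept(ca.getPublic(), "CN=Alice", 1001L, other.getPublic(), sig, revoked));
        revoked.add(1001L);
        System.out.println(accept(ca.getPublic(), "CN=Alice", 1001L, user.getPublic(), sig, revoked));
    }
}
```

Run as written, the genuine binding is accepted, while the same signature presented with a different public key and the certificate whose serial has been revoked are both rejected.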

