From: Arshad N. <ars...@st...> - 2013-04-15 21:06:19
Parveez,

You are mixing up two different business requirements into a single technology. The requirement to generate symmetric keys and manage them securely is part of a discipline called Symmetric Key Management; the requirement to generate and manage asymmetric keys/digital certificates is the Public Key Infrastructure. There is, currently, no single product that handles both capabilities out-of-the-box on a large-scale basis. The JCE KeyStore - which can store both types of objects - is useful only on an individual scale.

While EJBCA is the appropriate technology choice for the PKI part of your requirements, managing symmetric keys is a little complex because there are different ways of solving that problem. Our company alone provides three different (free and open-source) ways of dealing with the SKM problem:

- By generating keys on the KM server and handing them out to clients with policies (http://sourceforge.net/projects/strongkey/), although this software is a little dated;
- By generating keys in your application (or on a middle-ware machine as a web-service provider) using default key-use policies, and sending the key to a KM vault for secure escrow/recovery (http://sourceforge.net/projects/skce/); and
- By not dealing with cryptography at all in your application and just sending structured data-elements (Credit Card Numbers, Bank A/C numbers) to a central KM vault where the data is encrypted, tokenized and held in escrow until you retrieve it. There are many advantages to this method in that it removes your applications from audit-scope for regulatory compliance around cryptography/KM; but it doesn't preclude you from using Option #2 at the same time too.

So, while the asymmetric key-management problem gives you one choice - PKI (thanks to standardization), you need to determine how you want your applications to deal with encryption and/or symmetric keys, before you decide which SKM path to choose.

Hope that helps.

Arshad Noor
StrongAuth, Inc.
On 04/15/2013 11:09 AM, parveez basha mohammad wrote:
> Dear Yousif Hussin,
>
> Thanks for your reply.
>
> Actually I have a Java Application that would be interacting with PKI tool (EJBCA) through the provided interfaces. The EJBCA would generate Symmetric Key and save it in Keystore (mapped by some alias). My Java Application would fetch the Symmetric Key from EJBCA using the alias. Similarly EJBCA would generate the Asymmetric Keys and save the same in Keystore and my Java Application would fetch the same based on alias.
>
> Coming to Digital Certificate. The Java Application has to manage Digital Certificates provided by my Project clients. It would use the EJBCA for managing these certificates. The certificates would be passed to the EJBCA. EJBCA should save them in KeyStore (managed by EJBCA) mapped with alias, also notify if the Certificate is going to expire in near future. Also the Java Application has to create a new Key Pair and generate a new Digital Certificate with Public Key and Signature Details. It would be using EJBCA for this. In future I have to share the generated Digital Certificate with my client. I should be able to send the same.
>
> Could you please confirm my understanding?
>
> Thanks and Regards,
> Parveez
>
> On Mon, 15 Apr 2013 21:46:59 +0530 wrote
> > Dear Parveez,
> >
> > Firstly, since you know that EJBCA is used for PKI systems, you should be familiar with the fact that PKI is a system to manage the Digital Certificate. Starting from your last question, the certificate always contains the Public Key. In fact the Digital Certificate is the binding of the public key to one's identity.
> >
> > Using EJBCA, you can generate Asymmetric keys and sign a Digital Certificate. As for the "saving" of the keys (I'll assume you're talking about the Private Keys), yes you can enable the option of backing up the key. But then it's important to note that you'd better back up Encryption Keys but not Signing Keys. The signing Key should always be with the owner of the key only for non-repudiation purposes.
> >
> > Best Regards;
> > Yousif Hussin
> >
> > On Mon, Apr 15, 2013 at 5:33 PM, parveez basha mohammad wrote:
> > > Dear All,
> > >
> > > I am planning to use EJBCA as PKI tool. Below are some queries:
> > >
> > > Can it generate Symmetric Key and Asymmetric Key (Public Key/Private Key)?
> > > Will it take care of saving and retrieving of generated Symmetric and Asymmetric Keys?
> > > Will it generate Certificate based on the Public Key?
> > >
> > > Thanks and Regards,
> > > Parveez
> > >
> > > _______________________________________________
> > > Ejbca-develop mailing list
> > > Ejb...@li...
> > > https://lists.sourceforge.net/lists/listinfo/ejbca-develop
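Two points in the thread are easy to see in code: Arshad's remark that a JCE KeyStore can hold both a symmetric key and an asymmetric key pair (one alias each), and Yousif's rule that encryption keys may be backed up while signing keys must stay with their owner. The Java program below is an added example written for this thread; it is not code from EJBCA, StrongAuth, or any of the posters. It assumes BouncyCastle (bcprov and bcpkix) is on the classpath for building self-signed certificates, which stand in for certificates a CA such as EJBCA would issue. The alias names, the keystore file name, the password and the `selfSigned`/`eligibleForEscrow` helpers are all constructed for the demonstration. The escrow decision is driven by the certificate's KeyUsage extension rather than by the alias name, so the policy cannot be bypassed by mislabelling an entry.

```java
import java.io.FileOutputStream;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class KeyStoreEscrowDemo {
    // Constructed demo values; a real deployment takes these from configuration.
    static final char[] PASSWORD = "demo-password".toCharArray();
    static final String KEYSTORE_FILE = "demo-keys.p12";

    // Hypothetical helper: self-signed certificate carrying the given KeyUsage bits.
    // In production the certificate would be issued by the CA (e.g. EJBCA) instead.
    static X509Certificate selfSigned(KeyPair kp, String cn, int keyUsageBits) throws Exception {
        X500Name name = new X500Name("CN=" + cn);
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + 365L * 24 * 60 * 60 * 1000);
        X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                name, BigInteger.ONE, notBefore, notAfter, name, kp.getPublic());
        builder.addExtension(Extension.keyUsage, true, new KeyUsage(keyUsageBits));
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(kp.getPrivate());
        return new JcaX509CertificateConverter().setProvider("BC").getCertificate(builder.build(signer));
    }

    // Escrow policy: a private key may be backed up only if its certificate permits
    // encipherment and carries no digitalSignature/nonRepudiation usage.
    // getKeyUsage() index layout (RFC 5280 bit order): 0 digitalSignature,
    // 1 nonRepudiation, 2 keyEncipherment, 3 dataEncipherment, ...
    static boolean eligibleForEscrow(X509Certificate cert) {
        boolean[] ku = cert.getKeyUsage();
        if (ku == null) return false;          // no KeyUsage extension: refuse by default
        boolean encipherment = ku[2] || ku[3];
        boolean signing = ku[0] || ku[1];
        return encipherment && !signing;
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());

        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);                   // start with an empty keystore
        KeyStore.ProtectionParameter prot = new KeyStore.PasswordProtection(PASSWORD);

        // 1. Symmetric key (the SKM side): stored as a SecretKeyEntry under its own alias.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey dataKey = kg.generateKey();
        ks.setEntry("aes-data-key", new KeyStore.SecretKeyEntry(dataKey), prot);

        // 2. Asymmetric keys (the PKI side): private key plus certificate chain per alias,
        //    one pair for encryption and a separate pair for signing.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair encPair = kpg.generateKeyPair();
        KeyPair sigPair = kpg.generateKeyPair();
        X509Certificate encCert = selfSigned(encPair, "app-encryption",
                KeyUsage.keyEncipherment | KeyUsage.dataEncipherment);
        X509Certificate sigCert = selfSigned(sigPair, "app-signing",
                KeyUsage.digitalSignature | KeyUsage.nonRepudiation);
        ks.setKeyEntry("rsa-encryption", encPair.getPrivate(), PASSWORD, new Certificate[]{encCert});
        ks.setKeyEntry("rsa-signing", sigPair.getPrivate(), PASSWORD, new Certificate[]{sigCert});

        try (FileOutputStream out = new FileOutputStream(KEYSTORE_FILE)) {
            ks.store(out, PASSWORD);
        }

        // 3. Apply the backup policy to every key entry. A SecretKeyEntry has no
        //    certificate (getCertificate returns null); symmetric data keys are
        //    encryption keys and go to the escrow vault.
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;
            Certificate c = ks.getCertificate(alias);
            boolean backup = (c == null) || eligibleForEscrow((X509Certificate) c);
            System.out.printf("%-16s %s%n", alias,
                    backup ? "ESCROW" : "KEEP WITH OWNER (signing key)");
        }
    }
}
```

Run with bcprov and bcpkix on the classpath; the AES data key and the RSA encryption key are reported as eligible for escrow, the RSA signing key is not. Note that a single RSA key whose certificate carries both encipherment and signature bits is also refused, which is the right default: if a key is ever used for signatures, a backup copy undermines the non-repudiation argument Yousif makes.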