From: Arshad N. <ars...@st...> - 2013-04-16 16:53:38
|
Once again, you're a little confused about what a PKI does and what you're looking for. While a PKI is essential to issuing and managing large numbers of digital certificates, its not intended to be used as a repository for applications to retrieve private-keys at will to decrypt data sent by application users. If I understand your use-case correctly, you're looking to register users into your application, perhaps issue them digital certificates (with private-keys) and then use that digital certificate to verify signatures performed by them and decrypt content they might send you. While a PKI can definitely be used to issue the certificate with the private-key, and while the PKI can also be used to escrow the private-key, you don't necessarily want to use the PKI to constantly retrieve the private key to decrypt content since that is really in the realm of "use of certificates" as opposed to "issuance and management of certificates". While you can publish your digital certificates to an LDAP directory to retrieve them at-will and verify signatures, you need something else to retrieve private-keys by applications for decrypting objects and content sent by application users. You can technically use your application database to store the P12 files in the user-record if you want to, but, then you cannot rely on the private-key within this P12 for signing operations, since you also have a copy. You will want to issue two types of certs, one for signing where you do NOT generate/store the private-key anywhere in your infrastructure, and one for encryption operations where you DO want to generate/issue the private-key with the cert. If you want more security to store the P12's instead of relying upon your application database, there are products out there - including one from our company - that can store sensitive objects like keys, P12, data, etc. in a "vault" under strong and hardware cryptographic control. But, that's a separate discussion - and I certainly do not want to hijack an EJBCA forum for that. All this is getting fairly complex for a public forum; my strong recommendation is to read a book - Secure Electronic Commerce - by Warwick Ford and Michael Baum, and then design your application. After you've had a chance to read that, if you have more questions on PKI, this forum can provide answers; but if you have other application-related questions, contact me directly. Arshad Noor StrongAuth, Inc. On 04/16/2013 05:57 AM, parveez basha mohammad wrote: > Thanks Arshad Noor for your reply. > I would be using PKI Tool(EJBCA) Admin UI for creating Asymmetric > KeyPair and generating Digital Certificate for the public key.Along with > this I would be saving Digital Certificate shared by my Project Clients > in PKI Tool. > > I understand EJBCA has interfaces for fetching Digital Certificates and > Private Key. > > In my Project the requirement is to fetch the Asymmetric Key(+ > Algorithm) from PKI tool for decrypting the data. > Also I have to fetch the Digital Certificate from PKI Tool for > retrieving the Public Key/Signature Algorithm for non-repudation. > > Can you please tell me the available interface for the above.And when I > create a Keypair or save a DigitalCertificate will the EJBCA tool > returns some alias string which I can use in future to retrieve the > Keys/DigitalCertificate. > Regards, > Parveez > > > > > On Tue, 16 Apr 2013 02:36:43 +0530 wrote > >Parveez, > > > > You are mixing up two different business requirements into a single > > technology. > > > > The requirement to generate symmetric keys and manage them securely > > is part of a discipline called Symmetric Key Management; the > > requirement to generate and manage asymmetric keys/digital certificates > > is the Public Key Infrastructure. There is, currently, no single > > product that handles both capabilities out-of-the-box on a large-scale > > basis. The JCE KeyStore - which can store both types of objects - is > > useful only on an individual scale. > > > > While EJBCA is the appropriate technology choice for the PKI part of > > your requirements, managing symmetric keys is a little complex because > > there are different ways of solving that problem. Our company alone > > provides three different (free and open-source) ways of dealing with > > the SKM problem: > > > > - By generating keys on the KM server and handing them out to clients > > with policies (http://sourceforge.net/projects/strongkey/) although > > this software is a little dated; > > > > - By generating keys in your application (or on a middle-ware machine > > as a web-service provider) using default key-use policies, and > > sending the key to a KM vault for secure escrow/recovery > > (http://sourceforge.net/projects/skce/); and > > > > - By not dealing with cryptography at all in your application and just > > sending structured data-elements (Credit Card Numbers, Bank A/C > > numbers) to a central KM vault where the data is encrypted, tokenized > > and held in escrow until you retrieve it. There are many advantages > > to this method in that it removes your applications from audit-scope > > for regulatory compliance around cryptography/KM; but it doesn't > > preclude you from using Option #2 at the same time too. > > > > So, while the asymmetric key-management problem gives you one choice - > > PKI (thanks to standardization), you need to determine how you want > > your applications to deal with encryption and/or symmetric keys, > > before you decide which SKM path to choose. > > > > Hope that helps. > > > > Arshad Noor > > StrongAuth, Inc. > > > > On 04/15/2013 11:09 AM, parveez basha mohammad wrote: > > > > > > Dear Yousif Hussin, > > > Thanks for your reply > > > Actually I have a Java Application that would be interacting with PKI > > > tool(EJBCA)through the > > > provided interfaces. > > > The EJBCA would generate Symmetric Key and save it in Keystore(mapped by > > > some alias). > > > My Java Application would fetch the Symmetric Key from EJBCA using the > > > alias. > > > Similary EJBCA would generate the Asymmetric Keys and save the same in > > > Keystore and my Java > > > Application would fetch the same based on alias. > > > > > > Coming to Digital Certificate.The Java Application has to manage Digital > > > Certificates provided > > > by my Project clients.It would use the EJBCA for managing these > > > certificates.The certificates > > > would be passed to the EJBCA.EJB CA should save them in KeyStore(manged > > > by EJBCA) mapped with > > > alias,also notify if the Certificate is going to expire in near future. > > > Also the Java Application has to create a new Key Pair and generate a > > > new Digital Certificate > > > with Public Key and Signature Details.It would be using EJBCA for > > > this.In future I have to > > > share the generated Digital Certificate with my client.I should be able > > > to send the same. > > > > > > could you please confirm my understanding? > > > > > > Thanks and Regards, > > > Parveez > > > On Mon, 15 Apr 2013 21:46:59 +0530 wrote > > > >Dear Parveez, > > > Firstly, since you know that EJBCA is used for PKI systems, you should > > > be familiar with the > > > fact that PKI is a system to manage the Digital Certificate. Starting > > > from your last question, > > > the certificate always contains the Public Key. In fact the Digital > > > Certificate is the binding > > > of the public key to one's identity. > > > > > > Using EJBCA, you can generate Asymmetric keys and sign a Digital > > > Certificate. > > > As for the "saving" of the keys (I'll assume you're talking about the > > > Private Keys), yes you > > > can enable the option of backing up the key. But then it's important to > > > note that you'd better > > > back up Encryption Keys but not Signing Keys. The signing Key should > > > always be with the owner > > > of the key only for non-repudiation purposes. > > > > > > Best Regards;Yousif Hussin > > > > > > On Mon, Apr 15, 2013 at 5:33 PM, parveez basha mohammad wrote: > > > > > > Dear All, > > > > > > I am planning to use EJBCA as PKI tool.Below are some queries > > > > > > > > > > > > Can it generate Symmetric Key and Asymmetric Key(Public Key/Private Key) > > > > > > Will it takes care of saving and retrieving of generated Symmetric and > > > ASymmetric Keys. > > > > > > > > > > > > Will it generate Certicate based on the Public Key > > > > > > Thanks and Regards, > > > > > > Parveez > > > > > > > > > Get your own FREE website and domain with business email solutions, > > > click here > > > > > > > ------------------------------------------------------------------------------ > > > > > > Precog is a next-generation analytics platform capable of advanced > > > > > > analytics on semi-structured data. The platform includes APIs for > building > > > > > > apps and a phenomenal toolset for data science. Developers can use > > > > > > our toolset for easy data analysis & visualization. Get a free account! > > > > > > http://www2.precog.com/precogplatform/slashdotnewsletter > > > _______________________________________________ > > > > > > Ejbca-develop mailing list > > > > > > Ejb...@li... > > > > > > https://lists.sourceforge.net/lists/listinfo/ejbca-develop > > > > > > > > > > > > > > > > ------------------------------------------------------------------------------ > > > > > > Precog is a next-generation analytics platform capable of advanced > > > > > > analytics on semi-structured data. The platform includes APIs for > building > > > > > > apps and a phenomenal toolset for data science. Developers can use > > > > > > our toolset for easy data analysis & visualization. Get a free account! > > > > > > http://www2.precog.com/precogplatform/slashdotnewsletter > > > _______________________________________________ > > > > > > Ejbca-develop mailing list > > > > > > Ejb...@li... > > > > > > https://lists.sourceforge.net/lists/listinfo/ejbca-develop > > > > > > > > > > > > > > > Get your own *FREE* website and domain with business email solutions, > > > click here > > > > > > > > > > > > > ------------------------------------------------------------------------------ > > > Precog is a next-generation analytics platform capable of advanced > > > analytics on semi-structured data. The platform includes APIs for > building > > > apps and a phenomenal toolset for data science. Developers can use > > > our toolset for easy data analysis & visualization. Get a free account! > > > http://www2.precog.com/precogplatform/slashdotnewsletter > > > > > > > > > > > > _______________________________________________ > > > Ejbca-develop mailing list > > > Ejb...@li... > > > https://lists.sourceforge.net/lists/listinfo/ejbca-develop > > > > > > > ------------------------------------------------------------------------------ > > Precog is a next-generation analytics platform capable of advanced > > analytics on semi-structured data. The platform includes APIs for building > > apps and a phenomenal toolset for data science. Developers can use > > our toolset for easy data analysis & visualization. Get a free account! > > http://www2.precog.com/precogplatform/slashdotnewsletter > > _______________________________________________ > > Ejbca-develop mailing list > > Ejb...@li... > > https://lists.sourceforge.net/lists/listinfo/ejbca-develop > > > <http://sigads.rediff.com/RealMedia/ads/click_nx.ads/www.rediffmail.com/signatureline.htm@Middle?> > > > Get your own *FREE* website and domain with business email solutions, > click here > <http://track.rediff.com/click?url=___http://hosting.rediff.com/rediffmailpro/business-email?sc_cid=sig___&cmp=sig&lnk=sig&nsrv1=host> > > > ------------------------------------------------------------------------------ > Precog is a next-generation analytics platform capable of advanced > analytics on semi-structured data. The platform includes APIs for building > apps and a phenomenal toolset for data science. Developers can use > our toolset for easy data analysis & visualization. Get a free account! > http://www2.precog.com/precogplatform/slashdotnewsletter > > > > _______________________________________________ > Ejbca-develop mailing list > Ejb...@li... > https://lists.sourceforge.net/lists/listinfo/ejbca-develop > |