Oracle Cryptographic Toolkit Programmer's Guide
Release 2.0.3

A54082-01

Library

Product

Contents

Index

Prev Next

3
Concepts

This chapter discusses concepts behind the Oracle Cryptographic Toolkit. The following topics are discussed:

3.1 Security Concepts

Following is a list of security concepts used in this document. Refer to Section 1.1.1, "Oracle Security Server Features" for an explanation of how these concepts apply to the Oracle Cryptographic Toolkit.

Authentication

The recipient of an authenticated message can be certain of the message's origin (its sender). Authentication reduces the possibility that another person has impersonated the sender of the message.

Authorization

The set of privileges available to an authenticated entity.

Certificate

An entity's public key signed by a trusted identity (certificate authority) in the form of a certificate. This certificate gives assurance that the entity's information is correct and that the public key actually belongs to the entity.

Certificate Authority

An application that creates identities by signing public key certificates and stores them in a database or a repository. The certificate authority signature certifies that the information in the certificate is correct and the public key actually belongs to the entity.

Confidentiality

A function of cryptography. Confidentiality guarantees that only the intended recipient(s) of a message can view the message (decrypt the ciphertext).

Cryptography

The act of writing and deciphering in a secret code resulting in secure messages.

Decryption

The process of converting the contents of an encrypted message (ciphertext) back into its original readable format (plaintext).

Digital Signature

A public key algorithm is used to sign the sender's message with the sender's private key. The digital signature means that the document is authentic, has not been forged by another entity, has not been altered, and cannot be repudiated by the sender.

Encryption

The process of disguising the contents of a message and rendering it unreadable (ciphertext) to anyone but the intended recipient.

Integrity

The guarantee that the contents of the message received were not altered from the contents of the original message sent.

Non-repudiation

Undeniable proof of the origin, delivery, submission, or transmission of a message.

Public-Key Encryption

The process where the sender of a message encrypts the message with the public key of the recipient. Upon delivery, the message is decrypted with the recipient's private key.

Public/Private Key Pair

Each private key has an associated public key that anyone can access. Data encrypted with a public key can be decrypted with its associated private key and vice versa. However, data encrypted with a public key cannot be decrypted with a public key.

X.509

The ISO authentication framework uses public key cryptography (X.509 protocols). X.509 has a structure for public key certificates. This framework allows for authentication across networks to occur.

3.2 Oracle Cryptographic Toolkit Concepts

Following is a list of Oracle Cryptographic Toolkit concepts. Refer to Section 1.3, "Oracle Cryptographic Toolkit Functional Layers" for information on how these concepts are implemented.

Cryptographic Engine

A cryptographic engine (CE) is an implementation of cryptographic functions. The CE can be software based, such as RSA's BSAFE, or it can be hardware based, such as a FORTEZZA card.

Detached Signature

A detached signature gives you the ability to manipulate the message independently of the signature for that message. Use a detached signature to sign an object that can be used with or without signature verification (for example, applets and database rows).

Entity

An entity is a person (physical or imaginary) or a process.

Enveloping

Enveloping is the process of digitally signing a message for authentication and encrypting the message with the recipient's public key for privacy. It provides both sender verification and message privacy.

Identity

An identity is composed of the public key and any other public information for an entity. The public information may include user identification data: an e-mail address, for example.

Persona

A persona is the combination of an identity (public information) and its associated private information. A persona's type is inherited from that persona's identity. A persona is always protected by a password associated with the wallet.

Personal Resource Locator

The personal resource locator (PRL) acts as a reference to a group composed of a persona, its self-identity, and its trusted identities. It is a string in the format:

type:parameters

where type is one of the defined persona types and parameters is 0 or more parameters necessary to access the persona. The platform specific PRL can be specified with:

default:

to indicate that the persona is contained inside the wallet and can provide an additional protection key that is specific for this persona.

Note:

The value of the platform specific PRL above is default, because only the default wallet is supported in this release of the Oracle Cryptographic Toolkit.  

Protection Set

A protection set is a list of tuples (elements) in the form ((cryptographic-function-1, format, algorithm(s), parameter(s)) (cryptographic-function-2, format, algorithm(s), parameter(s)), ...). It represents the current set of algorithms and message formats to be used with the cryptographic functions.

Recipient Oriented Encryption

Recipient Oriented Encryption is the process of encrypting a message with a randomly generated symmetric key and then encrypting the encrypted message with the public key of the recipient.

Signature

See "Digital Signature".

Symmetric Encryption

Symmetric Encryption is an encryption method where both of the communicating parties agree on a secret key (or algorithm) that can be used to both encrypt and decrypt a message.

Toolkit Data Unit

A toolkit data unit (TDU) is an encoding of possibly formatted and/or cryptographically altered data that is created by an application using the Oracle Cryptographic Toolkit. The TDU is usually transferred to another application that, in turn, uses the Oracle Cryptographic Toolkit to decrypt the TDU back into data. The TDU is the message granularity of the Oracle Cryptographic Toolkit, and it is transport independent.

Trust Point

A trust point is a third party identity contained within a persona that is qualified with a level of trust. The trust point is used when an identity is being validated as the entity it claims to be.

Wallet

A wallet implements the storage and retrieval of credentials for use with various cryptographic services. It represents a storage facility that is location and type transparent once it is opened. A Wallet Resource Locator provides all the necessary information to locate the wallet.

A Wallet Resource Locator (WRL) is a string in the format:

type:parameters

where type is one of the defined wallet types and parameters is 0, or more, parameters necessary to access the wallet. The platform specific WRL can be specified with:

default:

to quickly access the default wallet.

Note:

The value of the platform specific WRL above is default, because only the default wallet is supported in this release of the Oracle Cryptographic Toolkit.  




Prev

Next
Oracle
Copyright © 1997 Oracle Corporation.

All Rights Reserved.

Library

Product

Contents

Index