Oracle Cryptographic Toolkit Programmer's Guide Release 2.0.3 A54082-01 |
|
This chapter discusses concepts behind the Oracle Cryptographic Toolkit. The following topics are discussed:
Following is a list of security concepts used in this document. Refer to Section 1.1.1, "Oracle Security Server Features" for an explanation of how these concepts apply to the Oracle Cryptographic Toolkit.
The recipient of an authenticated message can be certain of the message's origin (its sender). Authentication reduces the possibility that another person has impersonated the sender of the message.
The set of privileges available to an authenticated entity.
An entity's public key signed by a trusted identity (certificate authority) in the form of a certificate. This certificate gives assurance that the entity's information is correct and that the public key actually belongs to the entity.
An application that creates identities by signing public key certificates and stores them in a database or a repository. The certificate authority signature certifies that the information in the certificate is correct and the public key actually belongs to the entity.
A function of cryptography. Confidentiality guarantees that only the intended recipient(s) of a message can view the message (decrypt the ciphertext).
The act of writing and deciphering in a secret code resulting in secure messages.
The process of converting the contents of an encrypted message (ciphertext) back into its original readable format (plaintext).
A public key algorithm is used to sign the sender's message with the sender's private key. The digital signature means that the document is authentic, has not been forged by another entity, has not been altered, and cannot be repudiated by the sender.
The process of disguising the contents of a message and rendering it unreadable (ciphertext) to anyone but the intended recipient.
The guarantee that the contents of the message received were not altered from the contents of the original message sent.
Undeniable proof of the origin, delivery, submission, or transmission of a message.
The process where the sender of a message encrypts the message with the public key of the recipient. Upon delivery, the message is decrypted with the recipient's private key.
Each private key has an associated public key that anyone can access. Data encrypted with a public key can be decrypted with its associated private key and vice versa. However, data encrypted with a public key cannot be decrypted with a public key.
The ISO authentication framework uses public key cryptography (X.509 protocols). X.509 has a structure for public key certificates. This framework allows for authentication across networks to occur.
Following is a list of Oracle Cryptographic Toolkit concepts. Refer to Section 1.3, "Oracle Cryptographic Toolkit Functional Layers" for information on how these concepts are implemented.
A cryptographic engine (CE) is an implementation of cryptographic functions. The CE can be software based, such as RSA's BSAFE, or it can be hardware based, such as a FORTEZZA card.
A detached signature gives you the ability to manipulate the message independently of the signature for that message. Use a detached signature to sign an object that can be used with or without signature verification (for example, applets and database rows).
An entity is a person (physical or imaginary) or a process.
Enveloping is the process of digitally signing a message for authentication and encrypting the message with the recipient's public key for privacy. It provides both sender verification and message privacy.
An identity is composed of the public key and any other public information for an entity. The public information may include user identification data: an e-mail address, for example.
A persona is the combination of an identity (public information) and its associated private information. A persona's type is inherited from that persona's identity. A persona is always protected by a password associated with the wallet.
The personal resource locator (PRL) acts as a reference to a group composed of a persona, its self-identity, and its trusted identities. It is a string in the format:
type:parameters
where type is one of the defined persona types and parameters is 0 or more parameters necessary to access the persona. The platform specific PRL can be specified with:
default:
to indicate that the persona is contained inside the wallet and can provide an additional protection key that is specific for this persona.
Note:
The value of the platform specific PRL above is |
A protection set is a list of tuples (elements) in the form ((cryptographic-function-1, format, algorithm(s), parameter(s)) (cryptographic-function-2, format, algorithm(s), parameter(s)), ...). It represents the current set of algorithms and message formats to be used with the cryptographic functions.
Recipient Oriented Encryption is the process of encrypting a message with a randomly generated symmetric key and then encrypting the encrypted message with the public key of the recipient.
See "Digital Signature".
Symmetric Encryption is an encryption method where both of the communicating parties agree on a secret key (or algorithm) that can be used to both encrypt and decrypt a message.
A toolkit data unit (TDU) is an encoding of possibly formatted and/or cryptographically altered data that is created by an application using the Oracle Cryptographic Toolkit. The TDU is usually transferred to another application that, in turn, uses the Oracle Cryptographic Toolkit to decrypt the TDU back into data. The TDU is the message granularity of the Oracle Cryptographic Toolkit, and it is transport independent.
A trust point is a third party identity contained within a persona that is qualified with a level of trust. The trust point is used when an identity is being validated as the entity it claims to be.
A wallet implements the storage and retrieval of credentials for use with various cryptographic services. It represents a storage facility that is location and type transparent once it is opened. A Wallet Resource Locator provides all the necessary information to locate the wallet.
A Wallet Resource Locator (WRL) is a string in the format:
type:parameters
where type is one of the defined wallet types and parameters is 0, or more, parameters necessary to access the wallet. The platform specific WRL can be specified with:
default:
to quickly access the default wallet.
Note:
The value of the platform specific WRL above is |