بسم اهلل الرمحن الرحيم
International University of Africa Faculty of Computer Studies Department of Computer Science
Graduation Project Title
Supervised by: Mr. Mohamed Dewa Waziri
Prepared by: Muhedin Abdullahi Mohamed
August 2008
High above is Allah, the king, the truth! Be not in haste with the Qur-an before its revelation to thee is completed, but say "O my Lord! Increase me in knowledge. Surat Ta-ha, Ayah:114
ii
Dedication To
my
beloved
parents,
who
brought me up, encouraged and supported throughout my life in education and knowledge?
To students who are interested in the field of computer science. Muhedin Abdullahi Mohamed
iii
Acknowledgements All thanks to the Almighty Allah whose mercy we live and whose guidance we are Muslims. After that I would like to thank all people who participated in the achievement of this project from the days it was a concept to its current form. My deep thanks to my parents who encouraged and stand with me all the time. Special thanks to the International University of Africa for giving me the scholarship of which without it I could not write this research Final thanks to my supervisor Mr. Mohamed Dewa Waziri who helped me in collecting, supervising and reviewing this project.
Muhedin Abdullahi Mohamed
iv
Abstract Public Key Infrastructure (PKI) is a computer technology which facilitates secure exchange of information between individuals through computer systems. The system permits trusted parties such as a bank, to issue Digital Certificates to people that need to trust each other. The technology generally operates with the IP address. The purpose of the certificates is for holders to prove their identity. It is possible for them to also digitally sign transactions and documents. Authenticity of the transaction is substantiated by the signature and also proves that the data exchanged has not been tampered with or changed. The concept of the PKI is often summarized into five concepts. First, Authentication assures that the persons or resources involved in a networked communication have been identified correctly. Second, Authorization assures that persons and systems have the proper permissions to perform the requested activities. Third, Data integrity assures that the content has not been altered, either on purpose or by accident. Fourth, Confidentiality assures that the content is available only to the intended audience and fifth, Non-repudiation assures that the signer of a message cannot later deny signing it. In this project we explained the necessary cryptographic backgrounds of the public key infrastructure. Further details of the public key infrastructure, its basic components and protocols are introduced. We finally implemented a prominent PKI protocol (SSL protocol) by using java programming language.
v
Table of Contents
Pages
A Verse ………………………………………………………………. ii Dedication …………………………………………………………….iii Acknowledgments.…………………………………………………….iv Abstract ………………………………………………………………..v Table of Contents ……………………………………………………..vi Table of Figures ……………………………………………………… viii
Chapter One:
Basic Cryptographic Concepts
1.1 Introduction……………………….…………..……………………2 1.2 What is cryptography?.......................................................................3 1.3 Types of cryptography…………………….…..……………………5 1.3.1 Private Key cryptography………………………………………...6 1.3.2 Public Key cryptography ……………………………………..10 1.3.3 Hash functions………………………………………………..14 1.4 Digital cryptography basics………………………………………..18 1.4.1 Message digests……………………………………………….18 1.4.2 Message authentication codes………………………………..21 1.4.3 Digital signatures…………………………………………….23 1.5 Cryptanalysis……………………………………………………….25 1.5.1 Classical cryptanalysis……………………………………….26 1.5.2 Modern cryptanalysis………………………………………..26 1.6 Key concept………………………………………………………..28 1.6.1 Key management…………………………………………….28 1.6.2 Key distribution………………………….…………………..29 1.6.3 Key protection…………………………….…………………32
vi
Chapter Two: Public Key Infrastructure 2.1 Introduction………………………………………………………34 2.2 What does the e-commerce mean?.................................................35 2.3 Certificates……………………………………………………….37 2.4 PKI components…………………………………………………40 2.4.1 Certificate Authority (CA)…………………………………40 2.4.2 Certificate Revocation …………………………………….43 2.4.3 Registration Authority……………………………………..45 2.5 PKI management functions…………….………………………..46 2.6 PKI security services…………………….………………………48 2.6.1 Confidentiality……………………..………………………48 2.6.2 Integrity………………………………………..…………..49 2.6.3 Authentication…………………………………..…………49 2.6.4 Non-Repudiation………………………………..…………50 2.7 Uses of PKI systems…………………………………..………....51 2.8 PKI protocols…………………………………………..………...53 2.8.1 Secure Socket Layer (SSL)……….……………..………...53 2.8.2 Transport Layer Security (TLS)…..……………….………55 2.8.3 IPsec protocol ……………………………………..………56 2.8.4 Pretty Good Privacy (PGP)…………….…………….…….58 2.8.5 Secure/ Multipurpose Internet Mail Extension (S/MIME)…60 2.8.6 Secure Electronic Transaction (SET)………………………61
Chapter Three: SSL- Secure Socket Layer 3.1 What is SSL and how does it works..…………………………….65 3.2 Negotiable encryption…………………………………………….68 3.3 Java Secure Socket Extension 'JSSE'………………………..……71
vii
3.3.1 The javax.net package…………..…………………………..72 3.3.2 The javax.net.SSL package…………………………………73 3.3.3 The javax.Security.cert package……………………………76 3.3.4 Installing and Customizing JSSE…………………………..78 3.4 Programming with JSSE………………………………………….80 3.4.1 Making existing client/server application secure…………...81 3.4.2 A complete example ………………………………………..82 3.4.3 Extending httpServer to handle https://URLs........................90 3.4.3.1 Creating server certificate…………………..……...90 3.5 Programming client applications with JSSE………………..……98 3.5.1 Working with low-level SSL-socket …………………..…..99 3.5.2 Exporting and importing certificates……………………….102
Chapter Four: Conclusions 4.1 Results……………………………..…………………………….107 4.2 Project's problems………………………..………………………108 4.3 Recommendations…………………………..……………………109 4.4 Glossary………………………………………..…………………110 4.5 References………………………………………………………..117
Table of Figures Fig 1.1 Process of cryptography…………………………………….4 Fig 1.2 Secret key cryptography…………………………………….8 Fig 1.3 Public key cryptography…………………………………….12 Fig 1.4 Hash function………………………………………………..15 Fig 1.5 PGP uses Hash function……………………………………..18 Fig 1.6 Message digest function……………………………………..19 Fig 1.7 Message authentication codes……………………………….22 viii
Fig 1.8 Digital signatures…………………………………………….24 Fig 2.1 Digital certificate……………………………………………39 Fig 2.2 PKI architecture……………………………………………..46 Fig 2.3 Position of the SSL protocol………………………………...53 Fig 2.4(A) PGP at the sender site……………………………………59 Fig 2.4(B) PGP at the receiver site…………………………………..60 Fig 3.1 SSL handshake protocol……………………………………..69 Fig 3.2 The index.html page…………………………………………89 Fig 3.3 Certificate creation…………………………………………..90 Fig 3.4 Unknown server certificate………………………………….96 Fig 3.5 A view of the generated certificate………………………….97
ix
x