print Printer View e-mail E-mail this page Bookmark Bookmark
Discuss this tutorial. Printable version (PDF).
Go to Contents page. Go to previous page. Go up a level. Go to next page.

 

 

Concepts

Effective Internet security requires secure information exchange mechanisms that are scalable and that support the security of distributed systems. Public Key Infrastructure (PKI) meets these requirements with minimal inconvenience.

Oracle9i Application Server (Oracle9iAS) can use elements of PKI to provide a secure, resilient environment for deploying electronic commerce. This reliable environment supports building systems to handle virtually any type of electronic interaction, from corporate intranets to e-business applications designed for deployment on the Internet.

Strong system security starts with the physical security of systems and the trustworthiness of personnel. With these in place, PKI enhances secure electronic commerce and Internet communications by supporting the following processes:

  • Authentication. Verifying the identity of users and machines becomes crucial when an organization opens its doors to the Internet. Strong authentication mechanisms, of which PKI is one, verify identities without allowing transmission or storage of reusable passwords. They ensure that persons and machines are the entities they claim to be. This is typically done by a trusted third-party authentication or certification service using conventional cryptography. Proper use of PKI makes impersonation virtually impossible and supports mechanisms enabling systems and applications to trust each other's connections and transmissions.
  • Encryption. Encryption and integrity algorithms are used to secure communications and ensure the privacy of data sent from one computer to another. They ensure that data remains confidential, that it cannot be modified, and that lost packets can be detected.
  • Non-repudiation. Non-repudiation means that senders of digitally signed transactions or email cannot claim they did not do so. Digital signatures using PKI can provide reliable proof that the person signing the electronic transmission really is that person, since no one else can create their unique digital signature. This fact also prevents impersonation, because the impostor cannot create that person's digital signature. A PKI digital signature proves that a specific user performed certain operations.

For public-key cryptography, entities that want to communicate in a secure manner must possess certain security credentials. This collection of security credentials is stored in a wallet. Security credentials consist of:

  • Public and private keys. This form of cryptography uses a secret private key and a mathematically-related public key. Only the public key can be used to encrypt information, and only the corresponding private key can be used to decrypt that information. Only the owner of the key pair knows the private key; the public key can be distributed widely and remains associated with its owner. A message encrypted with the public key can only be decrypted by the owner who knows the associated private key. Such keys are also used in digital signatures to prevent Internet impersonation and repudiation of valid messages. In the process of seeting up this sample application, you will obtain and install certificates for the client and server.
  • Digital certificates. Certificates are digital identities, issued by trusted third parties, that identify users and machines. Certificates are issued when that third party receives trusted information proving to its satisfaction the validity of those identities. The certificates can then be securely stored in wallets or in directories and used to prove the claimed identity to anyone on the Internet who trusts that third party.
  • Certificate Authority (CA). A CA is a third party that acts as a trusted, independent provider of digital certificates.

Use of a cryptographic key pair to set up a secure, encrypted channel ensures the privacy of a message and can validate the authenticity of the sender of the message. Wide distribution of the public key on a server, or in a central directory, does not jeopardize security because the private key is never shared. The public key for an entity is published by a certificate authority in a user certificate. Entities that want to send secure information can encrypt the information with the recipient entity's public key. An entity that receives a communication encrypted by this method can use its own private key to decrypt the message. (In some cases, the sender might need to reassure the recipient regarding who sent the message. Encrypting the coded message again using its own public key would do the trick. The recipient could decrypt the doubly-encoded message using his private key, and then decrypt the resulting coded message using the sender's public key. If the original message was not encoded using both public keys, the result of decrypting will be unreadable.)

Discuss this tutorial. Printable version (PDF).
Go to Contents page. Go to previous page. Go up a level. Go to next page.
E-mail this page
Printer View Printer View
Oracle Is The Information Company About Oracle | Oracle RSS Feeds | Careers | Contact Us | Site Maps | Legal Notices | Terms of Use | Privacy