As commonly done in security literature, I describe different scenarios using a set of human characters. These characters are the players in each of the security interactions I discuss. Here is the cast of characters for this article:
- Alice. Alice is an innocent participant in communication. She generally is the sender, and she runs a secure Web server on a site called alice.com.
- Bob. Bob is another innocent participant who generally is the receiver.
- Celie. Celie is a certification authority who will be signing some certificates.
- Mallet. Mallet wants to impersonate Alice and send bogus Web pages to Bob. He has set up a fake version of alice.com with phony data. He stuck it on the Internet, hoping that people looking for alice.com instead would visit his machine, mallet.com.
In a typical scenario, Alice sends a piece of data to Bob; both entities want to hide their communication from Eve (the eavesdropper), and they definitely don't want to mess with Mallet, a generally malicious attacker.
You'll have to set up three of these entities: Alice, Bob, and Celie. First, you'll have to set up Celie, the certification authority. Then, you'll set up Alice, who will use Celie to authenticate her certificates. Finally, you'll present the certificates to Bob, who will install them in his browser.
You'll need some tools to complete these tasks. To manage keystores, you'll need the keytool program that comes with the JDK. If you have installed your JDK correctly, you should be able to just run keytool at the command prompt. Because the software included with the JDK can create only self-signed certificates, you'll also need to incorporate additional software that can sign certificates. OpenSSL is an excellent package for this purpose, so you'll be using it in this article's examples.
Celie, the Certification Authority
The instructions for setting up Celie assume that you have installed OpenSSL on your machine but haven't changed its configuration. You'll need to configure OpenSSL to allow Celie and Alice to belong to different organizations, which you can do by editing the configuration file openssl.cnf. Change the following line:
policy = policy_match
policy = policy_anything
Once OpenSSL is set up, create the following directory structure:
The file index.txt should be empty, and the file serial should contain only the string '01'. (Note to Windows/DOS users: this file must not have a newline at the end.)
Next, you need to generate a self-signed certificate. This is a certificate that attests to Celie's identity, and which she signs herself. You do this with the following command:
openssl req -x509 -newkey rsa:512-keyout demoCA/private/cakey.pem -out
demoCA/cacert.pem -passout pass:capass
Author Note: Many of these commands will be too long to fit on one line. Don't be fooled by the fact that they take up multiple lines.
When you run this command, it will ask you for some personal information. Assume the role of Celie and enter her information:
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) :New York City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Celie's Security Services
Organizational Unit Name (eg, section) :Authentication Department
Common Name (eg, YOUR name) :Celie
Email Address :email@example.com
This creates a file called demoCA/private/cakey.pem, which contains Celie's private key. Keeping this file secure is crucial to the success of Celie's businessif it gets out, all the certificates she has issued become worthless. Thus, a password protects this file. You specify the password on the command-line using the pass option. You also could have the program prompt for the passwordwhich is saferby leaving it off the command line. For this exercise, use the password capass.
The command above also creates a file called demoCA/cacert.pem, which is Celie's self-signed certificate. More precisely, it is a copy of her public key that has been signed by her private key. This way, anyone can verify that she signed it herself. Youll use this certificate in the next few sections.