Login | Register   
LinkedIn
Google+
Twitter
RSS Feed
Download our iPhone app
TODAY'S HEADLINES  |   ARTICLE ARCHIVE  |   FORUMS  |   TIP BANK
Browse DevX
Sign up for e-mail newsletters from DevX


advertisement
 

Implementing Secure Automatic Authentication in ColdFusion  : Page 2

Don't just set a plain-text cookie to match users with stored server data; let users log on automatically and securely by taking advantage of CF's ability to interact with Java.


advertisement

Creating a Shell Java Encryption Class
The first step is to create a shell class to handle the encryption. For lack of imagination I'll call this class "Encryption." You need to import the Java Security API package, which implements many different types of encryption. In this example, you'll use public/private key encryption and create two private variables to store our public and private keys. Here's the code for the Encryption class.

   import java.security.*;
   
   public class Encryption
   {
   private PublicKey publicKey = null;
   private PrivateKey privateKey = null;
   }
Generating a Key Pair
With the shell class in place you can get right down to implementation. Next, you need to generate a key pair. The key pair lets you create signatures with your private key and verify them with your public key. It is perfectly secure to share the public key with third parties to verify the signatures. Sharing your public key with partners or other applications is one common way to share authentication information. If you are going to share your public key with third parties, they need to be able to ensure or "trust" that your public key is valid, but because this example is only concerned with internal use of the public key, I won't address trust in this article. You will need to create only a single key pair for all of the example's encryption needs. While the public key can be shared, the private key needs to be secured. The JDK contains a program to manage your keys securely named keyring. For simplicity however, this example just stores the keys in the CF application server file system, under the assumption that only authorized people can access them.

You need a method to generate the keys. I'll call this method generateKeys. The generateKeys method needs to create a key pair generator instance. To do that, you must tell it which encryption algorithm to use—the example uses DSA for simplicity. Optionally, you can also specify a security provider. For simplicity, the example doesn't specify a provider; instead, it lets the key pair generator pick the provider based on the security properties setup of the Java Runtime Environment (JRE). The following line instantiates a new key pair generator.

      KeyPairGenerator keyGen = KeyPairGenerator.getInstance("DSA");
The preceding code sets the keyGen variable to a new KeyPairGenerator instance using the Digital Signature Algorithm (DSA). The next step is to initialize the key pair generator. The initialize method takes two parameters: bit length, and an instance of a random object. The bit length has a major effect on the strength of the encryption. Shorter bit lengths are less secure while longer bit lengths can lead to performance problems. The example uses a 1024-bit key, which should be sufficiently secure but is short enough to avoid major performance problems. Again, for simplicity, the example uses the default secure random object—for DSA that's the Secure Hash Algorithm (SHA1). After initializing the key pair generator you can call the generateKeyPair method to create a KeyPair instance.



      keyGen.initialize(1024, new SecureRandom());
      KeyPair pair = keyGen.generateKeyPair();
      this.privateKey = pair.getPrivate();
      this.publicKey = pair.getPublic();
The preceding code initializes the key pair generator, generates a new key pair, and calls the getPrivate and getPublic methods to set the two private variables. Now that you have a key pair you're ready to create and verify signatures. However, because you don't want to generate a new key pair each time you create or verify signatures you need some way of persisting the keys. The easiest solution is to write the keys to the file system. Luckily, the National Institute of Standards and Technology (NIST) has defined standards on how to store public and private keys. These standards are known as Private-key Information Syntax Standard (PKCS8) for private keys and X.509 for public keys.


Comment and Contribute

 

 

 

 

 


(Maximum characters: 1200). You have 1200 characters left.

 

 

Sitemap
Thanks for your registration, follow us on our social networks to keep up-to-date