Compare Features Of Ejbca And Openca


Chapter 8

Improvement and implementation of public key authentication system using open source software package EJBCA


The content of this chapter introduces the open source software package EJBCA, a software package that allows the deployment of a complete and fully functional PKI system. In order to take advantage of the superior properties of this software package as well as control the development process and security of the system, the topic has analyzed, improved and deployed a test of a centralized authentication system according to a simple hierarchical PKI architecture, which can be used immediately in practice.

8.1 EJBCA Open Source Software Package


8.1.1 Introduction

Enterprise Java Beans (EJB) architecture is a specification developed by Sun Microsystems. EJB describes a component-based architecture for developing and deploying distributed applications, enabling scalable, secure, and transactional enterprise applications.

EJBs are components that execute within an “EJB container”, under the supervision of an application server (such as JBoss 19). The application server and EJB container provide system services to EJBs such as data persistence, transactions, security, and resource management. EJBs are the core of a J2EE application 20. The EJB container maintains shared data connections as well as shared EJB entities that are provided to users when needed.



19 One of the most widely used J2EE application servers today.

20 J2EE (Java 2 Enterprise Edition) is a programming platform, part of the Java platform, for developing and running multi-architecture distributed Java applications, largely based on modular software components running on an application server.


EJBCA is a full-featured CA built on Java. Because it is based on J2EE technology, EJBCA constitutes a powerful, high-performance, component-based CA. With its flexibility and platform independence, EJBCA can be used independently or integrated into J2EE applications. EJBCA is a product of PrimeKey, one of the world's leading open source PKI companies, founded in 2002 in Stockholm, Sweden. PrimeKey provides PKI and smart card products, related solutions, and professional services.

EJBCA went through the following stages of development:

Version 1.x started as a beta on SourceForge in November 2001. The idea of EJBCA is to implement a CA inside a J2EE application server. Versions 1.0-1.4 provide support for JBoss, WebLogic, CRL, LDAP, MySQL, PostgreSQL, Oracle.

Version 2.x builds on version 1.x and was launched in March 2003. This version provides support for magnetic cards, PIN/PUK, key recovery, certificate status, OCSP, SCEP, special features for AD and Outlook, OpenLDAP.

Version 3.x, starting June 2004, provides support for virtual CAs, JUnit testing, HSM support (nCipher, Luna/Eracom/SafeNet), languages (Spanish, French, Italian, Chinese, Swedish, German), external OCSP Responder, Informix, OpenVPN, external RA API, CMP, XKMSv2, monitoring services, ECDSA, custom certificate extensions, DN and altName OIDs.

EJBCA is open source software supporting a wide range of functions. As of October 6, 2008, version 3.x had been downloaded more than 47,600 times 21. EJBCA has become a comprehensive PKI/CA product capable of replacing other such applications.



21 Source http://sourceforge.net


8.1.2 Architecture

The EJBCA architecture consists of the following components:

Data Tier: The data tier stores certificates, CRLs, and end entities. EJBCA uses a default database to store end entities. Certificates are stored in an LDAP (Lightweight Directory Access Protocol) repository.

[Figure 8.1 is an image not reproduced here. Its recoverable content: four tiers, Client, Web Tier, EJB Tier and Data Tier. Clients: Admin Client, Batch client, Browser, Java Application. Web Container: Apply (CertReqServlet component), WebDist (CertDistServlet component). EJB Container: RA (UserDataBean component, UserAdminSession), CA Components (CRL component, Sign component, Store component), Auth Components. Data Tier: Local database, LDAP repository.]

Figure 8.1. EJBCA architecture

CA component: The component that creates root CAs, child CAs, certificates, CRLs, and communicates with the LDAP repository to store certificate information.

RA component: The component has the function of creating, deleting and destroying users. It communicates with the local database to store user information.

Web layer: This is the interface (typically a graphical human-machine interface) for the client to interact with the EJBCA system, and also specifies different levels and scopes of information access for the end entity.

Client: A client is an end entity or user such as an email client, web server, web browser or VPN gateway. End entities are not allowed to issue certificates to other entities, in other words they are leaf nodes in the PKI.


8.1.3 Functions

EJBCA is a widely used certificate authority and one of the preferred CAs today. Its basic features include the choice of algorithms, such as SHA-1 or SHA-256 with RSA, and of different key sizes such as 1024, 2048 and 4096 bits.

EJBCA also offers language selection during system configuration. In addition, the type of publisher can be chosen: LDAP, Active Directory (AD) or a custom publisher connection.

Certificates are always issued in the X.509 format. There is also an option to choose the type of signing key, soft or hard. The CA certificate can be self-signed, signed by an external CA, or signed by an admin CA.

The root CA has a default RSA key length of 2048 bits and is valid for 10 years. When enrolling a certificate in EJBCA the user has many options: they can choose the Cryptographic Service Provider (CSP 22) they prefer and can choose among the key sizes provided, such as 512, 1024 and 2048 bits. It also gives the user the option of adding the certificate to an Electronic Identity Card.

8.1.4 Comparison with other software packages

In addition to EJBCA, there are other products that can deploy a complete PKI system, such as OpenCA and Windows 2003 Server CA. Because Windows 2003 Server CA is not an open source product, its development and security cannot be freely controlled, so it is not considered further here.

EJBCA and OpenCA are both strong open source PKI projects, and both are under active development.



22 A Cryptographic Service Provider (CSP) is a software library that implements Cryptographic Application Programming Interface (CAPI).


Below is a comparison table of some features between these two software packages [23, p.12].

Table 8.1. Comparison of features of EJBCA and OpenCA

| Characteristic | EJBCA | OpenCA |
|---|---|---|
| Difficulty of configuration | Very complicated | Complicated |
| Confidentiality | Yes (using encryption) | Yes (using encryption) |
| Integrity | Yes (using encryption) | Yes (using encryption) |
| Authenticity | Yes (using digital signatures) | Yes (using digital signatures) |
| Non-repudiation | Yes | Yes |
| Choice of algorithm to use | Yes | Yes |
| OCSP 23 | Yes | No |
| CSP selection | Yes | No |
| CRL update | Automatic | Manual |
| Smart card support | Yes | No |
| Cost | Free of charge | Free of charge |
| Extensions | Yes | Yes |
| Platform | Java J2EE (platform independent) | Perl CGI on Unix |
| Database | Hypersonic, PostgreSQL, MySQL, MS SQL, Oracle, Sybase, Informix, DB2 | MySQL |
| LDAP support | Yes | Yes |
| Modules | EJB | Perl |
| Component-based | Yes | Yes |
| Scalability | Well designed and widely extensible | Scaling is difficult and greatly increases complexity |
| Independent components | The PKI can be fully administered from the command line | The PKI can only be managed through the web interface |
| Supported browsers | Many | Many |



8.1.5 Reasons for choosing the EJBCA open source software package

In order to control the development process, safety and continue to develop the system, the topic has chosen open source software to focus on research instead of closed software such as the CA system of Windows Server 2003/2008.



23 The Online Certificate Status Protocol (OCSP) is an Internet standard used to obtain the revocation status of X.509 digital certificates.


Two popular open source software packages today, EJBCA and OpenCA, are both capable of deploying a complete PKI system, serving different users including individuals and businesses. The decisive criteria of a PKI system are that it must be reliable, secure, flexible and cost-effective. As compared in section 8.1.4, OpenCA only ensures reliability and security while EJBCA ensures all of the above criteria.

EJBCA is a CA and a complete PKI management system, which is a very powerful, environment-independent, high-performance, scalable and component-based PKI solution. In addition, EJBCA is very flexible in providing optional ways of operating as a standalone CA or fully integrated into any commercial application. Furthermore, although the configuration of the EJBCA system is much more complex than OpenCA, the EJBCA system once put into operation brings a lot of convenience and simplicity to users in generating and managing certificates. In addition, unlike OpenCA, CRL updates in EJBCA are completely automatic.

In addition, EJBCA is developed and provided by PrimeKey, a leading open source PKI company in the world, so by using EJBCA we inherit the company's development capacity and can rely on the security of its source code.

8.2 EJBCA open source software package enhancements


8.2.1 Needs

As introduced and analyzed above, EJBCA is a well-known software package, fully supporting the functions to deploy a reliable, secure, flexible and scalable PKI system. However, in order to control the development process as well as the security of the system when put into practical use, this software package needs to be surveyed, analyzed and improved if possible to suit the needs of the organization while achieving the necessary security and efficiency.

The next section will present analysis to improve the security of EJBCA, especially in digital signature with RSA public key cryptosystem.


8.2.2 EJBCA RSA key generator improvements

EJBCA uses the Bouncy Castle (BC) open source cryptographic library in all of its cryptographic processes and protocols to provide confidentiality, integrity, authentication, and non-repudiation. The library is a Java implementation of cryptographic algorithms, developed by the Legion of the Bouncy Castle. It is organized to provide a “light-weight” Application Programming Interface (API) suitable for use in any environment (including the latest versions of J2EE), with additional infrastructure so that the algorithms conform to the Java Cryptography Extension (JCE).

The Bouncy Castle Cryptography API for Java consists of the following parts:

A lightweight cryptography API for Java and C#.

A provider for JCE and the Java Cryptography Architecture (JCA).

A library for reading and writing encoded ASN.1 objects.

A “lightweight” client-side TLS 24 API.

Generators for X.509 version 1 and 3 certificates, version 2 CRLs and PKCS #12 files.

Generators for X.509 version 2 attribute certificates.

Generators/processors for S/MIME and CMS (PKCS #7/RFC 3852).

Generators/processors for OCSP (RFC 2560).

Generators/processors for TSP (RFC 3161).

Generators/processors for OpenPGP (RFC 2440).

A signed jar version suitable for JDK 1.4-1.6 and Sun JCE.

The compact API works with everything from J2ME to JDK 1.6 and there is also an API in C# that provides most of the same functionality as above.

As presented in Chapter 2, this topic is concerned with the RSA public key cryptosystem and its applications in encryption and digital signatures, so the functions related to the RSA cryptosystem are given special attention. The EJBCA key generation function genKeys in the KeyTool class of the org.ejbca.util package is as follows:

24 TLS (Transport Layer Security) is a cryptographic protocol that provides secure communications on the Internet such as for web browsing, email, instant messaging, data exchange, etc. The predecessor of TLS is the SSL (Secure Sockets Layer) protocol.


import java.security.InvalidAlgorithmParameterException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;

public static KeyPair genKeys(String keySpec, String keyAlg)
        throws NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException {
    // Request the named algorithm (e.g. "RSA") from the Bouncy Castle ("BC") provider
    KeyPairGenerator keygen = KeyPairGenerator.getInstance(keyAlg, "BC");
    // RSA keys: keySpec carries the modulus length in bits, e.g. "2048"
    int keysize = Integer.parseInt(keySpec);
    keygen.initialize(keysize);
    KeyPair keys = keygen.generateKeyPair();
    return keys;
}

Figure 8.2. EJBCA RSA key generation function

We see that the keygen variable has the type KeyPairGenerator (in the java.security package) and obtains the BC provider instance if possible. If the BC library is not installed, it falls back to the default Java instance. This is a safeguard in case the user forgets to install the BC library.

The keygen.generateKeyPair method generates a key pair. When the selected algorithm is RSA, the BC RSAKeyPairGenerator (the RSAKeyPairGenerator class in the org.bouncycastle.crypto.generators package) is executed. The RSA key pair generation algorithm used by this class is as follows:

RSAKeyPairGenerator(e, strength)

Input: the integer $e$ is the public exponent, $strength$ is the key length in bits.

Output: the public key $(n, e)$ and the private key $(n, d)$.

(1) $pBitLength \leftarrow (strength + 1)/2$.

(2) $qBitLength \leftarrow strength - pBitLength$.

(3) Choose a random integer $p$ of length $pBitLength$.

(4) If $p$ is not prime or $\gcd(e, p) \neq 1$, go back to step (3).

(5) Choose a random integer $q$ of length $qBitLength$.

(6) If $q$ is not prime, or $\gcd(e, q) \neq 1$, or the length of $p \times q$ differs from $strength$, go back to step (5).

(7) $n \leftarrow p \times q$.

(8) $phi \leftarrow (p - 1) \times (q - 1)$.

(9) $d \leftarrow e^{-1} \bmod phi$.

(10) Return $(n, e)$ and $(n, d)$.

Algorithm 8.1. Generating RSA key pair in Bouncy Castle
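As an added illustration of Algorithm 8.1 (this is example code written for this page, not EJBCA's or Bouncy Castle's own source), the following Python program walks through steps (1) to (10) with the document's symbols: the two bit lengths, the two rejection loops, the check that $p \times q$ has exactly $strength$ bits, and the computation of $d$. A Miller-Rabin test stands in for Bouncy Castle's probable-prime test. The coprimality test is applied to $p - 1$ and $q - 1$ (rather than to $p$ and $q$ themselves), because $\gcd(e, (p-1)(q-1)) = 1$ is the condition under which the inverse in step (9) exists. The public exponent 65537 and the 512-bit strength used in the demonstration are constructed inputs chosen so the pure-Python run finishes quickly; the 2048-bit default mentioned in section 8.1.3 works with the same code.

```python
"""Reference walk-through of Algorithm 8.1 (Bouncy Castle RSA key pair generation).
Added example for this page; not EJBCA or Bouncy Castle code."""
import math
import secrets


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin probabilistic primality test (stands in for BC's isProbablePrime)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    # Write n - 1 = 2^r * s with s odd.
    r, s = 0, n - 1
    while s % 2 == 0:
        r += 1
        s //= 2
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # random witness in [2, n-2]
        x = pow(a, s, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                           # a is a witness: n is composite
    return True


def random_odd_with_bit_length(bits: int) -> int:
    """Random odd integer of exactly `bits` bits (top bit set), as steps (3) and (5) require."""
    return secrets.randbits(bits) | (1 << (bits - 1)) | 1


def rsa_key_pair_generator(e: int, strength: int):
    """Steps (1)-(10) of Algorithm 8.1. Returns ((n, e), (n, d))."""
    p_bit_length = (strength + 1) // 2            # (1)
    q_bit_length = strength - p_bit_length        # (2)

    while True:                                   # (3)-(4): retry until p is acceptable
        p = random_odd_with_bit_length(p_bit_length)
        if is_probable_prime(p) and math.gcd(e, p - 1) == 1:
            break

    while True:                                   # (5)-(6): retry until q is acceptable
        q = random_odd_with_bit_length(q_bit_length)
        if not (is_probable_prime(q) and math.gcd(e, q - 1) == 1):
            continue
        n = p * q                                 # (7)
        if n.bit_length() == strength:            # (6): product must have exactly `strength` bits
            break

    phi = (p - 1) * (q - 1)                       # (8)
    d = pow(e, -1, phi)                           # (9): d = e^{-1} mod phi (Python 3.8+)
    return (n, e), (n, d)                         # (10)


def check_key_pair(public, private, strength: int) -> bool:
    """Sanity check a generated pair: modulus length and an encrypt/decrypt round trip
    (m^e)^d = m mod n on a random message, which holds only if e*d = 1 mod phi."""
    n, e = public
    n2, d = private
    if n != n2 or n.bit_length() != strength:
        return False
    m = secrets.randbelow(n)
    return pow(pow(m, e, n), d, n) == m


if __name__ == "__main__":
    # Constructed demonstration inputs: e = 65537, strength = 512 bits.
    pub, priv = rsa_key_pair_generator(65537, 512)
    print("n has", pub[0].bit_length(), "bits; round trip OK:", check_key_pair(pub, priv, 512))
```

The step (6) length check is the detail most easily lost: with $pBitLength$ and $qBitLength$ chosen as in steps (1) and (2), the product of two top-bit-set primes has either $strength$ or $strength - 1$ bits, so without that rejection a request for a 2048-bit key could silently return a 2047-bit modulus.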
