Posts

Showing posts from June, 2011

Best Practice: to Include the Complete Certificate Chain in the KeyStore

Let's start from an example. Considering the following certification path, TrustAnchor issues IntermediateCert, and IntermediateCert issues EndEntiryCert.
TrustAnchor | Subject: CN=TrustAnchor, OU=Example.COM V Issuer : CN=TrustAnchor, OU=Example.COM IntermediateCert | Subject: CN=Intermediate, OU=Example.COM V Issuer : CN=TrustAnchor, OU=Example.COM EndEntiryCert Subject: CN=EndEntiry, OU=Example.COM Issuer : CN=Intermediate, OU=Example.COM
In practice, I noticed that some smart card vendor may only import the end entity certificate into the store [1]. That is to say, for this example, the smart card only store EndEntiryCert. To build a certification path, the application will have to find a way to retrieve the intermediate certificate. It's not always easy for the application programmers. Yes, I have to say, it is possible, but it does not sound like the worthwhile effor…

Java Approach to Lightweight Servers

My presentation about NIO.2 and JSSE in JavaOne Beijing 2010.

The time has come for Web servers to handle tens of thousands of clients simultaneously. Using NIO.2, one of the major features of JDK 7, will prove to be a reliable approach to solving the C10K problem (the inability of most Web servers to handle more than 10,000 clients simultaneously). This session introduced NIO.2’s asynchronous I/O APIs and illustrated a simple framework for building a reliable, lightweight, secure server.

The Standard Algorithm Name of KeyManagerFactory

In JDK 7, "PKIX" was defined as the standard algorithm name of KeyManagerFactory. It's a factory for X509ExtendedKeyManagers that manages X.509 certificate-based key pairs for local side authentication according to the rules defined by the IETF PKIX working group in RFC 3280 or its successor. The KeyManagerFactory must support initialization using the class javax.net.ssl.KeyStoreBuilderParameters.Please refer to Java Security Standard Names.

Java SE Disables MD2 Algorithm in Certification Path Building and Validation

The MD2 Message-Digest Algorithm is no longer considered secure [1][2][3][4], Java SE disables MD2 algorithm in certification path building and validation from Java SE 1.6.0_17 (6u17) [JavaSE 6u17] and Java SE 1.5.0_22 (5u22) [JavaSE 5u22].However, even as of 2011, the MD2 algorithm remains in use in Public Key Infrastructures (PKI) as part of certificates generated with MD2 and RSA. It is recommended to request or renew a new certificate with stronger cryptographic algorithm from the Certificate Authority (CA).
[1]: Søren S. Thomsen (2008). An improved preimage attack on MD2
[2]: Knudsen, L., Mathiassen, J., Muller, F., and Thomsen, S., "Cryptanalysis of MD2", Journal of Cryptology, 23(1):72-90, 2010.
[3]: CVE-2009-2409
[4]: S. Turner, L. Chen, "MD2 to Historic Status", RFC 6149, March 2011
[JavaSE 6u17]: Java SE 6 update 17
[JavaSE 5u22]: Java SE 1.5.0 update 22