Channels ▼
RSS

Security

Java Cryptography & Attribute Certificate Management

Source Code Accompanies This Article. Download It Now.


Snezana is a researcher at Belgrade's Institute Mihailo Pupin and can be contacted at snezana@impcs.com. Zoran is director of the Belgrade University Computing Center.


X.509 is an ITU recommendation for defining digital certificates (www.ietf.org/html.charters/pkix-charter.html). Originally, X.509 certificates were meant to provide nonforgeable evidence of a person's identity. Consequently, X.509 certificates contain information about certificate owners, such as their name and public key, signed by Certificate Authority (CA). However, it quickly became evident that in many situations, information about a person's privileges or attributes can be much more important than that of their identity. Thus, for example, on an e-commerce B2B site, entrance may be restricted to those who are members of a certain commercial organization, or who have paid a certain membership to a professional association. In such contexts, the authorization process is not based on identity, but rather on attributes.

This led to the addition of a new field in the third edition of X.509 (1997)—extensions that could hold any data. Many systems have taken advantage of this to introduce additional information (such as privileges) in private extension fields. However, the somewhat haphazard manner in which this occurred has led to a fragmented system, which lacks some interoperability, jurisdiction, and revocation functionality. If revocation of one privilege is needed, the whole certificate must be revoked. Furthermore, it is more appropriate that attributes (privileges) are assigned by organizations that are "direct owners" of this information—universities for registered students, medical associations for health professionals, and so on—than that CAs assign it.

Therefore, in the fourth edition of the X.509 Standard (2000), the definition of an attribute certificate (AC) was introduced to distinguish it from public-key certificates (PKC) from previous versions of the X.509 Standard. Attribute Authority (AA) provides AC and signs it using its own private key. AC is bounded to PKC because the field holder in an attribute certificate contains a serial number and the X500 name of the public-key certificate's issuer; see Tables 1 and 2.

Field Value
Version V1
Holder: Issuer CN=Certificate Authority, O=IMP C=SCG
Holder: SerialNumber 123456789
Issuer CN=Attribute Authority, O=IMP, C=SCG
Signature dsaWithMD5
SerialNumber 987654321
ValidityPeriod January 1, 2005-January 1, 2007
Attributes Type 2.5.4.72 (role)
Value Manager
SignatureValue A765 E543 ...

Table 1: Attribute certificate.

Field Value
Version V3
serialNumber 123456789
Signature dsaWithMD5
Issuer CN=Attribute Authority, O=IMP, C=SCG
ValidityPeriod January 1, 2005-January 1, 2007
SubjectPublicKeyInfo DSA Encryption
A765 E543 ...
...

Table 2: Public-key certificate.

X.509 supports discretionary, mandatory, and role-based access control (MAC, DAC, and RBAC). X.509 supports RBAC by defining role specification ACs (RSAC) that hold permissions granted to each role, and role assignment ACs (RAAC) that assign various roles to the users. In role specification ACs, the holder is the role and the privilege attributes are permissions granted to the role.

Java 2 SDK supports:

  • Public/private key creation and management.
  • Digital signature generation and verification.
  • Public key certificate generation and management.
  • Keystore management.

However, Java doesn't support attribute certificate generation and management. Therefore, we've implemented a provider named IMPCS ("Institute Mihailo Pupin Computer Systems") that works with attribute certificates.


Related Reading


More Insights






Currently we allow the following HTML tags in comments:

Single tags

These tags can be used alone and don't need an ending tag.

<br> Defines a single line break

<hr> Defines a horizontal line

Matching tags

These require an ending tag - e.g. <i>italic text</i>

<a> Defines an anchor

<b> Defines bold text

<big> Defines big text

<blockquote> Defines a long quotation

<caption> Defines a table caption

<cite> Defines a citation

<code> Defines computer code text

<em> Defines emphasized text

<fieldset> Defines a border around elements in a form

<h1> This is heading 1

<h2> This is heading 2

<h3> This is heading 3

<h4> This is heading 4

<h5> This is heading 5

<h6> This is heading 6

<i> Defines italic text

<p> Defines a paragraph

<pre> Defines preformatted text

<q> Defines a short quotation

<samp> Defines sample computer code text

<small> Defines small text

<span> Defines a section in a document

<s> Defines strikethrough text

<strike> Defines strikethrough text

<strong> Defines strong text

<sub> Defines subscripted text

<sup> Defines superscripted text

<u> Defines underlined text

Dr. Dobb's encourages readers to engage in spirited, healthy debate, including taking us to task. However, Dr. Dobb's moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing or spam. Dr. Dobb's further reserves the right to disable the profile of any commenter participating in said activities.

 
Disqus Tips To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy.
 

Video