Public Key Infrastructure (PKI) package with Java Source

What does it cost?

You should not  bother with Cycom's PKI since the free open source Java PKI at http://www.bouncycastle.org/  is much better.

If you want CA functionality then try http://ejbca.sourceforge.net/
If you really insist on Cycoms source it will cost 57 USD, 65 Euro, or 40 GBP every 2 years. There are no royalties, or commercial restrictions other than confidentiality.  If you have already developed to a competitor's interface then please ask if Cycom can emulate this interface.

What is a public key?

A public key is a key used for encrypting or decrypting information. This key is made publicly known to the world with no restrictions. The key cannot be used to decrypt information that the same key encrypted. The operation is a one-way function that cannot be reversed armed only with the public key. Neither is the encryption algorithm secret; it too is openly published. The public key is one key of a pair of keys.

What is a private key?

The other key in a keypair is called the private key or secret key. It is never published, never revealed to anyone except it's owner and does not need to be communicated to 3rd parties. The private key might never leave the machine or hardware token that generated the keypair originally. The private key can encrypt information that can later be decrypted by using the public key. Also the private key can be used to decrypt information that was previously encrypted using the public key.

How can I prove my identity to someone else?

You can let the other party encrypt some random data using your public key and they can challenge you to decrypt it. If you know the private key then you will be able to perform this feat. If you don't know the private key then you won't be able to do it. If you succeed, then the other party will believe that you know the private key. You do not need to tell them what the private key is; they will still believe that you know it since they trust that the algorithm has been inspected by many worthy researchers and no flaws have been found. So now they know that you have the other key in the keypair, they then have the problem of trusting that the public key that they have is associated with you. This requires a leap of faith, eyeball to eyeball exchange of public keys, or a long history of previous mutually beneficial transactions, or you delegate trust to a trust broker such a Certificate Authority.

What is a Certificate Authority?

A Certificate Authority or CA is an organization that you trust to associate public keys with real world entities such as individuals. Why would you trust a CA?; because their business would collapse if they lost that trust and so they try hard to keep up standards. They publish their standards on their websites. (but then again, they also publish legal disclaimers which might reduce their incentive to keep up standards).

What is a PKI?

Public Key Infrastructure is all the stuff, tools, libraries, management procedures and protocols needed to generate keypairs and digital certificates and pass around the keys and digital certificates securely to those who need to use them. And to manage what happens if the system fails.

How can the PKI system fail?

First, be assured that PKI is a lot better than any alternative system. All security systems require you to trust something or someone. PKI requires you to trust things a fewer number of times and it scales well to a larger number of participants. Here are some ways it can fail.

  1. The private key is revealed to a 3rd party. To prevent this, you must trust the hardware and user interface to your private key store. If your PC has been hacked or infected (easy with many default Microsoft platforms) then the attacker can read your keystrokes and screen so all trust is gone. Ideally, you should have a platform that has a client-side firewall and does not readily execute mail attachments and has pure Java clients (to prevent buffer-overrun attacks). A Linux system with IPTABLES firewall configured and running Club Cycom pure Java software is suitable.

  2. A 3rd party masquerades as you or someone false using his own keypair. To prevent this, you must trust that your partners have the correct public key associated with you (and that you have their true public key). The CA is useful here in certifying the association between identity and public key but you must first have the true public key of the CA (usually pre-installed in most software).

  3. A 3rd party masquerades as you to the CA and fools the CA into certifying the 3rd party's public key as associated with you. E.g an imposter has obtained a code signing certificate from VeriSign certifying that the imposter is MicroSoft! (it really happened). The level of security here varies with CA. Most will call you back on the telephone and ask you if you are you (please don't lie!).

  4. Man-in-the-middle , replay and chosen text attacks. To prevent this you must use secure protocols that consider these attacks. E.g make sure that when you are challenged to use your private key to encrypt or decrypt data, that data was truely random and could not have been specially chosen by the attacker.

What is Cycom's PKI?

Cycom's PKI with Java source is a small subset of PKI just big enough to be useful, that leverages Sun's JCA. In particular it will allow a user application to generate digital certificates and certificate requests and allow the user to act as a CA, if only for other local users. This allows you to tailor the standards of trust (and hence cost) to match your needs. Certificates from a real CA cost hundreds of dollars each and yet that CA may be easier to fool. It's ASN1 parsing library only supports X509 certificates and is based on, and documented by  the free open source  Java  project http://sourceforge.net/projects/cryptix-asn1/
You should not  bother with Cycom's PKI since the free open source Java PKI at http://www.bouncycastle.org/  is much better.

How do obtain Cycom's PKI Java source code?

You should not  bother with Cycom's PKI since the free open source Java PKI at http://www.bouncycastle.org/  is much better.

If you want free Java CA functionality then try http://ejbca.sourceforge.net/
If you really want Cycoms source, then take out a 2 year subscription to Club Cycom and then ask me for the source. http://club.cycom.co.uk/

Are there any royalties to pay if I distribute the binaries with my application?

No.

What if Cycom goes bust?

Doh! You got me! That's why I give you the source. Cycom has been trading for 14 years and is not funded by stockmarket investors. Maybe you would be safer with a big company like WorldCom or Enron or Marconi. Maybe you would prefer to obtain your security advice from experts such as Microsoft. The fact that millions of PC's running Microsoft software have been infected or hacked should have made Microsoft review it's historical design choices.

Example usage of Cycom's PKI package

This example creates a keypair (using Sun's packages), then creates a self-signed certificate (using Cycom's packages) and then puts the keypair and certificate into a keystore (using Sun's packages).

            KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
System.out.println("got keypair gen instance"+(System.currentTimeMillis()-start));
kpg.initialize(1024);
System.out.println("initialized keypair gen instance"+(System.currentTimeMillis()-start));
KeyPair kp = kpg.generateKeyPair();
System.out.println("generated keypair"+(System.currentTimeMillis()-start));
PublicKey pubK = kp.getPublic();
System.out.println("pubK.format="+pubK.getFormat());
System.out.println("pubK.algorithm="+pubK.getAlgorithm());
//byte [] pubKba = pubK.getEncoded();
//FileOutputStream fos = new FileOutputStream("/tmp/genPubK.der");
//fos.write(pubKba);
//fos.close();

PrivateKey privK = kp.getPrivate();

X509CertGen certGen = null;
if(pubK.getAlgorithm().equals("RSA")){
certGen = new X509CertGen(privK,"MD5withRSA",null,null);
} else {
certGen = new X509CertGen(privK,"SHA1withDSA",null,null);
}
certGen.setPublicKey(pubK);
// certGen.setIssuerCommonName("CYCOM LIMITED");
certGen.setSubjectCommonName(nuc.getUserName());
certGen.setSubjectOrganization("Club Cycom Member");

X509Certificate generatedCert = certGen.generateCertificate();
System.out.println("generatedCert="+generatedCert);
X509Certificate [] generatedCertArr = new X509Certificate [] {
generatedCert
};
KeyStore keyStore = nuc.getKeyStore();
keyStore.setKeyEntry(nuc.getUserName(),privK,passwd,generatedCertArr);

KeyStoreHelper ksh = nuc.getKeyStoreHelper();
FileOutputStream kfos = new FileOutputStream(ksh.getKeyStoreFile());
keyStore.store(kfos,passwd); //TODO should use different passwd for keystore and keyentry.
kfos.close();
nuc.setKeyPair(kp);



This software is available to long term members of Club Cycom.