The most common approach to establishing user identity, i.e., system identity, is the use of passwords. If a user-supplied password matches a password stored in the system, that user is considered authorized to use some set of system resources and data. The main problem with passwords is the difficulty of keeping the password secret.
Public key encryption of variable data is a more secure method of maintaining system security. A form of public key encryption known as digital signature is available in the Java® programming language. A digital signature is created using a private key to encrypt a message. The message originator then sends the digital signature and the clear text message. The message receiver then uses the originator's public key, received in an earlier exchange, to prove that the message came from the same source as the public key.
The use of digital signature methods requires persistence of key pairs by the key owners, as well as an exchange of public keys with processes that will be performing authentication with the key owner. By taking advantage of built-in system file-access controls, the persisted keys can be protected against unauthorized use, i.e., the key files can only be read or written by processes owned by the key owner. Providing access to authorization keys to non-owner users while maintaining security is problematic. For example, a private key is owned by root and is not readable or writable by any other user, but a process owned by user ‘sydney’, where ‘sydney’ has passed some authorization criteria, must be allowed to read the private key in order to perform a task. The root user is a user that has permission to read, write and execute any file (e.g., a system administrator).
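The signing exchange and the owner-only key file described above, as an added Java example that is not part of the original text. It assumes a POSIX file system; the class name, file name, algorithm choice (RSA with SHA-256) and sample message are constructed for illustration. It shows only the owner-only baseline, not a way to grant access to a non-owner such as ‘sydney’.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Set;

public class OwnerOnlyKeyDemo {
    public static void main(String[] args) throws Exception {
        // Key owner generates a key pair; the public half is what gets exchanged.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair pair = gen.generateKeyPair();

        // Persist the private key with rw------- set at creation, so it is never briefly readable by others.
        Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rw-------");
        Path dir = Files.createTempDirectory("keydemo");            // constructed location
        Path keyFile = Files.createFile(dir.resolve("private.pk8"),
                PosixFilePermissions.asFileAttribute(ownerOnly));
        Files.write(keyFile, pair.getPrivate().getEncoded());       // PKCS#8 encoding

        // Later: a process owned by the key owner reloads the key and signs a message.
        PrivateKey loaded = KeyFactory.getInstance("RSA")
                .generatePrivate(new PKCS8EncodedKeySpec(Files.readAllBytes(keyFile)));
        byte[] message = "variable data: nonce-12345".getBytes(StandardCharsets.UTF_8); // constructed
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(loaded);
        signer.update(message);
        byte[] signature = signer.sign();
        // Receiver checks the clear-text message against the signature with the public key.
        System.out.println("genuine message verifies: " + verify(pair.getPublic(), message, signature));
        message[0] ^= 1;                                            // simulate tampering in transit
        System.out.println("altered message verifies: " + verify(pair.getPublic(), message, signature));
        System.out.println("key file permissions: " + Files.getPosixFilePermissions(keyFile));
    }
    static boolean verify(PublicKey key, byte[] msg, byte[] sig) throws Exception {
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(key);
        verifier.update(msg);
        return verifier.verify(sig);
    }
}
```

Run as a different non-root user, the `Files.readAllBytes(keyFile)` call fails with `AccessDeniedException`, which is the access-control behavior the paragraph relies on and the reason sharing the key with a non-owner is problematic.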