1. Field of the Invention
The present invention relates generally to an improved data processing system, and in particular, to a computer implemented method for determining the security of interactions between data processing systems. Still more particularly, the present invention relates to a computer implemented method, system, and computer usable program code for verifying certificate use by an application in a data processing system.
2. Description of the Related Art
Applications executing on different data processing systems communicate with each other over data networks. Some of these data communications may have to include certain security mechanisms, such as encryption, to ensure that the data contained in the communication is not intercepted or manipulated. Encryption is the process of converting data from one form to another form, called cipher text, in such a way that it is difficult for someone to derive the original data from the cipher text without knowing the method and tools used for the encryption.
In some other data communications, the security mechanism may prevent repudiation of the communication by one or both parties, such as by using digital signatures. A digital signature is a method of authenticating the holder of the digital signature in a manner analogous to a handwritten signature. A digital signature may include a pair of strings of characters, which when processed through well known algorithms provide authenticating information about the holder of that digital signature.
In some data communications, the security mechanism is designed to ensure the identity of the data processing systems on each end of the data communication and to encrypt the data communication between the two communicating systems. Digital certificates are commonly used for these purposes in data communications. A digital certificate, or simply a certificate, includes strings of characters, such that the strings correspond to each other when processed through certain algorithms. Digital certificates can also be used for digital signature purposes. Usually, a certificate is “signed” by a trusted third party, such as the issuer of the certificate, called a certificate authority (CA), who can attest to the identity of the holder of the certificate to some degree.
A well-known technique for verification and encryption is called public key cryptography. A certificate used in public key cryptography uses two strings of characters known as keys—a public key and a private key. The public key can be distributed to anyone and can be used to encrypt data such that the encrypted data can be decrypted only by using the private key that corresponds to the public key, in conjunction with an algorithm called the cipher. Similarly, the holder of a certificate can sign a message using the private key. Anyone with the corresponding public key, obtained for example from the certificate authority, can verify the signature.
Certificates can be assigned to software applications as well as data processing systems. Software applications and data processing systems can use the certificates for authentication, encryption, non-repudiation, and other uses. One use of certificates is in secure sockets layer (SSL) communication. SSL communication is a secure method of communicating private information over public networks, such as over the Internet. In SSL communication, one system, called the client, requests a secure communication with another system, called the server. The client and the server negotiate a cipher to use for the communication. The server presents its certificate, which authenticates the server and provides the server's public key to the client. The client generates a random number to be used as a key for the secure communication session. The random number is called the session key. The client encrypts the session key using the server's public key from the server's certificate and sends it to the server. The server decrypts the encrypted session key using its private key and obtains the session key to use in the secure communication session with the client.
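The exchange described above, as an added example written for this page in Go (standard library only; it is not code from the patent): a constructed root CA issues a server certificate, the client verifies that certificate against its trust store and the expected host name before trusting the public key inside it, wraps a random session key with that key, and the server unwraps it with its private key. The CA name and the host name `server.example.test` are assumptions.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
const host = "server.example.test" // constructed server name; an assumption, not from the page
// issueCert fills in serial and validity, then has signer sign tmpl; pass tmpl as its own parent for a self-signed root.
func issueCert(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) (*x509.Certificate, error) {
	tmpl.SerialNumber, tmpl.BasicConstraintsValid = big.NewInt(time.Now().UnixNano()), true
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
// SetupPKI builds a self-signed root CA and a server certificate it has issued (the server's key pair is returned too).
func SetupPKI() (caCert, srvCert *x509.Certificate, srvKey *rsa.PrivateKey, err error) {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	caTmpl := &x509.Certificate{Subject: pkix.Name{CommonName: "Example Root CA"}, IsCA: true, KeyUsage: x509.KeyUsageCertSign}
	if caCert, err = issueCert(caTmpl, caTmpl, &caKey.PublicKey, caKey); err != nil {
		return nil, nil, nil, err
	}
	srvKey, _ = rsa.GenerateKey(rand.Reader, 2048)
	srvTmpl := &x509.Certificate{Subject: pkix.Name{CommonName: host}, DNSNames: []string{host}, KeyUsage: x509.KeyUsageKeyEncipherment}
	srvCert, err = issueCert(srvTmpl, caCert, &srvKey.PublicKey, caKey)
	return caCert, srvCert, srvKey, err
}
// Handshake mirrors the SSL-style exchange in the text: the client checks the presented certificate against its trust
// store and the expected host, sends a random session key encrypted with the server's public key, and the server unwraps it.
func Handshake(srvCert *x509.Certificate, srvKey *rsa.PrivateKey, roots *x509.CertPool) (bool, error) {
	if _, err := srvCert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil {
		return false, err // untrusted issuer, expired, or wrong name: abort before any secret leaves the client
	}
	sessionKey := make([]byte, 32)
	rand.Read(sessionKey) // client's random session key
	wrapped, err := rsa.EncryptPKCS1v15(rand.Reader, srvCert.PublicKey.(*rsa.PublicKey), sessionKey)
	if err != nil {
		return false, err
	}
	recovered, err := rsa.DecryptPKCS1v15(rand.Reader, srvKey, wrapped) // server side: only its private key can unwrap
	return bytes.Equal(sessionKey, recovered), err // true when both sides hold the same session key
}
```

With an empty trust store the client refuses the certificate and never produces a session key, which is the check that protects against an impostor presenting a certificate the client has no reason to trust.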