1. Field of the Invention
The present invention relates generally to an improved data processing system, and in particular, to a computer implemented method for managing security in a data processing system. Still more particularly, the present invention relates to a computer implemented method, system, and computer usable program code for certificate distribution using a secure handshake.
2. Description of the Related Art
Applications executing on different data processing systems communicate with each other over data networks. Some of these data communications may have to include certain security mechanisms, such as encryption or digital signatures, to ensure that the data contained in the communication is hidden or not readable while in transit.
Encryption is the process of transforming information, referred to as plaintext, using an algorithm called a cipher, to make the plaintext unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of this process is encrypted information, which, in cryptography, is referred to as ciphertext. The detailed operation of a cipher is controlled both by the algorithm and the key.
In some other data communications, security mechanisms based on encryption may prevent repudiation of the communication by one or both parties, such as by using digital signatures. A digital signature provides a method of authenticating the author of a message or communication based on the digital signature of that message, in a manner analogous to a handwritten signature. A digital signature may also be used to prove that a message has not been modified since it was initially signed.
In some data communications, the security mechanism is designed to ensure the identity of the data processing systems on each end of the data communication. The security mechanism may also include encrypting the data communication between the two communicating systems. Solutions based on public key cryptography are commonly used for these purposes in data communications.
A public key cryptography solution uses two “keys”, a public key and a private key, referred to as a “key pair”, as a part of the mathematical transformation applied to a message. These keys are related in a manner such that when a ciphertext message created with a particular algorithm and one of the keys is processed with the corresponding algorithms and the other key of the key pair, the original message is revealed.
Further, in solutions for secured data communications, a “digital certificate” is used to associate an identity, such as an identity of the user, or of a data processing system, with one half of the key pair—the “public” key. In this process, a message is signed with a “private” key that is known only to the entity signing the message. The signed message is then transmitted, optionally with the digital certificate, so that the recipient can validate the signature. Using the signature in this manner, the recipient verifies that the message was signed by the entity identified in the digital certificate.
A digital certificate is also known simply as a certificate. Usually, a certificate is “signed” by a trusted third party, such as the issuer of the certificate, called a certificate authority (CA). By signing a certificate, a certificate authority attests to the identity of the holder of the certificate to some degree.
Certificates can be assigned to software applications as well as data processing systems. Software applications and data processing systems can use the certificates and the keys bound to the certificates for authentication, encryption, non-repudiation, and other uses.
One use of public key cryptography and certificates is in secure sockets layer (SSL) communication and transport layer security (TLS). SSL communication is a secure method of communicating private information over public networks, such as over the Internet. In SSL communication, one system, called the client, requests a secure communication with another system, called the server. The client and the server negotiate a cipher to use for the communication. The server then signs a message using this cipher and presents its certificate together with this message, which authenticates the server and provides the server's public key to the client. The client generates a random number to be used as a key for the secure communication session. The random number is called a session key. The client encrypts the session key using the server's public key from the server's certificate and sends it to the server. The server decrypts the encrypted session key using its private key and obtains the session key to use in the secure communication session with the client.
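The exchange described above can be traced end to end in the following added example, which is not part of the original disclosure. It uses textbook RSA over fixed, constructed primes with no padding, so it shows the message flow only and is not secure; all function names, the certificate layout, and the subject `server.example` are assumptions made for illustration.

```python
# Added illustration: textbook RSA with fixed constructed primes, stdlib only.
# It shows the message flow only; it has no padding and is NOT secure.
import hashlib
import secrets

E = 65537  # public exponent shared by both toy key pairs

def keypair(p, q):
    """Return (public, private) = ((n, e), (n, d)) for primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def digest(data, n):
    """Hash the bytes and reduce into the modulus range (toy encoding)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, private):
    n, d = private
    return pow(digest(data, n), d, n)

def verify(data, signature, public):
    n, e = public
    return pow(signature, e, n) == digest(data, n)

def cert_body(subject, public):
    """Bytes the CA signs: the identity bound to the public key."""
    return f"{subject}|{public[0]}|{public[1]}".encode()

def handshake(ca_pub, cert, hello, hello_sig):
    """Client side: validate the server, then return (session_key, encrypted_key)."""
    server_pub = cert["public"]
    if not verify(cert_body(cert["subject"], server_pub), cert["ca_sig"], ca_pub):
        raise ValueError("certificate not signed by the trusted CA")
    if not verify(hello, hello_sig, server_pub):
        raise ValueError("server does not hold the certified private key")
    session_key = secrets.randbits(128)         # random session key
    n, e = server_pub
    return session_key, pow(session_key, e, n)  # encrypted under server's public key

# Constructed key material: Mersenne primes, chosen only for brevity.
CA_PUB, CA_PRIV = keypair(2**107 - 1, 2**127 - 1)
SRV_PUB, SRV_PRIV = keypair(2**61 - 1, 2**89 - 1)
CERT = {"subject": "server.example", "public": SRV_PUB,
        "ca_sig": sign(cert_body("server.example", SRV_PUB), CA_PRIV)}

def run_exchange():
    """Run both sides and report whether they end up with the same session key."""
    hello = b"server-hello: negotiated cipher"  # constructed signed message
    client_key, wire = handshake(CA_PUB, CERT, hello, sign(hello, SRV_PRIV))
    server_key = pow(wire, SRV_PRIV[1], SRV_PRIV[0])  # server decrypts with private key
    return client_key == server_key
```

The two checks in `handshake` correspond to the two roles of the certificate in the text: the CA signature binds the identity to the public key, and the server's signed message shows possession of the matching private key.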
This and other similar approaches can be used to validate the identity of communicating parties, based on the encryption of messages or information, and subsequent message communication or information exchange together with the certificate. In some implementations, this overall process may be modified by not exchanging the digital certificate with every message/information exchange, instead relying on the receiving party having a copy of the certificate, or having the ability to retrieve the certificate.