tags:

views:

45

answers:

1
+1  Q: 

Certificate Authority vs Stored public key

Hello,

I'm developing a J2ME app which securely connects to a server to login. I'm having a lot of difficulty in setting up the SSL between the two so I thought of a simpler solution and I'm hoping you can give your views on it.

The J2ME Midlet is shipped WITH the server's public key, on connect a message (username, password hash and random) is encrypted using that public key and sent to the server. The server then decrypts it and uses it to authenticate the client.

The main idea of the certificate authority is to say who is who, if the two parties know that already and agree that it won't change (unless through an already authenticated connection), then don't I bypass the need for one?

Thanks, Vladimir

A: 

if the two parties know that already and agree that it won't change ... then don't I bypass the need for one?

Yes, but I think you are missing the point. The program is shipped with the key, but there is no way of the user knowing that the program they're downloading actually came from you, and not some malicious hacker intercepting/rewriting the communication; all the user sees is bits coming in from a wire on the wall.

Typically what you'll do then is sign the jar with your key, and ship the key with your program. Now we have a chicken-and-egg problem: how do they know that the key came from you?

This is where the certificate authority comes in; the CA's key is already on their computer, so they leave it up to the CA to verify who you are and sign your public key. Then when the user gets the public key, verifies that it was signed by the CA, and verifies that the jar was signed by the key, they know the key is yours and thus the jar must have come from you, since you are the only one who could have signed it with the private key.

Now, if your key were on their computer ahead of time (for instance, inside of a company where the keys are physically placed on the computers when they're being set up), they yes, you absolutely don't need to have the key signed.

BlueRaja - Danny Pflughoeft  2010-01-27 18:25:05

related questions

Why is access denied when installing SSL cert on IIS 5?
What does a PHP developer need to know about https / secure socket layer connections?
Am I turning away customers by disabling SSL 2.0 and PCT 1.0 in IIS5?
Coding Dojo with IE and SSL
Enforce SSL in code in an ashx handler
How to connect to PostgreSQL from .NET using TLS with both client and server authentication?
HELP SSL GURUs!!! ... Problems with SSL Connection
What's a clean/simple way to ensure the security of a page?
How to specify accepted certificates for Client Authentication in .NET SslStream
SharePoint stream file for preview
Problem with Oracle Application Server SSL Certificates
Is there a limit with the number of SSL connections?
Testing HTTPS files with MAMP
Cheapest SSL certificates
Limiting traffic to SSL version of page only
How do I support SSL Client Certificate authentication?
Why can't I connect to my CAS server with Perl's AuthCAS?
Is there a way to make Firefox ignore invalid ssl-certificates?
How do I create a self signed SSL certificate to use while testing a web app.
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
HTTPS in IIS 5.1
How do you redirect HTTPS to HTTP?
Debugging: IE6 + SSL + AJAX + post form = 404 error
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
Options for Google Maps over SSL