

Public Key Security
Public key security provides two capabilities that make endtoend digital signing and data encryption possible:
In addition, messagebased encryption protects the confidentiality of messages by ensuring that only designated recipients can decrypt and read them.
PKCS7 Compliant
Informal but recognized industry standards for public key software have been issued by a group of leading communications companies, led by RSA Laboratories. These standards are called "PublicKey Cryptography Standards," or PKCS. BEA Tuxedo public key software complies with the PKCS7 standard.
PKCS7 is a hybrid cryptosystem architecture. A symmetric key algorithm with a random session key is used to encrypt a message, and a public key algorithm is used to encrypt the random session key. A random number generator creates a new session key for each communication, which makes it difficult for a wouldbe attacker to reuse previous communications.
Supported Algorithms for Public Key Security
All the algorithms on which public key security is based are well known and commercially available. To select the algorithms that will best serve your application, consider the following factors: speed, degree of security, and licensing restrictions (for example, the United States government restricts the algorithms that it allows to be exported to other countries).
Public Key Algorithms
BEA Tuxedo public key security supports any public key algorithms supported by the underlying plugins, including RSA, ElGamal, and Rabin. (RSA stands for Rivest, Shamir, and Adelman, the inventors of the RSA algorithm.) All these algorithms can be used for digital signatures and encryption.
Public key (or asymmetric key) algorithms such as RSA are implemented through a pair of different but mathematically related keys:
BEA Tuxedo public key security supports any digital signature algorithms supported by the underlying plugins, including RSA, ElGamal, Rabin, and Digital Signature Algorithm (DSA). With the exception of DSA, all these algorithms can be used for digital signatures and encryption. DSA can be used for digital signatures but not for encryption.
Digital signature algorithms are simply public key algorithms used to provide digital signatures. DSA is also a public key algorithm (implemented through publicprivate key pairs), but it can only be used to provide digital signatures, not encryption.
Symmetric Key Algorithms
Public key security supports the following three symmetric key algorithms:
DESCBC is a 64bit block cipher run in Cipher Block Chaining (CBC) mode. It provides 56bit keys (8 parity bits are stripped from the full 64bit key) and is exportable outside the United States.
Twokey tripleDES is a 128bit block cipher run in EncryptDecryptEncrypt (EDE) mode. Twokey tripleDES provides two 56bit keys (in effect, a 112bit key) and is not exportable outside the United States.
For some time it has been common practice to protect and transport a key for DES encryption with tripleDES, which means that the input data (in this case the singleDES key) is encrypted, decrypted, and then encrypted again (an encryptdecryptencrypt process). The same key is used for the two encryption operations.
RC2 is a variable keysize block cipher with a key size range of 40 to 128 bits. It is faster than DES and is exportable with a key size of 40 bits. A 56bit key size is allowed for foreign subsidiaries and overseas offices of United States companies. In the United States, RC2 can be used with keys of virtually unlimited length, although BEA Tuxedo public key security restricts the key length to 128 bits.
BEA Tuxedo customers cannot expand or modify this list of algorithms.
In symmetric key algorithms, the same key is used to encrypt and decrypt a message. The public key encryption system uses symmetric key encryption to encrypt a message sent between two communicating entities. Symmetric key encryption operates at least 1000 times faster than public key cryptography.
A block cipher is a type of symmetric key algorithm that transforms a fixedlength block of plaintext (unencrypted text) data into a block of ciphertext (encrypted text) data of the same length. This transformation takes place in accordance with the value of a randomly generated session key. The fixed length is called the block size.
Message Digest Algorithms
Public key security supports any message digest algorithms supported by the underlying plugins, including MD5, SHA1 (Secure Hash Algorithm 1), and many others. Both MD5 and SHA1 are well known, oneway hash algorithms. A oneway hash algorithm takes a message and converts it into a fixed string of digits, which is referred to as a message digest or hash value.
MD5 is a highspeed, 128bit hash; it is intended for use with 32bit machines. SHA1 offers more security by using a 160bit hash, but is slower than MD5.
Public Key Installation and Licensing
As part of the BEA Tuxedo system, the software for messagebased digital signature and messagebased encryption is delivered on the BEA Tuxedo CDROM, but cannot be used without a separate license. All BEA Tuxedo licenses are in the $TUXDIR/udataobj/lic.txt file on a UNIX host machine, or in the %TUXDIR%\udataobj\lic.txt file on a Windows NT host machine.
The following listing is an excerpt from a sample license file for messagebased digital signature and messagebased encryption.
[BEA Tuxedo]
VERSION=7.1
LICENSEE=ACME CORPORATION
SERIAL=155566678
ORDERID=
USERS=1000
EXPIRATION=20000131
SIGNATURE=TXmtx+AhQdJgr3sjjznBqRB7SP9Jgr3UzAKctjz+e6RmsFSAhUAhStj
znBQdL9n=
.
.
.
[PK ENCRYPTION]
VERSION=7.1
LICENSEE=ACME CORPORATION
SERIAL=155566678
ORDERID=
USERS=1000
STRENGTH=128
EXPIRATION=20000131
SIGNATURE=TX0CFHkaBpKpAlXGEtQqi+/jJvMo1VB9AhUAUAkizwsgYefRwQJDNTF
0205b1ik=
[PK SIGNATURE]
VERSION=7.1
LICENSEE=ACME CORPORATION
SERIAL=155566678
ORDERID=
USERS=1000
STRENGTH=128
EXPIRATION=20000131
SIGNATURE=TX0CiqA5FCAXJFXUEGvAki+gL+i09eRep9hYdshS/8a70MIJQChUAk9
zIAhUIH4=
See Also

Copyright © 2000 BEA Systems, Inc. All rights reserved.
