Private Keys, the KeyStore and Encryption
In my last post I covered the topic of digital signatures. And I wrote a servlet that used the certificate form the trust store to verify them. In this post I will cover encryption. And the private keys stored in the key store used to decrypt data.
If you recall, Jane was sending Deepti signed messages. But Jane is busy. So she signs her messages, and asks Jay they intern to send them. The signatures ensure that Jay will not be able to change the message. And prove to Deepti that it originated with Jane. But Jay is nosy and he likes to read those messages. How do you ensure privacy? A problem that dates back to ancient Egypt.
The concept is simple. You scramble the message such that it becomes gibberish. Except to the person who knows how to unscramble it. That is the person "with the key". It could be a simple cipher like ROT-13. Or a symmetric key algorithm where both parties share the same key. Or in the case I will be talking about, asymmetric cryptography with private & public key pairs.
When signing messages, Jane generates a hash of the file. And then encrypts the hash. On the receiving end, Deepti decrypts the signature using Jane's public key. And then verifies the hash.
Encryption is the opposite of that signature process. Jane is still sending the message. But the contents of the message are now encrypted with Deepti's public key.
Deepti needs to generate a private/public key pair.
Deepti will distribute the key via an x509 certificate.
Jane will verify the validity of the certificate.
Jane encrypts messages with it.
Only Deepti will have the private key to decrypt them.
We will build upon the servlet that verifies signatures to decrypt data. In the same way the SAML handler would decrypt SAML responses.
Create a Public & Private Key Pair
First, Deepti needs to create a public/private key pair. It would be nice if she could create a CSR and get that signed by a CA. But like Jane she is on a budget. Self-signed certificates it is!
Deepti gets prompted for a password to protect the private key. And then she will send the certificate deepti_certificate.pem to Jane.
Encrypt Messages With The Public Key
Once Jane has created and signed the message, she will now encrypt the message before sending it.
Like before, Jane will send the signature. Instead of the clear-text message, she will send the encrypted one. Or ask Jay to send it for her. Jay will never have access to the clear-text message.
Add Private Key to Key Store
Deepti needs to upload her private key to a secure place where her code can get at it. Her code will need it to decrypt messages encrypted with the public key.
In AEM, this would be in a key store. And key stores belong to users. In the case of the SAML handler, the key store belongs to the authentication-service user.
Up until now the private key has been password protected. Now Deepti needs to export the private key and certificate into a PKCS#12 file.
You will get prompted for the password that is protecting the authentication-service key. And a new password to protect the PKCS#12 export. Use the same password. Now you can safely transport the key and certificate as needed.
Navigate to Tools -> Security -> Users. Locate the authentication-service account. Click on the Keystore tab and generate a keystore if you have not done so already.
Use the second option ADD PRIVATE KEY FROM KEYSTORE FILE. Upload the PKCS#12 file containing the private key and certificate. Here you will be able to create a new alias i.e. message.receiver. AEM will take the private key and certificate from the uploaded PKCS#12. Then add them to the user's own keystore.
Receive, Decrypt & Verify
Like before, Deepti's endpoint will receive the message and verify the signature. Now she needs to update the servlet to decrypt the message before verification.
I am using Groovy here because its more fun 😊. If it piques your interest, check out my post on how to set it up in your AEM project.
The decrypt method is new here. The verification process relied on the Trust Store. The decryption relies on the Key Store, and the private key Deepti had stored in it. To get it, you will need its alias and password.
Signatures and encryption go hand-in-hand. They make up the basic building blocks of SAML 2.0 and OAuth 2.0, HTTPS. Understanding signatures and encryption will help you understand these protocols. And how they help authenticate and authorize users on the web.