Continuing our interview question and answer series, today's questions are based on network security.
Q1 What is "private key"/"symmetric"/"secret key" cryptography?
A1. A private key cryptography algorithm uses the same key for encryption and decryption. Since the key is the only data required to decrypt the ciphertext, it must be kept private/secret.
Encryption: creating ciphertext from plaintext with a specific encryption algorithm and an encryption key.
Decryption: recovering plaintext from ciphertext using a specific encryption algorithm and a decryption key.
Q2 What is "public key"/"asymmetric" cryptography?
A2. A public key cryptography algorithm uses two different (but mathematically related) keys for encryption and decryption. The key used for decryption is kept secret (the private key), whereas the encryption key can be distributed openly (the public key). Thus anyone in possession of the public encryption key may encrypt and send a message to the holder of the private decryption key, but only the holder of the private decryption key can decipher it. The two keys are generated together and used in conjunction, and are referred to as a key pair.
Q3 What is hybrid cryptography?
A3. A combination of public and private key cryptography, in which the exchange of an encrypted session key is done using public key cryptography and the rest of the encrypted session is then carried out with private/symmetric key cryptography using that session key. The main reason for this split is that private key cryptography is generally much faster than public key cryptography.
Q4 What is a Message Digest?
A4. A Message Digest is a fixed-size hash (fingerprint) computed from a plaintext block. Every bit of the message contributes to the Message Digest, but the message cannot be recovered from the hash. For this reason, the algorithms that produce Message Digests are also known as one-way hash functions.
The size of a Message Digest is always the same, regardless of the size or content of the message it was computed from. Generally a Message Digest is fairly short (under 1024 bits). An ideal Message Digest algorithm would alter, on average, 50% of the bits in the resulting hash if a single bit of the plaintext message were changed.
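The three properties just described (fixed output size, one-wayness in the sense that only the digest is kept, and the 50% "avalanche" behaviour) can be checked directly with SHA-256 from the Python standard library. This is an added example, not code from the original post; the sample messages are constructed here, and the 80-176 range used for the avalanche check is simply a wide band around the expected 128 of 256 bits.

```python
"""Message Digest properties demonstrated with SHA-256 (added example)."""
import hashlib

DIGEST_BYTES = 32   # SHA-256 always yields 256 bits = 32 bytes


def message_digest(message: bytes) -> bytes:
    """Fixed-size fingerprint of an arbitrary-length message."""
    return hashlib.sha256(message).digest()


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with exactly one bit inverted."""
    mutable = bytearray(data)
    mutable[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(mutable)


def differing_bits(a: bytes, b: bytes) -> int:
    """Hamming distance between two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("digests must be the same length")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche(message: bytes, bit_index: int = 0) -> int:
    """How many of the 256 digest bits change when one plaintext bit changes.

    For a good hash this hovers around 128, i.e. about 50% of the digest.
    """
    return differing_bits(message_digest(message),
                          message_digest(flip_bit(message, bit_index)))


if __name__ == "__main__":
    # Constructed sample inputs of very different sizes
    short = b"pay 100"
    long_ = b"pay 100 " * 1000
    # Both digests are DIGEST_BYTES long regardless of input length
    print(len(message_digest(short)), len(message_digest(long_)))
    # Flipping one input bit changes roughly half of the digest bits
    print(avalanche(short), avalanche(long_))
```

Note that `differing_bits` is the same comparison a verifier would make between a stored digest and a freshly computed one: a single differing bit in the input shows up as a wholesale change in the fingerprint, which is why a digest can detect tampering but not tell you where the change was made.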
Q5 What is a Digital Signature?
A5. Digital Signatures are used to verify the identity of a sender. In conjunction with Message Digests, Digital Signatures prevent someone from altering a message and falsely claiming you wrote the altered message. Digital Signatures are a byproduct of public key cryptography, as demonstrated below. (Believe me, it is simpler to describe the concept of a Digital Signature by taking an example.)
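The following is an added example, not the author's demonstration, that ties A2, A3 and A5 together in one runnable script: a public/private key pair, a hybrid exchange in which the public key protects only a session key and a symmetric cipher protects the message, and a digital signature produced by applying the private key to a Message Digest. Everything in it is a deliberate toy: the RSA key pair uses the textbook primes 61 and 53 (a 12-bit modulus), the "symmetric cipher" is a SHA-256 keystream XORed over the data, and there is no padding. These are assumptions made so the arithmetic is visible; the structure, not the parameters, is the point.

```python
"""Public-key, hybrid and digital-signature concepts on toy parameters (added example)."""
import hashlib
import secrets

# --- Public-key ("asymmetric") part: textbook RSA on constructed tiny primes ---
# Real keys use moduli of 2048 bits or more; 61 and 53 are chosen only for visibility.
P, Q = 61, 53
N = P * Q                              # modulus, part of both keys
E = 17                                 # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent: E^-1 mod phi(N)
PUBLIC_KEY = (E, N)
PRIVATE_KEY = (D, N)


def rsa_apply(value: int, key: tuple) -> int:
    """Raise value to the key's exponent mod N; the same operation serves both keys."""
    exponent, modulus = key
    if not 0 <= value < modulus:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exponent, modulus)


# --- Symmetric ("private key") part: toy keystream derived from a session key ---
def symmetric_crypt(key: bytes, data: bytes) -> bytes:
    """XOR data with SHA-256(key || block offset) blocks.

    Encryption and decryption are the same call because XOR is its own inverse.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        chunk = data[offset:offset + 32]
        out.extend(b ^ k for b, k in zip(chunk, keystream))
    return bytes(out)


# --- Hybrid: public key wraps the session key, symmetric key carries the message ---
def hybrid_encrypt(public_key: tuple, plaintext: bytes) -> tuple:
    """Sender side: pick a fresh session key and wrap it with the recipient's public key."""
    _, modulus = public_key
    session_key_int = secrets.randbelow(modulus - 2) + 1   # 1 .. N-2, so it fits under N
    session_key = session_key_int.to_bytes(2, "big")      # N < 65536, so two bytes suffice
    wrapped_key = rsa_apply(session_key_int, public_key)
    return wrapped_key, symmetric_crypt(session_key, plaintext)


def hybrid_decrypt(private_key: tuple, wrapped_key: int, ciphertext: bytes) -> bytes:
    """Recipient side: unwrap the session key with the private key, then decrypt the body."""
    session_key_int = rsa_apply(wrapped_key, private_key)
    session_key = session_key_int.to_bytes(2, "big")
    return symmetric_crypt(session_key, ciphertext)


# --- Digital signature: private key over the Message Digest, public key to verify ---
def message_digest_int(message: bytes, modulus: int) -> int:
    """SHA-256 fingerprint reduced below the toy modulus so RSA can operate on it.

    A real scheme pads the whole digest rather than reducing it like this.
    """
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % modulus


def sign(private_key: tuple, message: bytes) -> int:
    """Only the private-key holder can produce this value for the message."""
    return rsa_apply(message_digest_int(message, private_key[1]), private_key)


def verify(public_key: tuple, message: bytes, signature: int) -> bool:
    """Anyone holding the public key can check that the signature matches the digest."""
    return rsa_apply(signature, public_key) == message_digest_int(message, public_key[1])


if __name__ == "__main__":
    msg = b"Meet at noon"                     # constructed sample message
    wrapped, body = hybrid_encrypt(PUBLIC_KEY, msg)
    print(hybrid_decrypt(PRIVATE_KEY, wrapped, body))
    sig = sign(PRIVATE_KEY, msg)
    print(verify(PUBLIC_KEY, msg, sig), verify(PUBLIC_KEY, b"Meet at one", sig))
```

The shape to take away is that the private key is used exactly twice, once to unwrap the session key and once to sign the digest, while every other step uses either the public key or the short-lived symmetric key. That is what makes the hybrid scheme fast (the slow public-key operation touches only a few bytes) and what makes the signature binding (no one without the private key can produce a value that the public key maps back onto the message's digest).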
Q6 What is SSL?
A6. SSL stands for Secure Sockets Layer. It is a protocol developed by Netscape for encrypting information sent between processes over TCP/IP sockets; it sits between the application software and the TCP/IP sockets. You'll find it most often between web browsers and web servers, signalled by the https URL prefix, providing encryption, integrity, authentication, and non-repudiation.
Q7. How can I support HTTPS (SSL) in a servlet?
A7. Servlet technology by design already supports HTTPS (SSL). However, this is handled not by the servlet technology itself but by the web server, which controls whether a request is served securely (https) or non-securely (http).
One way to force servlets down the https path is to configure your web server to allow only secure connections when accessing servlets. In IIS this can be accomplished through the definition of ISAPI filters. The ISAPI filter can instruct the web server to route all requests that end with a predefined extension to the servlet engine. The trick is then to define files with that predefined extension in the web server's directory. For example, if the servlet's name is MyServlet, a file named MyServlet.xxx would be placed on the web server. All calls to this file would be routed to the servlet engine, and IIS would be used to force all calls to the MyServlet.xxx file to go through https. The JRun servlet engine has examples of how to do this documented on their web page.
2 Responses to Basic Network Computer Security Interview Questions
That servlet question shocked me. You should also ask about layers of .. I bet many things have layers; it might look like useless information, and it is, but you should ask about it, because it's very important.
Hi Vishal,
Thanks for your visit and comment on my blog..
Your blog is a bit high level for me, but I found it informative...
Just one question to ask, as you answer some of the things related to technology.
Is there a way I can protect my data or posts on blogs?
Basically, one of my acquaintances wants to write some of his findings in a blog and he wants to know how he can protect that from being tampered with.
If you know anything, please do let me know.
Thanks
Mona