User Guide
Public Key Infrastructure in an Oracle Environment
Configuring Secure Sockets Layer Authentication 7-5
Public Key Infrastructure in an Oracle Environment
A public key infrastructure (PKI) is a substrate of network components that provide
a security underpinning, based on trust assertions, for an entire organization. A PKI
exists so that disparate network entities can access its security services, which use
public-key cryptography, on an as-needed basis. Oracle provides a complete PKI
that is based on RSA Security, Inc., Public-Key Cryptography Standards, and which
interoperates with Oracle servers and clients.
About Public Key Cryptography
Traditional private-key or symmetric-key cryptography requires a single, secret key
that is shared by two or more parties to a secure communication. This key is used to
both encrypt and decrypt secure messages sent between the parties, requiring prior,
secure distribution of the key to each party. The problem with this method is that it
is difficult to securely transmit and store the key.
Public-key cryptography provides a solution to this problem, by employing public
and private key pairs and a secure method for key distribution. The freely available
public key is used to encrypt messages that can only be decrypted by the holder of
the associated private key. The private key is securely stored, together with other
security credentials, in an encrypted container called a wallet.
Public-key algorithms can guarantee the secrecy of a message, but they don't
necessarily guarantee secure communications because they don't verify the
identities of the communicating parties. In order to establish secure
communications, it is important to verify that the public key used to encrypt a
message does in fact belong to the target recipient. Otherwise, a third party can
potentially eavesdrop on the communication and intercept public key requests,
substituting its own public key for a legitimate key (the man-in-the-middle attack).
In order to avoid such an attack, it is necessary to verify the owner of the public key,
a process called authentication. Authentication can be accomplished through a
certificate authority (CA), which is a third party that is trusted by both of the
communicating parties.
The CA issues public key certificates that contain an entity's name, public key, and
certain other security credentials. Such credentials typically include the CA name,
the CA signature, and the certificate effective dates (From Date, To Date).
The CA uses its private key to encrypt a message, while the public key is used to
decrypt it, thus verifying that the message was encrypted by the CA. The CA public
key is well known, and does not have to be authenticated each time it is accessed.
Such CA public keys are stored in wallets.










