ColdFusion MX Professional Projects

MIDlets are undeniably cool-Java code that runs on a small device, and HTTP network connectivity, as well. But once you start thinking about the possibilities, you realize that a lot of applications just aren't possible without some form of data security. What if you were going to buy something? You shouldn't send credit card numbers over the Internet without some kind of protection. You shouldn't be sending sensitive corporate information over the Internet to small devices. Many applications, then, need something else-something that keeps sensitive data from being stolen. The answer in the MIDP world is no different than the answer anywhere else: cryptography.

Cryptography Review

Cryptography is a branch of mathematics. It's based on the idea that certain kinds of mathematical problems are hard to solve. Using cryptography is a bit speculative; as research in mathematics continues, it's very possible that someone will discover a way to solve (or "break") most of the modern cryptographic algorithms. Nevertheless, for today at least, cryptography provides protection for sensitive data, and there aren't many acceptable alternatives in the everything-connects-to-everything modern world.

The Internet Is a Big Room

There are many aspects to the security of a system. We'll focus on the data your MIDlet sends and receives over the network. This data travels over some infrastructure we know nothing about (provided by your mobile carrier) and probably over the Internet, as well. The Internet is not a secure network, for sure, and your carrier's mobile infrastructure probably isn't either. If you're passing sensitive data around, it's very possible that eavesdroppers at various points in the network can listen in on the data. They may even be able to change parts of it. If your MIDP application involves passing around credit card numbers or sensitive corporate data, you should be concerned.

Think of the Internet as a big room. You can talk to anyone else in the room, but everyone else can listen in on the conversation. Furthermore, you may be talking to someone on the other side of the room through intermediaries, like the children's game of "telephone." Any one of the intermediaries might be changing the conversation, and they can all hear what you're saying.

Data Security Needs and Cryptographic Solutions

Your applications will have some or all of the following data security needs:

• Integrity. At the simplest level, you'd like to be sure that the data you're sending is not getting changed or corrupted in any way. This is data integrity.

• Authentication. It's often important to verify the identity of the machine or person on the other end of your network connection. Authentication is the process of proving identity.

• Confidentiality. If you're sending sensitive data over the network, other people shouldn't be able to see that information. This is confidentiality.

Cryptography provides solutions for each of these needs:

• Message digests. A message digest smushes a large piece of data into a small piece of data. You might, for example, run an entire file through a message digest to end up with a 160-bit digest value. If you change even 1 bit of the file and run it through the message digest again, you'll get an entirely different digest value. A message digest value is sometimes called a digital fingerprint.

• Digital signatures. A digital signature is like a message digest except it is produced by a particular person, the signer. The signer must have a private key that is used to create the signature. A corresponding public key can be used by anyone to verify that the signature came from the signer. The private key and public key together are called a key pair. Keys are really just data-think of an array of bytes. Certificates are really just an extension of digital signatures. A certificate is a document, signed by some authority like the U.S. Postal Service, that proves your identity. It's like a driver's license, except it's based on digital signatures.

• Ciphers. Ciphers can either encrypt data or decrypt it. An encrypting cipher accepts your data, called plaintext, and produces an unreadable mess, called ciphertext. A decrypting cipher takes ciphertext and converts it back to plaintext. Ciphers use keys; if you encrypt the same plaintext with two different keys, you'll get two different sets of ciphertext. A symmetric cipher uses the same key for encryption and decryption. An asymmetric cipher operates with a key pair-one key is used for encrypting, while the matching key is used for decrypting.

  Ciphers operate in different modes that determine how plaintext is encrypted into ciphertext. This, in turn, affects the use and security of the cipher.