
COMP201 Java Programming Part III: Advanced Features



  1. COMP201 Java Programming Part III: Advanced Features Topic 17: Security Volume II, Chapter 9 http://www.securingjava.com/chapter-three/chapter-three-7.html

  2. Objective and Outline • Objective: • Introduction to java security mechanisms (in relation to applets) • How to use and how do they work • Outline • Using java security mechanisms • Security policy files • Code signing • How do java security mechanisms work • Security enforcement • SecureClassLoader and SecurityManager • Supporting technologies • Message digest, digital signatures, authentication

  3. Using java security mechanisms • Applets are restricted to the sandbox by default: • Can only phone home (connect back to the server they were loaded from) and create pop-up windows that carry a warning banner • Cannot read/write/delete local files, run another program, connect to a server other than their home server, … • More permissions can be granted with • Security policy file • Code signing • Try examples from Topic 11 and Topic 17

  4. Security Policy Files • Consist of a sequence of grant entries. • Each gives some specific permissions to code from a specific location and/or signed by a specific signer (named by its keystore alias) • A grant entry has the following general form:
      grant signedBy "name", codeBase "file source" {
          permission1;
          permission2;
          …
      };
  • The signedBy part is omitted if no signature is required for this entry. • The codeBase part is omitted if the entry applies to code from all sources. • Code receives a permission only if some grant entry whose signedBy and codeBase conditions it satisfies lists that permission.

  5. Security Policy Files • codeBase examples:
      grant codeBase "http://www.cs.ust.hk/~liao/comp201/" { };
      // permission entry for all class files directly under the directory
      // (a trailing "/*" also matches JAR files there; a trailing "/-" matches
      //  everything below the directory, recursively)
      grant codeBase "http://www.cs.ust.hk/~liao/comp201/tmp.jar" { };
      // permission entry for tmp.jar only
      grant codeBase "file:C:/dir/tmp" { };
      grant codeBase "file:/C:/dir/tmp" { };
      grant codeBase "file://C:/dir/tmp" { };
      /* permission entry for tmp on the local machine */
  Note: forward slashes, even on Windows. Code signing will be discussed later.

  6. Security Policy Files • General form for permissions:
      permission className "targetName", "actionList";
  className must be fully qualified. • Examples:
      permission java.io.FilePermission "D:\\-", "read,write";
      // permission to read and write all files on the D: drive
      permission java.awt.AWTPermission "showWindowWithoutWarningBanner";
      // permission to create a pop-up window without the warning banner
      permission java.net.SocketPermission "*:8000-8999", "connect";
      // permission to connect to any host on ports 8000 - 8999

  7. Security Policy Files • Permission classes: java.io.FilePermission java.awt.AWTPermission java.net.SocketPermission java.net.NetPermission java.util.PropertyPermission java.lang.RuntimePermission java.security.AllPermission …. • See page 712 for details

  8. Security Policy Files • java.io.FilePermission • Targets:
      file             a single file
      directory        a directory
      directory/*      all files in the directory
      *                all files in the current directory
      directory/-      all files in the directory and all its subdirectories
      -                all files in the current directory and all its subdirectories
      <<ALL FILES>>    all files in the file system
  In Windows, use \\ as the file separator inside the quoted target. • Actions: read, write, delete, execute

  9. Security Policy Files • java.net.SocketPermission • Targets: hostRange:portRange
      hostname or IP address    a single host
      localhost or empty        the local host
      *.domainSuffix            all hosts whose domain names end with the suffix, e.g. *.com
      *                         all hosts
      :n                        a single port
      :n1-n2                    all ports in the range
  • Actions: accept, connect, listen, resolve

  10. Security Policy Files An example policy file:
      grant codeBase "http://www.cs.ust.hk/~liao/comp201/codes/secu/awt/" {
          permission java.awt.AWTPermission "showWindowWithoutWarningBanner";
      };
      grant codeBase "http://www.cs.ust.hk/~liao/comp201/codes/secu/file/" {
          permission java.awt.AWTPermission "showWindowWithoutWarningBanner";
          permission java.io.FilePermission "<<ALL FILES>>", "read, write";
      };
      grant codeBase "http://www.cs.ust.hk/~liao/comp201/codes/secu/socket/" {
          permission java.net.SocketPermission "*", "connect";
      };
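As an added illustration, not from the original slides or the course code, the program below expresses the grant entry for .../secu/file/ above, and a narrower alternative to it, as java.security.Permissions collections (the class the JDK builds from a policy file) and asks each whether it covers particular requests. It shows what <<ALL FILES>> with only read,write actually allows, the difference between the "/*" and "/-" targets, and how the port range of a SocketPermission is matched. The directory, file and host names in the queries are made up for the demonstration and need not exist.

```java
import java.awt.AWTPermission;
import java.io.FilePermission;
import java.net.SocketPermission;
import java.security.Permission;
import java.security.Permissions;

public class GrantCheck {

    // The grant entry for .../secu/file/ from the policy file above, as the
    // Permissions collection the JDK would build from it.
    static Permissions fileAppletGrant() {
        Permissions p = new Permissions();
        p.add(new AWTPermission("showWindowWithoutWarningBanner"));
        p.add(new FilePermission("<<ALL FILES>>", "read,write"));
        return p;
    }

    // A narrower alternative: read/write only below one directory (recursively)
    // plus outbound connections to ports 8000-8999 on any host.
    // The directory name is invented for this example.
    static Permissions narrowGrant() {
        Permissions p = new Permissions();
        p.add(new FilePermission("/home/liao/applet-data/-", "read,write"));
        p.add(new SocketPermission("*:8000-8999", "connect"));
        return p;
    }

    // The same question the SecurityManager asks at run time:
    // does this grant cover the requested operation?
    static boolean allows(Permissions grant, Permission requested) {
        return grant.implies(requested);
    }

    static void report(String what, boolean allowed) {
        System.out.println((allowed ? "ALLOW  " : "DENY   ") + what);
    }

    public static void main(String[] args) {
        Permissions wide = fileAppletGrant();
        Permissions narrow = narrowGrant();

        // <<ALL FILES>> matches any path, but only the granted actions.
        report("wide: read /etc/passwd",
               allows(wide, new FilePermission("/etc/passwd", "read")));      // ALLOW
        report("wide: delete /etc/passwd",
               allows(wide, new FilePermission("/etc/passwd", "delete")));    // DENY

        // "directory/-" is recursive; a file outside the directory is not covered.
        report("narrow: write /home/liao/applet-data/2024/notes.txt",
               allows(narrow, new FilePermission("/home/liao/applet-data/2024/notes.txt", "write"))); // ALLOW
        report("narrow: read /home/liao/other.txt",
               allows(narrow, new FilePermission("/home/liao/other.txt", "read")));                  // DENY

        // "directory/*" covers only the directory's immediate files, not subdirectories.
        Permission oneLevel = new FilePermission("/home/liao/applet-data/*", "read");
        report("one level: read /home/liao/applet-data/notes.txt",
               oneLevel.implies(new FilePermission("/home/liao/applet-data/notes.txt", "read")));      // ALLOW
        report("one level: read /home/liao/applet-data/2024/notes.txt",
               oneLevel.implies(new FilePermission("/home/liao/applet-data/2024/notes.txt", "read"))); // DENY

        // Port range: 8080 lies inside 8000-8999, 80 does not; accept is not a granted action.
        report("narrow: connect www.cs.ust.hk:8080",
               allows(narrow, new SocketPermission("www.cs.ust.hk:8080", "connect"))); // ALLOW
        report("narrow: connect www.cs.ust.hk:80",
               allows(narrow, new SocketPermission("www.cs.ust.hk:80", "connect")));   // DENY
        report("narrow: accept on localhost:8080",
               allows(narrow, new SocketPermission("localhost:8080", "accept")));      // DENY
    }
}
```

Running Permission.implies against the requests a piece of code will actually make is a cheap way to review a policy file before deploying it: the <<ALL FILES>> entry above, for example, is far wider than a file-saving applet needs.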

  11. Security Policy Files • policytool: a graphical utility for creating and editing policy files (shipped with the JDK up to Java 10; removed in Java 11, after which policy files are edited by hand)

  12. Security Policy Files Location of the policy file on the client machine: • Method 1: the default locations, read when the VM starts: ${user.home}/.java.policy (on XP: C:\Documents and Settings\liao\.java.policy) and ${java.home}/lib/security/java.policy (on my machine: C:\Program Files\j2sdk1.4.0\jre\lib\security) • Method 2: place a policy file on the internet or on the local machine and add a link to it to the master security properties file ${java.home}/jre/lib/security/java.security, e.g.: policy.url.3=http://www.cs.ust.hk/~liao/comp201/codes/secu/applet.policy This lets the policy be managed at a single location. Good for an intranet.

  13. Permission Granting Examples • AWT Permission example: (check code page) • Normally, pop-up windows created by applets come with warning banners. • However, the pop-up window created by the applet from http://www.cs.ust.hk/~liao/comp201/codes/secu/awt/ has no warning banner if one includes the following entry in the policy file:
      grant codeBase "http://www.cs.ust.hk/~liao/comp201/codes/secu/awt/" {
          permission java.awt.AWTPermission "showWindowWithoutWarningBanner";
      };

  14. Permission Granting Examples • File Permission example: • Normally, applets cannot read and write local files. • However, FileIOApplet from http://www.cs.ust.hk/~liao/comp201/codes/secu/file/ can read and write local files if one includes the following grant entry in the policy file:
      grant codeBase "http://www.cs.ust.hk/~liao/comp201/codes/secu/file/" {
          permission java.io.FilePermission "<<ALL FILES>>", "read,write";
          permission java.awt.AWTPermission "showWindowWithoutWarningBanner";
      };

  15. Permission Granting Examples • Socket Permission example: • Normally, applets cannot connect to a server other than their home server. • However, SocketApplet from http://www.cs.ust.hk/~liao/comp201/codes/secu/socket/ can connect to other http servers if one includes the following grant entry in the policy file:
      grant codeBase "http://www.cs.ust.hk/~liao/comp201/codes/secu/socket/" {
          permission java.net.SocketPermission "*", "connect";
      };

  16. Outline • Using java security mechanisms • Security policy files • Code signing • How do java security mechanisms work • Security enforcement • SecureClassLoader and SecurityManager • Supporting technologies • Message digest, digital signatures, authentication

  17. Code Signing • Developer • Generates a key pair (a public key and a private key) together with a self-signed certificate that binds the public key to the developer's name. • Sends the certificate (which carries the public key) to its users. • Signs applets with the private key. • Client • Gets the certificate from the developer and checks its fingerprint against one obtained from the developer over a separate channel. • Adds it to his/her own keystore of trusted certificates. • Modifies his/her own security policy file to give more permissions to applets signed by THE developer.

  18. Code Signing/Developer • Java comes with the keytool program for managing a keystore: a password-protected database of keys and certificates. • To create a keystore liao.store and generate a key pair (with a self-signed certificate) under the alias liao, use the command:
      keytool -genkey -keystore liao.store -alias liao
  • A dialog follows and liao.store is created. • Keep liao.store in a safe location! It holds the private key; anyone who obtains the file and its password can sign code in your name.

  19. Code Signing/Developer
      Enter keystore password: 123456
      What is your first and last name?
        [Unknown]: Renlan Liao
      What is the name of your organizational unit?
        [Unknown]: Computer Science
      What is the name of your organization?
        [Unknown]: Hong Kong University of Science and Technology
      What is the name of your City or Locality?
        [Unknown]: Hong Kong
      What is the name of your State or Province?
        [Unknown]: Hong Kong
      What is the two-letter country code for this unit?
        [Unknown]: CN
      Is <CN=Renlan Liao, OU=Computer Science, O=Hong Kong University of Science and Technology, L=Hong Kong, ST=Hong Kong, C=CN> correct?
        [no]: yes
      Enter key password for <liao>
              (RETURN if same as keystore password):

  20. Code Signing/Developer • Export the certificate (which carries the public key) to a file and send it to the users:
      keytool -export -keystore liao.store -alias liao -file liao.cert
  • What is inside?
      D:\Users\public_html\COMP201\codes\secu>keytool -printcert -file liao.cert
      Owner: CN=Renlan Liao, OU=Computer Science, O=Hong Kong University of Science and Technology, L=Hong Kong, ST=Hong Kong, C=cn
      Issuer: CN=Renlan Liao, OU=Computer Science, O=Hong Kong University of Science and Technology, L=Hong Kong, ST=Hong Kong, C=cn
      Serial number: 40a08a25
      Valid from: Tue May 11 16:09:09 GMT+08:00 2004 until: Mon Aug 09 16:09:09 GMT+08:00 2004
      Certificate fingerprints:
           MD5:  A0:60:35:22:28:42:3B:18:77:12:EB:43:13:B1:D7:C6
           SHA1: 9:34:84:4C:F0:32:B5:B1:17:55:3B:0C:03:FC:87:FE:EC:69:A0:6F
  Owner and Issuer are identical because the certificate is self-signed. The default validity is 90 days (keytool -genkey -validity <days> changes it). A recipient should compare the fingerprint with one obtained from the developer over a separate channel before trusting the certificate.

  21. Code Signing/Developer • Sign applets • Create a jar file:
      jar cvf MyApplet.jar *.class
  • Run the jarsigner tool:
      jarsigner -keystore liao.store MyApplet.jar liao
  Here liao.store is the keystore containing the private key and liao is the alias of the private key.

  22. Code Signing/Client • Add the received certificate to his/her keystore of trusted certificates:
      keytool -import -keystore certs.store -alias liao -file liao.cert
  (keytool prints the certificate's fingerprints and asks whether to trust it; compare them with the developer's before answering yes.) • Include the location of the keystore in the policy file:
      keystore "keystoreURL", "keystoreType";
  Examples:
      keystore "file:C:/Windows/cert.store", "JKS";
      keystore "http://www.cs.ust.hk/~liao/comp201/codes/secu/certs.store", "JKS";
  JKS: the type of keystore generated by keytool (the default type up to Java 8; since Java 9 keytool creates PKCS12 keystores by default)

  23. Code Signing/User • Add signedBy "alias" to grant clauses in the policy file:
      grant signedBy "liao" {
          permission java.awt.AWTPermission "showWindowWithoutWarningBanner";
      };
  • Examples: see code page • What if the client's policy file does not grant permissions to signed applets? • The browser will ask for permissions when loading the applets • Example: http://www.cs.ust.hk/~liao/comp201/codes/secu/sign2/
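As an added example that is not part of the slides or the course code, here is the client-side check in Java of what the browser does when it loads a signed JAR. It opens the JAR in verifying mode, reads every entry to the end so that its signature is checked, and then insists that each entry is signed by a certificate whose SHA-256 fingerprint equals a value obtained from the developer out of band. The JAR path and the expected fingerprint are command-line arguments; both are assumptions of this example. JarFile only verifies signatures that are present, so the unsigned-entry test is the part that is easy to forget.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class SignedJarCheck {

    // SHA-256 fingerprint of a certificate as colon-separated upper-case hex,
    // the format keytool -printcert uses, so it can be compared by eye.
    static String fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    // True only if every non-META-INF entry is signed by a certificate whose
    // fingerprint equals expectedFingerprint. A tampered entry makes JarFile
    // throw SecurityException while it is being read; an unsigned entry does
    // not, which is why its signers are checked explicitly here.
    static boolean allEntriesSignedBy(String jarPath, String expectedFingerprint) throws Exception {
        byte[] buf = new byte[8192];
        try (JarFile jar = new JarFile(jarPath, true)) {          // true = verify signatures
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) continue;

                // Signer information is only available after the whole entry has been read.
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* consume */ }
                }

                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) {
                    System.out.println("unsigned entry: " + entry.getName());
                    return false;
                }
                boolean match = false;
                for (CodeSigner signer : signers) {
                    // First certificate in the path is the signer's own certificate.
                    Certificate leaf = signer.getSignerCertPath().getCertificates().get(0);
                    if (fingerprint(leaf).equals(expectedFingerprint)) {
                        match = true;
                        break;
                    }
                }
                if (!match) {
                    System.out.println("signed by an unexpected certificate: " + entry.getName());
                    return false;
                }
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java SignedJarCheck <jar> <expected SHA-256 fingerprint>");
            System.exit(2);
        }
        System.out.println(allEntriesSignedBy(args[0], args[1]) ? "OK" : "REJECT");
    }
}
```

Pinning the fingerprint rather than the developer's name is deliberate: the Owner field of a self-signed certificate is chosen freely by whoever ran keytool -genkey, so only the fingerprint (or a signature from an authority you already trust, see the last slide) ties the certificate to a particular developer. JarFile also does not check the certificate's validity period; whether an expired signing certificate should still be accepted depends on whether the signature was timestamped, and has to be decided by the caller.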

  24. Outline • Using java security mechanisms • Security policy files • Code signing • How do java security mechanisms work • Security enforcement • SecureClassLoader and SecurityManager • Supporting technologies • Message digest, digital signatures, authentication

  25. Security Enforcement • Policy files are loaded into the VM at startup (when a SecurityManager is installed) • Represented by a java.security.Policy object • SecureClassLoader records the code source (location and signer certificates) of each class and uses it to assign the class to a protection domain. • SecurityManager checks for permissions at run time.

  26. Security Enforcement • SecureClassLoader • Code identity: origin (codeBase) and signature (signer) • A principal: an individual, a corporation, or a login id. • The code identity is checked against the entries of the Policy object to determine what permission(s) a piece of code should be given; SecureClassLoader attaches the result to the class as its protection domain

  27. Security Enforcement • Protection domains: • A set of classes that are treated alike because they came from the same place and were signed by the same people • Permissions are granted to protection domains, not directly to classes and objects.

  28. Security Enforcement • The Security Manager • Performs runtime checks on dangerous methods. • Code in the Java library consults the Security Manager whenever a potentially dangerous operation is attempted. • The Security Manager can veto the operation by throwing a SecurityException. • Built-in classes (loaded by the bootstrap class loader) run with all permissions; classes loaded across the Net get only what the policy grants them.

  29. Security Enforcement • More details • A Java program makes a call to a potentially dangerous operation in the Java API. • The Java API code asks the Security Manager whether the operation should be allowed. • The Security Manager throws a SecurityException back to the Java API if the operation is denied. This exception propagates back to the Java program. • If the operation is permitted, the Security Manager call returns without throwing an exception, and the Java API performs the requested dangerous operation and returns normally.
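The sequence on the last few slides, as an added example that is not part of the original deck: a Policy subclass stands in for a policy file and grants application code only read access below /tmp, a SecurityManager is installed, and a method that mimics what java.io.FileInputStream does before opening a file asks the manager for a FilePermission. The manager walks the call stack and asks the Policy for each protection domain on it; the JDK's own classes have the all-permissions bootstrap domain and are not consulted. The paths are arbitrary and need not exist, since only the permission check is exercised. This runs as is on JDK 8 to 17 (17 prints a deprecation warning); JDK 18 to 23 require -Djava.security.manager=allow, and JDK 24 removed the SecurityManager entirely (JEP 486).

```java
import java.io.FilePermission;
import java.security.AccessControlException;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;

public class EnforcementDemo {

    // Stand-in for a policy file with a single grant entry:
    //     grant { permission java.io.FilePermission "/tmp/-", "read"; };
    // Any other request from application code is refused.
    static class TmpReadOnlyPolicy extends Policy {
        private static final Permission GRANTED = new FilePermission("/tmp/-", "read");

        @Override
        public boolean implies(ProtectionDomain domain, Permission permission) {
            return GRANTED.implies(permission);
        }
    }

    // What a library method does before a dangerous operation: if a manager is
    // installed, ask it; it throws (AccessControlException, a SecurityException)
    // when some protection domain on the stack lacks the permission.
    static String attemptRead(String path) {
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) {
            return "allowed (no SecurityManager installed)";
        }
        try {
            sm.checkPermission(new FilePermission(path, "read"));
            return "allowed";
        } catch (AccessControlException e) {
            return "denied: " + e.getPermission();
        }
    }

    public static void main(String[] args) {
        // Install the policy first: once a manager is running, replacing the
        // policy itself needs SecurityPermission "setPolicy".
        Policy.setPolicy(new TmpReadOnlyPolicy());
        System.setSecurityManager(new SecurityManager());

        System.out.println("/tmp/scratch.txt -> " + attemptRead("/tmp/scratch.txt"));  // allowed
        System.out.println("/etc/passwd      -> " + attemptRead("/etc/passwd"));       // denied
    }
}
```

The check is per call stack, not per class: if trusted library code calls back into the restricted code, or the restricted code calls the library, every domain on the stack must hold the permission, which is what keeps an applet from laundering a file read through a JDK method.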

  30. Outline • Using java security mechanisms • Security policy files • Code signing • How do java security mechanisms work • Security enforcement • SecureClassLoader and SecurityManager • Supporting technologies • Message digest, digital signatures, authentication

  31. Supporting Technologies • So far, we have discussed what the programmer and the user should do in order to give more permissions to trusted applets. • However, we have not discussed • How does keytool generate keys? • How does jarsigner sign code? • How does Java verify certificates? • Why is it secure?

  32. Supporting Technologies/Message Digest • A message digest is a digital fingerprint of a block of data such that it is computationally infeasible to find two different blocks of data with the same digest. • If you send a message and its digest separately, the recipient can verify whether the message has been modified in transit: compute the fingerprint of the message received and compare it with the fingerprint received. • Of course, this only works if the attacker cannot replace both the message and its digest; the digest must reach the recipient over a channel the attacker cannot tamper with.
  [Figure: sender computes MessageDigest from Message; both travel to the recipient, who recomputes the digest of the received Message and compares: MessageDigest =? MessageDigest]

  33. Supporting Technologies/Message Digest • The two best-known algorithms for computing message digests: SHA1 (Secure Hash Algorithm 1) and MD5 (less reliable). • Java supports both algorithms. • Both are now considered broken for collision resistance (practical MD5 collisions since 2004, a published SHA-1 collision in 2017); new code should use SHA-256 or stronger, which Java also supports ("SHA-256").

  34. Supporting Technologies/Message Digest • Compute a fingerprint using SHA1: • Get a MessageDigest object
      MessageDigest alg = MessageDigest.getInstance("SHA-1");
  • Feed all bytes of the message to the object
      FileInputStream in = new FileInputStream(fileName);
      int ch;
      while ((ch = in.read()) != -1)
          alg.update((byte) ch);
  • Get the fingerprint using the digest method
      byte[] hash = alg.digest();
  (Feeding a buffer with update(byte[], int, int) is much faster than one byte at a time, and in.close() is still needed.) MessageDigest.java

  35. Supporting Technologies/Digital Signatures • Public key cryptography • A pair of keys: one public (given to everyone) and one private. • It is computationally infeasible to compute the private key from the public key (the public key, on the other hand, is easily derived from the private key). • It is easy to tell whether a public key and a private key match.

  36. Supporting Technologies/Digital Signatures • When sending a message to a friend • You sign it with your private key • The recipient verifies the message with your public key • If verification passes, the receiver can be sure that the message is from you (assuming the public key really is yours) and was not altered in transit • When a friend sends a message to you • He/she signs it with his/her own private key • You verify the message with his/her public key • If verification passes, you can be sure that the message was signed with your friend's private key and was not altered in transit

  37. Supporting Technologies/Digital Signatures Sending a message
  [Figure: Message -> HashFunction -> MessageDigest -> (signed with Private Key) -> DigitalSig.; the Message and the DigitalSig. are sent together]

  38. Supporting Technologies/Digital Signatures Verifying a message
  [Figure: received Message -> HashFunction -> MessageDigest'; received DigitalSig. -> (decrypted with Public Key) -> MessageDigest; compare MessageDigest' and MessageDigest: Matched?]

  39. Supporting Technologies/Digital Signatures • Algorithms for generating keys, signing messages, and verifying signatures: • DSA (Digital Signature Algorithm), supported by Java • RSA, at the time a commercial package (now also built into the JDK). • Generating key pairs
      // get a KeyPairGenerator object
      KeyPairGenerator keygen = KeyPairGenerator.getInstance("DSA");
      // initialize it with a cryptographically strong random source
      SecureRandom secrand = new SecureRandom();
      keygen.initialize(512, secrand);   // 512 = key size in bits; far too small today, use 2048
      // generate the key pair
      KeyPair keys = keygen.generateKeyPair();
      PublicKey pubkey = keys.getPublic();
      PrivateKey privkey = keys.getPrivate();

  40. Supporting Technologies/Digital Signatures Signing a message
      // get a Signature object ("DSA" is an alias for SHA1withDSA)
      Signature signalg = Signature.getInstance("DSA");
      // initialize it with the private key using initSign
      signalg.initSign(privkey);
      // feed all bytes of the message to the object one by one
      int ch;
      while ((ch = in.read()) != -1)
          signalg.update((byte) ch);
      // get the signature using the sign method
      byte[] signature = signalg.sign();

  41. Supporting Technologies/Digital Signatures Verifying a message
      // get a Signature object
      Signature verifyalg = Signature.getInstance("DSA");
      // initialize it with the PUBLIC key using initVerify
      verifyalg.initVerify(pubkey);
      // feed all bytes of the message to the object one by one
      int ch;
      while ((ch = in.read()) != -1)
          verifyalg.update((byte) ch);
      // finally, verify the signature
      boolean check = verifyalg.verify(signature);
  SignatureTest.java
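The digest and signature slides (32 to 34 and 39 to 41) in one runnable program, as an added example that is not part of the original deck or its SignatureTest.java. It generates two DSA key pairs, signs a constructed sample message with one of them and verifies it, then shows the three outcomes a practitioner must see: the genuine message verifies, a tampered message does not, and the right message checked against the wrong public key does not. The digest part shows why a bare digest is not enough: it catches modification only if the digest itself cannot be replaced. It uses SHA256withDSA and 2048-bit keys instead of the slides' "DSA" (SHA1withDSA) and 512 bits; both are in the JDK's SUN provider since Java 8.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.SignatureException;

public class SignVerifyDemo {

    // SHA-256 over the message, then DSA over the digest (the two steps of slide 37).
    static final String SIG_ALG = "SHA256withDSA";

    static KeyPair generate() throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("DSA");
        gen.initialize(2048, new SecureRandom());   // 2048-bit key; 512 is no longer acceptable
        return gen.generateKeyPair();
    }

    static byte[] sign(PrivateKey key, byte[] message) throws Exception {
        Signature s = Signature.getInstance(SIG_ALG);
        s.initSign(key);
        s.update(message);            // whole buffer at once instead of byte by byte
        return s.sign();
    }

    static boolean verify(PublicKey key, byte[] message, byte[] signature) throws Exception {
        Signature v = Signature.getInstance(SIG_ALG);
        v.initVerify(key);
        v.update(message);
        try {
            return v.verify(signature);
        } catch (SignatureException e) {
            return false;             // malformed signature bytes count as a failed check, not a crash
        }
    }

    // Digest comparison done the way a recipient of (message, digest) would do it.
    // MessageDigest.isEqual runs in constant time, unlike Arrays.equals.
    static boolean sameDigest(byte[] a, byte[] b) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        return MessageDigest.isEqual(md.digest(a), md.digest(b));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample messages: a harmless policy fragment and a malicious replacement.
        byte[] message  = "grant codeBase \"http://example.invalid/applet/\" { };"
                .getBytes(StandardCharsets.UTF_8);
        byte[] tampered = "grant { permission java.security.AllPermission; };"
                .getBytes(StandardCharsets.UTF_8);

        KeyPair developer = generate();
        KeyPair impostor  = generate();

        byte[] sig = sign(developer.getPrivate(), message);
        System.out.println("genuine message, developer key:  " + verify(developer.getPublic(), message, sig));  // true
        System.out.println("tampered message, developer key: " + verify(developer.getPublic(), tampered, sig)); // false
        System.out.println("genuine message, impostor key:   " + verify(impostor.getPublic(), message, sig));   // false

        // A digest alone detects a change only while the digest itself arrives intact...
        System.out.println("digest(message) == digest(tampered): " + sameDigest(message, tampered));        // false
        // ...whoever can replace the message can recompute the digest to match it.
        System.out.println("digest(tampered) == recomputed:      " + sameDigest(tampered, tampered.clone())); // true
    }
}
```

The impostor case is the one that matters for code signing: a signature proves that the holder of some private key signed the bytes, and it is the keystore of trusted certificates plus the policy file's signedBy entry that decides whether that key belongs to anyone you trust.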

  42. Supporting Technologies/Authentication Anyone can send you his/her public key and ask you to accept applets signed by him/her. Authentication problem: how to determine the identity of the sender. The sender can have his/her certificate authenticated (signed) by a trusted(?) body, such as the Hong Kong Post Office (http://www.hongkongpost.gov.hk/product/ecert/usage/index.html), Thawte, VeriSign, or the United States Postal Service. If you trust the certification authority, you can trust the certificates it signed. Software developer certificates are created this way.
