Security in Java


Presentation Transcript


  1. Security in Java • TWO DISTINCT TOPICS • Support for security in java.security.* API • Building your own sandbox using java.lang.SecurityManager

  2. Security API • The Java Security API in JDK 1.1 is incomplete and will change in future releases. • It is not possible to import or export public or private keys used to generate and verify digital signatures. • A separate release (Java Cryptography Extensions) provides API and algorithms relating to encryption and decryption.

  3. Security • Support for specific certificate formats is also not available. • Use the JDK 1.1 Java Security API interfaces and classes at your own risk and in full knowledge that some will be modified, expanded, replaced, or eliminated in future releases.

  4. Vocabulary • Public Key • A number that is advertised by an entity that together with a private key can be used for secure messages. To send an encrypted message I encode it with the public key of the sender. • Private Key • A number known only to an entity participating in encryption

  5. Vocabulary • Digital Signature • A string of bits that is computed from some data (the data being "signed") and the private key of an entity. The signature can be used to verify that the data came from the entity. • Message Digest • A one-way hash function • Message digest algorithms produce unique and reliable identifiers of data. The digests are sometimes called "digital fingerprints" of data.

  6. Vocabulary • Certificate • A digitally signed statement from one entity, saying that the public key of some other entity has some particular value. If you trust the entity that signed a certificate, you trust that the association in the certificate between the specified public key and another particular entity is authentic.

  7. Vocabulary • Encryption • The process of taking data (called cleartext) and a short string (a key) and producing ciphertext, which is data meaningless to a third-party who does not know the key • Decryption • The inverse of encryption; the process of taking ciphertext and a short key string, and producing cleartext.

  8. Java Security API • defines classes that provide functionality for a type of cryptography algorithm • MessageDigest class • Signature class • KeyPairGenerator class • Instances of the classes are used to carry out the operations

  9. Security Bridges • The classes only provide access to the functionality of a type of algorithm. • The algorithms come from “providers”

  10. Default Algorithms • JDK default provider “SUN” supplies implementations of the DSA algorithm for digital signatures • MD5 and SHA-1 for message digests • No default key management is provided.

  11. Encryption and Decryption • APIs for data encryption and decryption, together with some default algorithm implementations, will be released separately in a "Java Cryptography Extension" (JCE); an add-on package to JDK, in accordance with U.S. export control regulations.

  12. Signature Class • The Signature class is designed to provide the functionality of a digital signature algorithm such as DSA or RSA with MD5. A signature algorithm takes arbitrary-sized input and a private key and generates a relatively short (often fixed-size) string of bytes, called the signature, with the following properties:

  13. Signature Properties • Given the public key corresponding to the private key used to generate the signature, it is possible to verify the authenticity and integrity of the input. • The signature and the public key do not reveal anything about the private key.

  14. Signature Objects • A Signature object can be used to generate a digital signature for data. It can also be used to verify whether or not an alleged signature is in fact the authentic signature of the data associated with it.

  15. The MessageDigest Class • The MessageDigest class provides the functionality of cryptographically secure message digest algorithms such as SHA-1 or MD5. A cryptographically secure message digest takes arbitrary-sized input (a byte array), and generates a fixed-size output, called a digest. A digest has the following properties:

  16. MessageDigest Properties • It is computationally infeasible to find another input string that will generate the same digest. • The digest does not reveal anything about the input that was used to generate it.

  17. MessageDigest Objects • Message digest objects are used to produce the unique and reliable identifiers of data sometimes called the "digital fingerprints" of data

  18. Key Interfaces • The Key interface is the top-level interface for all keys. It defines the functionality shared by all key objects. All keys have three characteristics

  19. Key Characteristics • An Algorithm • An Encoded Form (a representation for use outside of Java) • A Format (the name of the Encoded Form)

  20. Key objects • Keys are generally obtained through key generators, certificates, or various Identity classes used to manage keys

  21. The PublicKey and PrivateKey Interfaces • The PublicKey and PrivateKey interfaces are method-less interfaces, used for type-safety and type-identification for public keys and private keys

  22. The KeyPair Class • The KeyPair class is a simple holder for a key pair (a public key and a private key). It has two public methods, one for returning the private key, and the other for returning the public key

  23. The KeyPairGenerator Class • The KeyPairGenerator class is used to generate pairs of public and private keys
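
The classes from slides 8 to 23 used together, as an added example that is not part of the original presentation. It assumes a current JDK, where the SUN provider offers SHA-256 with DSA; SHA-256 is used in place of the slides' MD5 and SHA-1 because those two are no longer collision-resistant. The class name `SignatureDemo` and the message are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;

public class SignatureDemo {
    // Sign data with the private key and return the signature bytes.
    static byte[] sign(PrivateKey key, byte[] data) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withDSA");
        s.initSign(key);
        s.update(data);
        return s.sign();
    }

    // Check an alleged signature against the data using the public key.
    static boolean verify(PublicKey key, byte[] data, byte[] sig) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withDSA");
        s.initVerify(key);
        s.update(data);
        return s.verify(sig);
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("DSA");
        gen.initialize(2048);
        KeyPair pair = gen.generateKeyPair();
        PublicKey pub = pair.getPublic();

        // The three key characteristics: algorithm, format name, encoded form.
        System.out.println("algorithm=" + pub.getAlgorithm() + " format=" + pub.getFormat()
                + " encodedBytes=" + pub.getEncoded().length);

        // A message digest of the encoded key serves as its "digital fingerprint".
        byte[] fingerprint = MessageDigest.getInstance("SHA-256").digest(pub.getEncoded());
        System.out.println("fingerprint=" + hex(fingerprint));

        byte[] message = "constructed sample message".getBytes(StandardCharsets.UTF_8);
        byte[] sig = sign(pair.getPrivate(), message);
        System.out.println("original verifies: " + verify(pub, message, sig));

        // Flip one bit of the data: the same signature must no longer verify.
        byte[] tampered = message.clone();
        tampered[0] ^= 1;
        System.out.println("tampered verifies: " + verify(pub, tampered, sig));
    }
}
```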

  24. Security Managers • A security manager is an object that determines whether potentially threatening operations should be allowed. The System class is used to get and set a security manager. • Each Java application can have its own security manager object that acts as a security guard.

  25. Security Manager Class • The SecurityManager class is an abstract class that provides a programming interface and partial implementation for security managers. • By default applications have no security manager. • Browsers and applet viewers do create a security manager.

  26. Application Security Managers • Programmer must write a security manager • Applications must install a security manager

  27. Writing a Security Manager • create a subclass of the SecurityManager class • override methods to customize the verifications and approvals needed by your application.

  28. Overriding • All of SecurityManager's checkXXX() methods operate in the same way: • If access is allowed, the method returns. • If access is not allowed, the method throws a SecurityException.

  29. Default • The default implementation provided by the SecurityManager class is:

      public void checkXXX(...) {
          // disallow
          throw new SecurityException();
      }

      • So you probably have to override a lot of methods.

  30. Installing • To install a security manager the setSecurityManager method of the class System is used:

      System.setSecurityManager(new MySecurityManager());
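
Slides 27 to 30 put together, as an added example that is not part of the original presentation: a `MySecurityManager` that confines writes and deletes to one directory and refuses to be replaced once installed. The directory name and the policy are hypothetical. It assumes a JDK up to 17; SecurityManager is deprecated for removal since Java 17, `System.setSecurityManager` throws UnsupportedOperationException on Java 18 to 23 unless the JVM is started with `-Djava.security.manager=allow`, and it is permanently disabled from Java 24.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.Permission;

public class SandboxDemo {
    // Hypothetical manager: writes and deletes are confined to one directory.
    static class MySecurityManager extends SecurityManager {
        private final String root;

        MySecurityManager(File dir) throws IOException {
            root = dir.getCanonicalPath() + File.separator;
        }

        private void confine(String file) {
            try {
                // Canonicalize so "sandbox/../other" cannot slip past the prefix test.
                String path = new File(file).getCanonicalPath();
                if (!path.startsWith(root)) throw new SecurityException("blocked: " + path);
            } catch (IOException e) {
                throw new SecurityException("cannot resolve " + file);
            }
        }

        @Override public void checkWrite(String file) { confine(file); }
        @Override public void checkDelete(String file) { confine(file); }
        @Override public void checkExit(int status) { throw new SecurityException("exit blocked"); }

        @Override public void checkPermission(Permission p) {
            // Everything else is allowed, except replacing this manager:
            // a blanket allow here would let sandboxed code uninstall the sandbox.
            if (p instanceof RuntimePermission && "setSecurityManager".equals(p.getName()))
                throw new SecurityException("security manager is fixed");
        }
    }

    public static void main(String[] args) throws IOException {
        File sandbox = new File(System.getProperty("java.io.tmpdir"), "sandbox-demo");
        sandbox.mkdirs();
        System.setSecurityManager(new MySecurityManager(sandbox));

        try (FileOutputStream ok = new FileOutputStream(new File(sandbox, "ok.txt"))) {
            ok.write('x'); // inside the sandbox directory: allowed
        }
        try (FileOutputStream bad = new FileOutputStream(new File(sandbox, "../escape.txt"))) {
            bad.write('x');
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```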
