Java Security Session 19. Java Security / 2 of 23 Objectives Discuss Java cryptography Explain the...
-
Upload
geraldine-parks -
Category
Documents
-
view
223 -
download
0
Transcript of Java Security Session 19. Java Security / 2 of 23 Objectives Discuss Java cryptography Explain the...
Java Security
Session 19
Java Security / 2 of 23
Objectives
Discuss Java cryptography
Explain the Java Security Model
Discuss each of the components that comprise the JSM
Describe the security tools available as part of the Java platform
Java Security / 3 of 23
Introduction
Security on the Internet is a big issue today Corruption of data Denial of access to services Attacks that simply annoy users
Security model in Java2 has been enhanced to enable digitally signed applets to be run on the web
Security of precious goods is only as good as the defense mechanism employed to guard it
Java Security / 4 of 23
Java2 security model
Byte code verifier
Class Loader
Security Manager
Java Security / 5 of 23
Byte Code Verifier
This verifies: Byte code represent legal JVM operations Possibilities of stack overflow or underflow Byte code does not compromise the type safety of
operands Class methods observe all access specifiers such
as public, private, etc.
Examines the byte codes of a class before executing it
Java Security / 6 of 23
Class Loader
The functions of a Class Loader include: Preventing conflict between any running programs
that may have identical class names Ensures that users do not load system classes
Byte code in this stage is assumed to be valid
Applet SecurityManager
Checks Applets
Java Security / 7 of 23
Java Security Manager (JSM)
Applets have to be downloaded and hence can cause potential attacks
Applets can only manipulate data within a specified area (sandbox) of the hard disk
Security Manager provides a sandbox as well as allows one to create a sandbox
JSM also controls access to important resources, operations and access to files
Standalone applications are trusted by default
Java Security / 8 of 23
Java Security Model
Applications(Trusted by default)
Applets(Untrusted by default)
System and Network Resources
Access Denied
Applications(Trusted by default)
Unsigned Applets(Untrusted by default)
System and Network Resources
Access Denied
Signed Applets(Trusted)
JDK
1.0
JDK
1.1
Java Security / 9 of 23
java.policy file
Security policy file is located at JAVA_HOME\lib\security\java.policy where JAVA_HOME indicates location of JDK
It is possible to specify a security policy that determines the access type an application or an applet is allowed
Java Security / 10 of 23
Safe environment in JSM
Java Code
Java Compiler
Class Files(byte code)
Byte code verifier
Class Loader
Java Interpreter
Security Manager(if present)
Executed program
Transmission over Network or local
file system
Java Security / 11 of 23
JDK security tools
Authentication is an important and vital issue A digital signature solves two vital security
concerns Authentication Integrity
Sun offers three tools to digitally sign applets -jar, jarsigner and keytool
A system on the Internet should lookout for components that lay the system open to intruders
Java Security / 12 of 23
The keytool utility (1)
In private cryptography, a process takes a piece of data and uses a special key such as password to produce an encrypted password
Only with the help of the key, one can decrypt the original message
Data Encryption Standard is a widely used cryptographic system
Used to create and manage public keys, private keys and security certificates
Java Security / 13 of 23
The keytool utility (2)
Two keys that are mathematically related are created
One for encryption and the other for decryption Used for:
Managing public/private key pairs Storing public keys of people and groups Authentication of ones identity Verifying the source and integrity of data
Public key cryptography is based on mathematical algorithms
Java Security / 14 of 23
The keytool utility (3)
One can check the existence of keystore by: keytool –list keytool –list –keystore C:\myfolder\mystore
-genkey option of keytool creates a public/private key pair
keytool –genkey –alias aliasname
While adding a key to a new keystore, a password has to be given
Information managed by keytool is stored in a database called keystore
Java Security / 15 of 23
Creating a key pair (1)
Example:Alias: aptechkey
Organizational unit: Software Dev
Organization: Gates Corp.
City: Palo Alto, CA.
State: CA (for California)
County code:CA
Key password: aptECH2k01
keytool utility asks a number of questions when we create a new key pair
Java Security / 16 of 23
Creating a key pair (2) The command –keytool –list –v –alias
aptechkey give the following output:
Java Security / 17 of 23
Working with certificates (1)
Indicates that the public key of a person has important value
Digital certificates associate an identity with a public key Identity is called subject Authority that signs is called signer
Statement signed by an authority
Java Security / 18 of 23
Working with certificates (2)
Certificates follow the X.509 standard When we create a new public/private keypair,
a self-signed certificate signed by the same entity that created the key pair is obtained keytool –alias aptechkey –certreq –file
aptechreq.txt
keytool utility can display, import and export certificates in addition to key pairs
Java Security / 19 of 23
jar tool and jarsigner tool
jarsigner then digitally signs a java archive jarsigner MyApplet.jar aptechkey
The key must have gone through a verification process before use
Before java program can be digitally signed, it must be packaged into an archive form consisting of all class files and other files with the help of jar tool
Java Security / 20 of 23
Java Cryptography
It also provides passwords to secure access Java.security file should include the following line:
policy.url.2=file:${user.home}/.java.policy
Java Cryptography classes enable us to encrypt and decrypt programs
Java Security / 21 of 23
Example (1)
Java Security / 22 of 23
Example (2)
Java Security / 23 of 23
Output