Security via Java

Security via Java By Bahaa Zaid bzaid@arxict.com 2009-01-13

Agenda • Introduction to Security • Java Security • XML Security • WS-Security

Introduction to Security • Cryptography • Symmetric-Key Cryptography • Public-Key Cryptography • Public Key Infrastructure • Cryptographic Hash Function • Digital Signature

Cryptography • Is the practice and study of hiding information • Encryption is the process of transforming information (plaintext) using an algorithm (cipher) to make it unreadable to anyone (ciphertext) except those possessing special knowledge (key). • Decryption is to make the encrypted information readable again.

Symmetric-Key Cryptography • Symmetric-key cryptography refers to encryption methods in which both the sender and receiver share the same key. This was the only kind of encryption publicly known until June 1976. • Examples are DES, 3DES, Blowfish, RC4…

Symmetric-Key Cryptography Cipher Plaintext Ciphertext Cipher Ciphertext Plaintext

Public-Key Cryptography • Public-Key Cryptography, also known as Asymmetric Cryptography, is a form of cryptography in which the key used to encrypt a message differs from the key used to decrypt it. In public key cryptography, a user has a pair of cryptographic keys—a Public Key and a Private Key. • Examples are RSA and ElGamal.

Public-Key Cryptography • A big random number is used to create a key pair. When the keys have been made the big random number is thrown away. Without knowledge of the random number it should be "impossible" to create the private key from the public key.

Public-Key Cryptography • A message encrypted with a recipient's public key cannot be decrypted by anyone except the recipient possessing the corresponding private key.

Public Key Infrastructure • Public Key Infrastructure (PKI) is an arrangement that binds public keys with respective user identities by means of a Certificate Authority (CA). • CA is an example of Trusted Third Party (TTP). • A CA is an entity which issues Public Key Certificate for use by other parties.

Public Key Infrastructure • The most common certificate standard is the ITU-T X.509. • A Public Key Certificate is an electronic document which incorporates a Digital Signature to bind together a public key with an identity — information such as the name of a person or an organization, their address, and so forth. • A Public Key Certificate is the Public Key of an individual added to it his/her Identity and signed by a CA. • The certificate can be used to verify that a Public Key belongs to an individual .

Public Key Infrastructure • A Certificate Chain is a sequence of certificates, where each certificate in the chain is signed by the subsequent certificate. The last certificate in the chain is normally a self-signed Certificate - a certificate that signs itself (Root Certificate). • It’s an example of Chain Of Trust. signs CA Cert (Root Cert) Company CA App Cert signs signs

Cryptographic Hash Function • A Cryptographic Hash Function is an algorithm that takes an arbitrary block of data and returns a fixed-size bit string, the Hash Value or Message Digest, such that an accidental or intentional change to the data will almost certainly change the Hash Value. • Examples are MD5, SHA-1 and SHA-256. • Applications are Message Integrity Verification, Digital Signatures, …

Cryptographic Hash Function • The ideal hash function has four main properties: • It is easy to compute the hash for any given data, • It is extremely difficult to construct a text that has a given hash, • It is extremely difficult to modify a given text without changing its hash, and • It is extremely unlikely that two different messages will have the same hash.

Digital Signature • For messages sent through an insecure channel, a properly implemented Digital Signature gives the receiver reason to believe the message was sent by the claimed sender. • Digital Signature gives both Authentication and Integrity.

Digital Signature

Java Security • Sun’s website says:“Java security technology includes a large set of APIs, tools, and implementations of commonly used security algorithms, mechanisms, and protocols. The Java security APIs span a wide range of areas, including cryptography, public key infrastructure, secure communication, authentication, and access control.” • Platform Security is built-in language security features enforced by the Java compiler and virtual machine for example Bytecode verification, Secure class loading .

Java Security • Access Control is a comprehensive policy and permissions API that allows the developer to create and administer applications requiring fine-grained access to security-sensitive resources. • Java includes APIs for Cryptography , Secure Communications (e.g. TLS) and PKI. • Java Security is Extensible i.e. Java provide the interfaces and the implementation is provided by a Security Provider, JRE has a default provider (SUN provider).

Unlimited Strength Policy Files • By default, JRE is restricted to a particular Encryption Algorithms and Key Lengths (Strong Encryption). • This restriction is in place so that the JRE and Java Applications that use Encryption can be freely imported by countries whose government restrict the use of Cryptography. • There are no restrictions in Egypt. So, you can download the Unlimited Strength Policy Files from Sun’s website and install it to enable unlimited encryption.

Example: Computing The Hash of a byte[] MessageDigest msgDigest = MessageDigest.getInstance("MD5"); msgDigest.update(plainText); //byte[] byte[] digest = msgDigest.digest();

Example: Private Key Crypto KeyGeneratorkeyGen = KeyGenerator.getInstance("DES"); keyGen.init(56); Key key = keyGen.generateKey(); … Ciphercipher = Cipher.getInstance("DES/ECB/PKCS5Padding"); cipher.init(Cipher.ENCRYPT_MODE, key); byte[] cipherText = cipher.doFinal(plainText); … cipher.init(Cipher.DECRYPT_MODE, key); byte[] newPlainText = cipher.doFinal(cipherText);

Example: Public Key Crypto KeyPairGeneratorkeyGen = KeyPairGenerator.getInstance("RSA"); keyGen.initialize(1024); KeyPair key = keyGen.generateKeyPair(); … Ciphercipher = Cipher.getInstance("RSA/ECB/PKCS1Padding"); cipher.init(Cipher.ENCRYPT_MODE, key.getPublic()); byte[] cipherText = cipher.doFinal(plainText); … cipher.init(Cipher.DECRYPT_MODE, key.getPrivate()); byte[] newPlainText = cipher.doFinal(cipherText);

Example: Digital Signature KeyPairGeneratorkeyGen= KeyPairGenerator.getInstance("RSA"); keyGen.initialize(1024); KeyPair key =keyGen.generateKeyPair(); … Signature sig =Signature.getInstance("MD5WithRSA"); sig.initSign(key.getPrivate()); sig.update(plainText); byte[] signature =sig.sign(); … sig.initVerify(key.getPublic()); sig.update(plainText); if(sig.verify(signature)){…}

Example: Accessing Key Stores // Creating new one KeyStorekeyStore=KeyStore.getInstance("PKCS12"); keyStore.load(null,null); … // Opening Existing one KeyStorekeyStore=KeyStore.getInstance("PKCS12"); keyStore.load(newFileInputStream(filename), "password".toCharArray()); … // Adding Entry keyStore.setKeyEntry( "somealias",privateKey, "password".toCharArray(), new Certificate[]{myCert,caCert}); …

Example: Accessing Key Stores // Get entries X509Certificate cert =(X509Certificate)keyStore.getCertificate(“alias"); PrivateKey key =(PrivateKey)keyStore.getKey( “alias", “password".toCharArray()); … // Saving to file keyStore.store(newFileOutputStream(filename), “password”.toCharArray());

Serializing a Key Key key= …;// PrivateKey or PublicKey byte[]encodedKey=key.getEncoded(); … X509EncodedKeySpec keySpec= new X509EncodedKeySpec(encodedKey); KeyFactorykeyFactory= KeyFactory.getInstance("RSA"); PublicKeytheKey= keyFactory.generatePublic(keySpec); // or PrivateKeytheKey= keyFactory.generatePrivate(keySpec);

Serializing a Certificate X509Certificate cert = …; byte[]encCert=cert.getEncoded(); … ByteArrayInputStreaminputStream= newByteArrayInputStream(encCert); CertificateFactory factory = CertificateFactory.getInstance("X.509"); X509Certificate theCert=(X509Certificate) factory.generateCertificate(inputStream);

Example: Generating a Certificate • Standard Java does not have an X509Certificate generation API • BouncyCastle has a class for generating X509Certificate instance org.bouncycastle.x509.X509V3CertificateGenerator

Example: Generating a Certificate X509V3CertificateGenerator certGen=new X509V3CertificateGenerator(); X500Principal myPrincipal=new X500Principal("CN=Duke, OU=ArxICT, O=Arx, C=EG"); certGen.setSubjectDN(myPrincipal); certGen.setIssuerDN(myPrincipal);// Self signed certGen.setNotBefore(new Date(…)); certGen.setNotAfter(new Date(…)); certGen.setPublicKey(publicKey);// Cert Public Key certGen.setSignatureAlgorithm("SHA1withRSA"); certGen.setSerialNumber(generateMySerialNumber()); X509Certificate cert = certGen.generateX509Certificate(privateKey);

XML Signature • XML Signature (also called XMLDsig, XML-DSig, XML-Sig) is a W3C recommendation that defines an XML syntax for digital signatures. • An XML signature used to sign a resource outside its containing XML document is called a detached signature; • If it is used to sign some part of its containing document, it is called an enveloped signature; • If it contains the signed data within itself it is called an enveloping signature.

XML Signature XML Resource XML Resource XML Resource XML Signature XML Signature XML Signature 1 Signed XML Element XML Signature 2 Signed XML Element Signed Data Detached Enveloping Enveloped

XML Signature • Implementation: • Apache XML Security (santuario) • Standard XML Digital Signature API (JDK 6), also implemented in Apache XML Security for pre-6 JDKs

XML Signature <Signaturexmlns="http://www.w3.org/2000/09/xmldsig#"> <SignedInfoxmlns="http://www.w3.org/2000/09/xmldsig#"> <CanonicalizationMethodAlgorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/> <SignatureMethodAlgorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ReferenceURI="#MsgBody"> <DigestMethodAlgorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <DigestValue>W3aSreOicBECRBLSJnchq448fjU=</DigestValue></Reference> </SignedInfo> <SignatureValue>hG…=</SignatureValue> <KeyInfo><SecurityTokenReferencexmlns="http://schemas.xmlsoap.org/ws/2002/04/secext"> <ReferenceURI="X509Token"/> </SecurityTokenReference> </KeyInfo> </Signature>

XML Signature // Init the factory String providerName=System.getProperty("jsr105Provider","org.jcp.xml.dsig.internal.dom.XMLDSigRI"); XMLSignatureFactoryfac= XMLSignatureFactory.getInstance("DOM“, (Provider)Class.forName(providerName).newInstance()); DOMValidateContextvalContext=newDOMValidateContext(newSimpleKeySelector(merchantPublicKey),nodeList.item(0)); XMLSignature signature =fac.unmarshalXMLSignature(valContext); booleancoreValidity=signature.validate(valContext);

XML Signature classSimpleKeySelectorextendsKeySelector{ privatePublicKeypublicKey; publicSimpleKeySelector(PublicKeypublicKey){ this.publicKey=publicKey; } publicKeySelectorResult select(KeyInfokeyInfo, Purpose purpose, AlgorithmMethod method,XMLCryptoContext context) throwsKeySelectorException{ returnnewSimpleKeySelectorResult(publicKey); } privatestaticclassSimpleKeySelectorResultimplementsKeySelectorResult{ privatePublicKeypublicKey; SimpleKeySelectorResult(PublicKeypk){ this.publicKey=pk; } public Key getKey(){ returnpublicKey; } } }

References • http://www.wikipedia.org • http://java.sun.com/javase/technologies/security/ • http://java.sun.com/security/reference/docs/index.html

More Resources • http://www.ibm.com/developerworks/edu/j-dw-javasec1-i.html • http://www.ibm.com/developerworks/edu/j-dw-javasec2-i.html

Security via Java

Security via Java

Presentation Transcript

Java Security

Java SE Security

Java Applet Security

Java Security

Java Applet Security

Java Security

Java Security

Java Security Model

Java Security

Java and Security

Java Security

Security in Java

Java Security

Java Security

Java Security

Java EE Security

Java Security

Java Security

Java Security

Java Security

Java Security cont’d