1 / 176

Java™ Security Overview

Java™ Security Overview. Tools to securely manage applications. Java SE Security. Java security technology includes: a set of APIs , tools , implementations security algorithms , mechanisms , protocols. Java SE Security.

schultzg
Download Presentation

Java™ Security Overview

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Java™ Security Overview Tools to securely manage applications

  2. Java SE Security • Java security technology includes: • a set of APIs, • tools, • implementations security algorithms, • mechanisms, • protocols.

  3. Java SE Security • The Java security APIs span a wide range of areas, including: • platform Security, • cryptography, • authentication and access control, • secure communication, • public key infrastructure.

  4. Java SE Security • Java security technology provides the developer with a comprehensive security framework for writing applications, • and also provides the user or administrator with a set of tools to securely manage applications.

  5. 1 Introduction • Java SE Security Documentation J2SE 1.4.2 | J2SE 5.0 | Java SE 6

  6. Note • There are three security extensions for use with J2SE 1.3.1. • They are Java Authentication and Authorization Service, Java Cryptography Extension, and Java Secure Socket Extension. • These three extensions have been integrated into J2SE 1.4.

  7. Java SE Security Overview • Platform Security • Cryptography • Authentication and Access Control • Secure Communications • Public Key Infrastructure (PKI)

  8. 3 Basic Security Architecture http://java.sun.com/javase/6/docs/technotes/guides/security/overview/jsoverview.html

  9. 3 Basic Security Architecture • The Java platform defines a set of APIs spanning major security areas, including cryptography, public key infrastructure, authentication, secure communication, and access control.

  10. 3 Basic Security Architecture • These APIs allow developers to easily integrate security into their application code. They were designed around the following principles:

  11. 3 Basic Security Architecture • Implementation independence Applications do not need to implement security themselves. Rather, they can request security services from the Java platform.

  12. Implementation independence Security services are implemented in providers (see below), which are plugged into the Java platform via a standard interface. An application may rely on multiple independent providers for security functionality.

  13. 3 Basic Security Architecture • Implementation interoperability Providers are interoperable across applications. Specifically, an application is not bound to a specific provider, and a provider is not bound to a specific application.

  14. 3 Basic Security Architecture • Algorithm extensibility The Java platform includes a number of built-in providers that implement a basic set of security services that are widely used today. However, some applications may rely on emerging standards not yet implemented, or on proprietary services. The Java platform supports the installation of custom providers that implement such services.

  15. 3 Basic Security Architecture • Security Providers • The java.security.Providerclass encapsulates the notion of a security provider in the Java platform. • It specifies the provider's name and lists the security services it implements.

  16. 3 Basic Security Architecture • Security Providers • Multiple providers may be configured at the same time, and are listed in order of preference. • When a security service is requested, the highest priority provider that implements that service is selected.

  17. 3 Basic Security Architecture • Applications rely on the relevant getInstance method to obtain a security service from an underlying provider. • For example, message digest creation represents one type of service available from providers.

  18. 3 Basic Security Architecture • An application invokes the getInstance method in the java.security.MessageDigest class to obtain an implementation of a specific message digest algorithm, such as MD5. MessageDigest md = MessageDigest.getInstance("MD5");

  19. 3 Basic Security Architecture • The program may optionally request an implementation from a specific provider, by indicating the provider name, as in the following: MessageDigest md = MessageDigest.getInstance("MD5", "ProviderC");

  20. 3 Basic Security Architecture • Figures 1 and 2 illustrate these options for requesting an MD5 message digest implementation.

  21. 3 Basic Security Architecture • Both figures show three providers that implement message digest algorithms. The providers are ordered by preference from left to right (1-3).

  22. 3 Basic Security Architecture • In Figure 1, an application requests an MD5 algorithm implementation without specifying a provider name.

  23. 3 Basic Security Architecture • The providers are searched in preference order and the implementation from the first provider supplying that particular algorithm, ProviderB, is returned.

  24. Figure 1 Provider searching

  25. 3 Basic Security Architecture • In Figure 2, the application requests the MD5 algorithm implementation from a specific provider, ProviderC.

  26. 3 Basic Security Architecture • This time the implementation from that provider is returned, even though a provider with a higher preference order, ProviderB, also supplies an MD5 implementation.

  27. Figure 2 Specific provider requested

  28. 3 Basic Security Architecture • The Java platform implementation from Sun Microsystems includes a number of pre-configured default providers that implement a basic set of security services that can be used by applications.

  29. 3 Basic Security Architecture • Note that other vendor implementations of the Java platform may include different sets of providers that encapsulate vendor-specific sets of security services.

  30. 3 Basic Security Architecture • When this paper mentions built-in default providers, it is referencing those available in Sun's implementation.

  31. 3 Basic Security Architecture • The sections below on the various security areas (cryptography, authentication, ... .) each include descriptions of the relevant services supplied by the default providers. • A table in Appendix C summarizes all of the default providers.

  32. 3 Basic Security Architecture • File Locations • Certain aspects of Java security mentioned in this paper, including the configuration of providers, may be customized by setting security properties.

  33. 3 Basic Security Architecture • You may set security properties statically in the security properties file, which by default is the java.security file in the lib/security directory of the directory where the Java™ Runtime Environment (JRE) is installed.

  34. 3 Basic Security Architecture • Security properties may also be set dynamically by calling appropriate methods of the Security class (in the java.security package).

  35. 3 Basic Security Architecture • The tools and commands mentioned in this paper are all in the ~jre/bin directory, where ~jre stands for the directory in which the JRE is installed.

  36. 3 Basic Security Architecture • The cacerts file mentioned in Section 5 is in: ~jre/lib/security.

  37. 4 Cryptography

  38. 4 Cryptography • The Java cryptography architecture is a framework for accessing and developing cryptographic functionality for the Java platform. • It includes APIs for a large variety of cryptographic services, including: ... ...

  39. 4 Cryptography • Message digest algorithms • Digital signature algorithms • Symmetric bulk encryption • Symmetric stream encryption • Asymmetric encryption • Password-based encryption (PBE) • Elliptic Curve Cryptography (ECC) • Key agreement algorithms • Key generators • Message Authentication Codes (MACs) • (Pseudo-) random number generators

  40. 4 Cryptography • For historical (export control) reasons, the cryptography APIs are organized into two distinct packages as follow: • The java.security package contains classes that are not subject to export controls (like Signature and MessageDigest).

  41. 4 Cryptography • The javax.cryptopackage contains classes that are subject to export controls (like Cipher and KeyAgreement).

  42. 4 Cryptography • The cryptographic interfaces are provider-based, allowing for multiple and interoperable cryptography implementations.

  43. 4 Cryptography • Some providers may perform cryptographic operations in software; • Others may perform the operations on a hardware token (for example, on a smartcard device or on a hardware cryptographic accelerator).

  44. 4 Cryptography • Providers that implement export-controlled services must be digitally signed. • The Java platform includes built-in providers for many of the most commonly used cryptographic algorithms, including:

  45. 4 Cryptography • RSA, • DSA signature algorithms, • DES, AES, • ARCFOUR encryption algorithms, • MD5 and SHA-1 message digest algorithms, • Diffie-Hellman key agreement algorithm.

  46. PKCS – Public Key Cryptography Standards • In cryptography, PKCS refers to a group of Public Key Cryptography Standards devised and published by RSA Security.

  47. PKCS • RSA Data Security Inc was assigned the licensing rights for the patent on the RSAasymmetric key algorithm and acquired the licensing rights to several other key patents as well (e.g., the Schnorr patent).

  48. PKCS • As such, RSA Security, and its research division, RSA Labs, were interested in promoting and facilitating the use of public-key techniques. To that end, they developed the PKCS standards.

  49. PKCS • The several PKCS standards can be viewed at: http://en.wikipedia.org/wiki/PKCS

  50. PKCS #5 • 2.0 • Password-based Encryption Standard • See RFC 2898 and PBKDF2.

More Related