Java Security
Download
Report
Transcript Java Security
Java Security
Pingping Ma
Nov 2nd, 2006
Overview
Platform Security
Cryptography
Authentication and Access Control
Public Key Infrastructure (PKI)
Platform Security
Built-in language security features enforced by
the Java compiler and virtual machine:
Strong data typing
Automatic memory management and
garbage collection
Bytecode verification
Secure class loading
It defines a local name space to ensure that an
untrusted applet cannot interfere with the
running of other programs.
Cryptography overview
Support for a wide range of cryptographic
services
Digital signatures
Message digests
Encryption and decryption
Key generators and key factories
Support for a variety of standard algorithms
RSA, DSA, AES
DES, SHA
PKCS#5, RC2, RC4
Major concepts
Engine class: define a cryptographic service in an abstract
fashion (without a concrete implementation). Some examples
as follows:
MessageDigest: used to calculate the message digest (hash) of
specified data.
Signature: used to sign data and verify digital signatures
KeyPairGenerator: used to generate a pair of public and private
keys suitable for a specified algorithm.
KeyStore: a database used to manage keys and certificates
Service provider: a package or set of packages that implement
one or more cryptographic services, such as digital signature
algorithms, message digest algorithms.
Design principle
The Java Cryptography is designed
around these principles:
Implementation independence and
interoperability
Algorithm independence and extensibility
Design principle
Implementation independence means that
different providers can implement the same
engine class in different ways.
A user may request an implementation from
a specific provider or specify a preference
order of the providers in which providers are
searched for requested services when no
specific provider is requested.
Implementation interoperability means that
various implementations can work with each
other, use each other's keys, or verify each
other's signatures.
Authentication and access
control
Sandbox Model
Protection mechanism
Protection domain: a set of classes whose instances are
granted the same set of permissions. It is a fundamental
concept and building block of system security.
Protection domains generally fall into two distinct categories:
system domain and application domain.
Protection mechanism
The Java application environment maintains a
mapping from code (classes and instances) to their
protection domains and then to their permissions.
Protection mechanism
Problem: Two domains may interact
with each other by method calling
Basic rule: a less "powerful" domain
cannot gain additional permissions as
a result of calling or being called by a
more powerful domain.
Protection mechanism
Problem: A thread of execution may occur
completely within a single protection domain
or may involve multiple protection domains.
The general rule for calculating permissions
is the following:
The permission set of an execution thread is
considered to be the intersection of the
permissions of all protection domains traversed
by the execution thread.
Permission class
The permission classes represent access to system
resources. The java.security.Permission class is an
abstract class and is subclassed, as appropriate, to
represent specific accesses.
perm = new java.io.FilePermission("/tmp/abc",
"read");
The implies method: a crucial abstract method that
needs to be implemented for each new class of
permission. Basically, "a implies b" means that if
one is granted permission "a", one is naturally
granted permission "b". This is important when
making access control decisions.
Policy class
The system security policy for a Java
application environment, specifying which
permissions are available for code from
various sources, is represented by a Policy
object.
There could be multiple instances of the
Policy object, although only one is "in effect"
at any time.
The policy can be specified within one or
more policy configuration files.
Policy class
A policy configuration file essentially contains a list
of entries. It may contain a "keystore" entry, and
contains zero or more "grant" entries.
Each grant entry in a policy file essentially consists
of a CodeSource and its permissions.
The following grants a FilePermission to all
code:
grant { permission java.io.FilePermission ".tmp",
"read"; };
Public Key Infrastructure (PKI)
Tools for managing keys and certificates
and comprehensive, abstract APIs with
support for the following features and
algorithms:
Certificates and Certificate Revocation Lists
(CRLs): X.509
Certification Path Validators and Builders:
PKIX (RFC 3280), On-line Certificate Status
Protocol (OCSP)
Certificate Stores (Repositories): LDAP,
java.util.Collection
Basic concept
A public key (or identity) certificate is a binding of
a public key to an identity, which is digitally signed
by the private key of another entity, often called a
Certification Authority (CA).
The X.509 standard defines what information can
go into a certificate, and describes how to write it
down (the data format).
a public key infrastructure (PKI) is an
arrangement that provides for trusted third party
vouching for user identities.
Public Key Infrastructure (PKI)
The Certificate API, in the java.security.cert
package, includes the following:
The CertificateFactory class is used to generate
certificate and certificate revocation list (CRL) objects.
the Certificate class is an abstract class for managing a
variety of certificates. It is an abstraction for certificates
that have different formats but important common uses.
the CRL class is an abstract class for managing a variety
of Certificate Revocation Lists (CRLs).
Specific X. 509 classes: X509Certificate, X509Extension
and X509CRL
Certification path
The JavaTM Certification Path API consists of
classes and interfaces for handling certification
paths (also known as "certificate chains").
If the user does not have a trusted copy of the
public key of the CA that signed the subject's public
key certificate, then another public key certificate
vouching for the signing CA is required. This logic
can be applied recursively, until a chain of
certificates (or a certification path) is discovered
from a trust anchor or a most-trusted CA to the
target subject
Certification path
The figure illustrates a certification path from a
most-trusted CA's public key (CA 1) to the target
subject (Alice). The certification path establishes
trust in Alice's public key through an intermediate
CA named CA2.
Certification path class
Java.security.cert package is used to handle
certificates.
The core classes can be broken up into 4 class
categories: Basic, Validation, Building, and Storage:
Basic Certification path classes
Certification Path Validation Classes
CertPathValidator, CertPathValidatorResult
Certification Path Building Classes
CertPath, CertificateFactory, CertPathParameters
CertPathBuilder, CertPathBuilderResult
Certificate/CRL Storage Classes
CertStore, CertStoreParameters, CertSelector,
CRLSelector