ebook img

Java Security PDF

552 Pages·2000·1.86 MB·English
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Java Security

006021 FM 8/29/00 7:36 AM Page i Java Security Handbook Jamie Jaworski Paul Perrone Venkata S. R. Krishna Chaganti 800 East 96th St.,Indianapolis,Indiana,46240 USA 006021 FM 8/29/00 7:36 AM Page ii Java Security Handbook ASSOCIATEPUBLISHER Michael Stephens Copyright2000 by Sams Publishing ACQUISITIONSEDITOR Steve Anglin All rights reserved. No part of this book shall be reproduced, stored in a retrieval system,or transmitted by any means,elec- DEVELOPMENTEDITOR tronic,mechanical,photocopying,recording,or otherwise, Tiffany Taylor without written permission from the publisher. No patent lia- MANAGINGEDITORS bility is assumed with respect to the use of the information Matt Purcell contained herein. Although every precaution has been taken in Lisa Wilson the preparation of this book,the publisher and author assume PROJECTEDITOR no responsibility for errors or omissions. Nor is any liability Natalie F. Harris assumed for damages resulting from the use of the information COPYEDITOR contained herein. Mary Lagu International Standard Book Number:0-672-31602-1 INDEXER Sandy Henselmeier Library of Congress Catalog Card Number:99-62250 PROOFREADERS Printed in the United States of America Candice Hightower Jill Mazurczyk First Printing:September,2000 Tony Reitz Andrew Simmons 02 01 00 4 3 2 1 Matt Wynalda TECHNICALEDITOR Trademarks Krishna Sankar All terms mentioned in this book that are known to be trade- TEAMCOORDINATORS marks or service marks have been appropriately capitalized. Pamalee Nelsen Karen Opal Sams Publishing cannot attest to the accuracy of this informa- tion. Use of a term in this book should not be regarded as MEDIADEVELOPER Adam Swetnam affecting the validity of any trademark or service mark. INTERIORDESIGNER Warning and Disclaimer Dan Armstrong COVERDESIGNER Every effort has been made to make this book as complete and Alan Clements as accurate as possible,but no warranty or fitness is implied. PRODUCTION The information provided is on an “as is”basis. The author Darin Crone and the publisher shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book. 006021 FM 8/29/00 7:36 AM Page iii Contents at a Glance Introduction Part I The Foundations of Java Security 1 Security Basics 2 Java Security Overview 3 Java Application Security Access Control 4 Applet Security Part II Cryptographic Security 5 Introduction to Cryptography 6 Key Management and Digital Certificates 7 Message Digests and Digital Signatures 8 The Java Cryptography Extension 9 SSL and JSSE Part III Distributed System Security 10 Distributed Enterprise Security Overview 11 Databases and Database Security 12 The Java Authentication and Authorization Service 13 CORBA Security 14 Enterprise JavaBeans Security 15 Java Servlet and JSP Security Part IV Appendixes A Past Java Security Flaws B The Mathematics of RSA C Downloading and Installing the JCE D The Java 2 Security API E Downloading and Installing the Cryptix JCE 1.2 F Using the Keytool G Using the jarsignerTool Index 006021 FM 8/29/00 7:36 AM Page iv 006021 FM 8/29/00 7:36 AM Page v Table of Contents Introduction 1 Part I The Foundations of Java Security 7 1 Security Basics 9 The Basic Security Model ....................................................................10 Cryptography ........................................................................................11 Classes of Cryptography..................................................................11 Message Digests ..............................................................................14 Symmetric Keys ..............................................................................14 Asymmetric Keys ............................................................................15 Authentication and Nonrepudiation......................................................15 Authentication Types........................................................................16 Nonrepudiation ................................................................................19 Access Control ......................................................................................19 Discretionary Access Control ..........................................................20 Role-Based Access Control..............................................................20 Mandatory Access Control ..............................................................20 Firewall Access Control ..................................................................21 Domains ................................................................................................21 Auditing ................................................................................................22 Policies and Administration ..................................................................22 Summary................................................................................................23 2 Java Security Overview 25 The History of Security in Java ............................................................26 Java Security Architecture ....................................................................28 Core Java 2 Security Architecture....................................................29 Java Cryptography Architecture ......................................................30 Java Cryptography Extension ..........................................................31 Java Secure Socket Extension..........................................................31 Java Authentication and Authorization Service................................31 Byte Code Verifier ................................................................................31 Class Loader..........................................................................................33 Class Loader Architecture and Security ..........................................33 Class-Loader Interfaces....................................................................34 Security Manager ..................................................................................37 Security Manager Interfaces............................................................38 Custom Security Managers..............................................................40 006021 FM 8/29/00 7:36 AM Page vi vi JAVASECURITYHANDBOOK Java Cryptography Architecture............................................................41 The Architecture of JCA..................................................................42 Cryptographic Engines ....................................................................43 Cryptographic Service Providers......................................................44 Summary................................................................................................46 3 Java Application Security Access Control 47 Permissions............................................................................................47 Permissions Architecture..................................................................48 Permission Types..............................................................................49 Custom Permission Types................................................................58 Security Policies....................................................................................58 Security Policy File Format..............................................................59 Referencing Properties in Policy Files ............................................60 Using Security Policy Files..............................................................60 Security Policy Tool ........................................................................61 Security Policy APIs........................................................................62 Java Access Control ..............................................................................63 Access Control Architecture............................................................64 Guarded Objects ..............................................................................66 SecurityManager-to-Access Control Mapping................................67 Fine-Grained and Configurable Access Control Example ..............72 Summary................................................................................................73 4 Applet Security 75 Extending the Sandbox..........................................................................76 The JDK 1.0 Sandbox......................................................................76 The JDK 1.1 Sandbox......................................................................78 JDK 1.2 Least Privilege....................................................................79 Specifying an Applet Security Policy....................................................80 The Contents of the Security Policy File ........................................81 The Syntax of Grant Entries............................................................81 Using Signed Applets............................................................................82 Creating the JAR file........................................................................82 Signing the JAR File........................................................................83 Specifying a Signed Applet Policy..................................................84 Obtaining a Signing Certificate ............................................................84 Working with Different Browsers..........................................................85 Summary................................................................................................85 006021 FM 8/29/00 7:36 AM Page vii vii CONTENTS Part II Cryptographic Security 87 5 Introduction to Cryptography 89 A Short History of Secret Writing........................................................89 Cryptography,Cryptanalysis,and Cryptology......................................93 Ciphers ..................................................................................................94 The Caesar Cipher............................................................................94 A Simple Substitution Cipher........................................................100 Secret-Key Cryptography....................................................................115 The Data Encryption Standard (DES)............................................115 DESede ..........................................................................................131 Blowfish..........................................................................................133 Rivest Ciphers................................................................................137 Public Key Cryptography....................................................................137 The Rivest,Shamir,Adleman (RSA) Algorithm............................138 The ElGamal Algorithm ................................................................141 Message Digests..................................................................................142 MD5................................................................................................144 SHA-1 ............................................................................................146 Base 64 Encoding ..........................................................................148 Digital Signatures................................................................................156 The Digital Signature Algorithm....................................................157 Digital Certificates ..............................................................................159 Summary..............................................................................................161 6 Key Management and Digital Certificates 163 Importance of Key Management ........................................................163 Key Representation..............................................................................165 Key Generation....................................................................................166 TheKeyPairGeneratorClass ........................................................167 TheKeyGeneratorClass................................................................169 TheKeyGeneratorAppProgram......................................................170 Secure Random Numbers and Key Generation..............................172 Key Translation..............................................................................175 Key Agreement....................................................................................179 Simple Key Management for Internet Protocols (SKIP) ..............181 JCE Support for Key Agreement....................................................181 Key Storage and Password-Based Encryption....................................187 Key Management Differences Between JDK 1.1 and the Java 2 Platform (version JDK 1.2)..............................................................198 JDK 1.1 Key Management ............................................................198 JDK 1.2 Key Management ............................................................200 The Keytool ........................................................................................203 Summary..............................................................................................205 006021 FM 8/29/00 7:36 AM Page viii viii JAVASECURITYHANDBOOK 7 Message Digests and Digital Signatures 207 Message Digest Classes and Interfaces ..............................................207 MessageDigestSpi......................................................................208 MessageDigest............................................................................209 DigestInputStreamandDigestOutputStream ....................212 Working with Digest Streams........................................................214 DigestException........................................................................215 Message Authentication Codes............................................................216 MacSpi............................................................................................217 Mac ................................................................................................217 MACs in Action..............................................................................219 Signature Classes and Interfaces ........................................................220 SignatureSpi..............................................................................220 Signature ....................................................................................221 SignedObject..............................................................................225 Signer ..........................................................................................228 SignatureException..................................................................228 Summary..............................................................................................228 8 The Java Cryptography Extension 229 Inside the JCE......................................................................................229 The Cryptix JCE..................................................................................232 Security Providers and Algorithm Independence................................232 How a Security Provider Is Organized................................................233 Engine Classes................................................................................233 SPI Classes ....................................................................................234 Provider Classes ............................................................................234 Creating a New Provider ....................................................................234 Extending the SPI Class ................................................................235 Extending the Provider Class ........................................................238 Installing Provider Classes ............................................................238 Using the Provider ..............................................................................239 Summary..............................................................................................241 9 SSL and JSSE 243 SSL Overview......................................................................................244 Java Secure Socket Extension Overview ............................................246 JSSE Package and Class Overview................................................246 JSSE Providers....................................................................................248 JSSE SSL Server Sockets....................................................................249 Obtaining an SSL Server Socket Factory......................................249 Creating SSL Server Sockets ........................................................253 006021 FM 8/29/00 7:36 AM Page ix ix CONTENTS SSL Server Socket Listening..........................................................253 Client Authentication......................................................................255 JSSE SSL Client Sockets....................................................................256 Obtaining an SSL Socket Factory..................................................256 Creating SSL Client Sockets..........................................................257 JSSE SSL Sessions..............................................................................258 Summary..............................................................................................259 Part II Distributed System Security 261 10 Distributed Enterprise Security Overview 263 Distributed Enterprise System Technology ........................................264 Enterprise Database Connectivity..................................................264 Enterprise Communications ..........................................................265 Enterprise Communication Services..............................................266 Enterprise Container-Based Components......................................267 Enterprise Database Connectivity Security ........................................268 Enterprise Communications Security..................................................269 Basic Network Security..................................................................269 RMI Security..................................................................................272 CORBA Security............................................................................273 Enterprise Communications Service Security ....................................273 JNDI Security ................................................................................274 Jini Security....................................................................................275 JMS Security..................................................................................276 JavaMail Security ..........................................................................277 Enterprise Container-Based Component Security ..............................278 Web Component Security..............................................................278 EJB Security ..................................................................................279 Summary..............................................................................................279 11 Databases and Database Security 281 What Is a Database?............................................................................281 Relational Databases............................................................................282 Working with Keys ........................................................................283 Structured Query Language ................................................................283 Remote Database Access ....................................................................283 ODBC and JDBC Drivers..............................................................284 Connecting to Databases with the java.sqlPackage......................287 Setting Up a Database Connection................................................287 Executing SQL Statements............................................................290 TheStatementAppProgram........................................................291 006021 FM 8/29/00 7:36 AM Page x x JAVASECURITYHANDBOOK Database Security Issues......................................................................295 Securing Database Connections ....................................................296 Securing the User Connection........................................................304 Auditing..........................................................................................309 Database Scanning..........................................................................309 Summary..............................................................................................310 12 The Java Authentication and Authorization Service 311 JAAS Overview ..................................................................................311 JAAS Subjects......................................................................................313 Subject Relationships ....................................................................313 Creating Subjects............................................................................314 Manipulating Subject Attributes....................................................315 Specializing Subject Credentials....................................................317 Authentication with JAAS ..................................................................317 Login Module Configuration and Initialization ............................317 The Authentication Process............................................................322 Callback Handling..........................................................................324 Authorization with JAAS....................................................................328 JAAS Security Policy File Format ................................................328 Using JAAS Security Policy Files..................................................329 Performing Security-Critical Actions ............................................330 JAAS Security Authorization Abstractions....................................331 Standard Java Security Policies with JAAS Permissions..............334 Summary..............................................................................................335 13 CORBA Security 337 CORBA Security Overview................................................................338 CORBA Security Packages............................................................339 CORBA Security Architecture ......................................................340 Core CORBA Security Interfacing................................................342 Authentication......................................................................................346 Delegation............................................................................................350 Authorization ......................................................................................352 Auditing ..............................................................................................353 Nonrepudiation....................................................................................355 Encryption............................................................................................358 Security Policies..................................................................................360 Security Administration ......................................................................362 Summary..............................................................................................362

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.