Java Security Model Lab#1 I. Omaima Al-Matrafi
Safety features built into the JVM Type-safe reference casting Structured memory access (no pointer arithmetic) Automatic garbage collection Array bounds checking Checking references for null (Accessing or modifying null obj.)
Java Sandbox It is the bounds of program play (run) area. Java software programs can run safely, without potential risk to systems or users. 3
The Security Model (JDK 1.0) The Java Security Model is made up of three primary pieces: ▫The Bytecode Verifier ▫The Class Loader ▫The Security Manager 4
These components serve the following purpose: The classes are in the correct format. Only the collect classes are loaded. Untrusted classes will not execute dangerous instructions. Untrusted classes are not allowed to access protected system resources.
Java security Java security technology includes a large set of APIs, tools, and implementations of commonly used security algorithms, mechanisms, and protocols. The Java security APIs span a wide range of areas, including cryptography, public key infrastructure, secure communication, authentication, and access control.
Java SE Security Features Platform Security ▫Strong data typing ▫Automatic memory management ▫Bytecode verification ▫Secure class loading
Cryptography ▫Comprehensive API with support for a wide range of cryptographic services including: digital signatures, message digests, ciphers (symmetric, asymmetric, stream & block), message authentication codes, key generators. ▫Support for a wide range of standard algorithms including RSA, DSA, AES, Triple DES, SHA, PKCS#5, RC2, and RC4.
Authentication and Access Control ▫Abstract authentication APIs that can incorporate a wide range of login mechanisms ▫A comprehensive policy and permissions API that allows the developer to create and administer applications
Secure Communications ▫APIs and implementations for the following standards-based secure communications protocols: Transport Layer Security (TLS), Secure Sockets Layer (SSL), ▫Full support for HTTPS over SSL/TLS is also included. ▫Authenticates peers over an untrusted network and protects the integrity and privacy of data transmitted between them.
Public Key Infrastructure (PKI) ▫Tools for managing keys and certificates.
New in 1.4 Separate packages that are now included as part of JDK ▫JCE - Java Cryptography classes ▫JSSE - Java Secure Sockets Extension ▫JAAS - Java Authentication and Authorization Services ▫More.. 12
JCE – Java Cryptography Extensions JCE covers ▫encryption and decryption symmetric bulk encryption, such as DES, RC2, and IDEA Asymmetric encryption, such as RSA Password-based encryption (PBE) ▫key agreement ▫Message Authentication Code (MAC) 13
JSSE – Java Secure Sockets Extensions JSSE is a Java package that enables secure Internet communications. The Java platform provides protocols that includes functionality for data encryption, message integrity, server authentication, and optional client authentication. 14
JAAS - Java Authentication and Authorization Services JAAS can be used for two purposes: ▫for authentication of users, to reliably and securely determine who is currently executing Java code, regardless of whether the code is running as an application, an applet. ▫for authorization of users to ensure they have the access control rights (permissions) required to do the actions performed. 15
Sample Program.. This program demonstrates how to encrypt/decrypt input using the Blowfish Cipher with the Java Cryptograhpy.
Lab work Read from the user (using Scanner) at least 10 words and write your name and ID then save it in a txt file “lab1.txt”.
HomeWork1 Write a program “wordOccurrence” that reads a word from the user and search for it in a text file ”HW1.txt”. Then, display the number of occurrence for that word. Enter the word: and The number of occurrence is: 5 Write a text file “HW1.txt” with at least 30 words, and write your name and ID at the end. What to submit: wordOccurrence.java The text file “HW1.txt” printout of the output of this program