Java Security Session 19

Java Security / 2 of 23
Objectives
- Discuss Java cryptography
- Explain the Java Security Model
- Discuss each of the components that comprise the JSM
- Describe the security tools available as part of the Java platform

Introduction
- Security on the Internet is a big issue today
    - Corruption of data
    - Denial of access to services
    - Attacks that simply annoy users
- Security model in Java2 has been enhanced to enable digitally signed applets to be run on the web
- Security of precious goods is only as good as the defense mechanism employed to guard it

Java2 security model
- Byte code verifier
- Class Loader
- Security Manager

Byte Code Verifier
- Examines the byte codes of a class before executing it
- This verifies:
    - Byte code represents legal JVM operations
    - Possibilities of stack overflow or underflow
    - Byte code does not compromise the type safety of operands
    - Class methods observe all access specifiers such as public, private, etc.

Class Loader
- The functions of a Class Loader include:
    - Preventing conflict between any running programs that may have identical class names
    - Ensuring that users do not load system classes
- Byte code in this stage is assumed to be valid
- Applet Security Manager checks applets

Java Security Manager (JSM)
- Applets have to be downloaded and hence can cause potential attacks
- Applets can only manipulate data within a specified area (sandbox) of the hard disk
- Security Manager provides a sandbox and also allows one to create a sandbox
- JSM also controls access to important resources, operations and files
- Standalone applications are trusted by default

Java Security Model
[Figure: two panels, JDK 1.0 and JDK 1.1]
- JDK 1.0: Applications (Trusted by default); Applets (Untrusted by default); System and Network Resources; Access Denied
- JDK 1.1: Applications (Trusted by default); Unsigned Applets (Untrusted by default); Signed Applets (Trusted); System and Network Resources; Access Denied

java.policy file
- Security policy file is located at JAVA_HOME\lib\security\java.policy, where JAVA_HOME indicates the location of the JDK
- It is possible to specify a security policy that determines the access type an application or an applet is allowed

Safe environment in JSM
[Figure: flow diagram. Labels: Java Code; Java Compiler; Class Files (byte code); Transmission over Network or local file system; Byte code verifier; Class Loader; Java Interpreter; Security Manager (if present); Executed program]

JDK security tools
- Authentication is an important and vital issue
- A digital signature solves two vital security concerns:
    - Authentication
    - Integrity
- Sun offers three tools to digitally sign applets: jar, jarsigner and keytool
- A system on the Internet should look out for components that lay the system open to intruders

The keytool utility (1)
- Used to create and manage public keys, private keys and security certificates
- In private key cryptography, a process takes a piece of data and uses a special key such as a password to produce an encrypted password
- Only with the help of the key can one decrypt the original message
- Data Encryption Standard is a widely used cryptographic system

The keytool utility (2)
- Public key cryptography is based on mathematical algorithms
- Two keys that are mathematically related are created
- One for encryption and the other for decryption
- Used for:
    - Managing public/private key pairs
    - Storing public keys of people and groups
    - Authentication of one's identity
    - Verifying the source and integrity of data
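
Added example (not part of the original slides): a Java sketch of how a public/private key pair gives the two properties a digital signature is used for, authentication and integrity. The class name SignVerifyDemo, the choice of SHA256withRSA and the sample bytes are assumptions made for this illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;

public class SignVerifyDemo {   // hypothetical name, added for illustration
    static final String ALGORITHM = "SHA256withRSA";   // assumed algorithm choice

    // Only the holder of the private key can produce this value.
    static byte[] sign(PrivateKey key, byte[] data) throws GeneralSecurityException {
        Signature s = Signature.getInstance(ALGORITHM);
        s.initSign(key);
        s.update(data);
        return s.sign();
    }

    // Anyone holding the public key can check the data against the signature.
    static boolean verify(PublicKey key, byte[] data, byte[] sig) throws GeneralSecurityException {
        Signature s = Signature.getInstance(ALGORITHM);
        s.initVerify(key);
        s.update(data);
        return s.verify(sig);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair signer = gen.generateKeyPair();
        KeyPair other = gen.generateKeyPair();   // stands in for an unrelated party

        // Constructed sample data standing in for the bytes of a class file.
        byte[] data = "constructed sample: contents of MyApplet.class".getBytes(StandardCharsets.UTF_8);
        byte[] sig = sign(signer.getPrivate(), data);

        byte[] tampered = data.clone();
        tampered[0] ^= 0x01;                     // flip a single bit

        // Integrity: any change to the data makes verification fail.
        // Authentication: only the signer's public key verifies the signature.
        System.out.println("original data, signer's key: " + verify(signer.getPublic(), data, sig));
        System.out.println("tampered data, signer's key: " + verify(signer.getPublic(), tampered, sig));
        System.out.println("original data, other key:    " + verify(other.getPublic(), data, sig));
    }
}
```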

The keytool utility (3)
- Information managed by keytool is stored in a database called a keystore
- One can check the existence of a keystore by:
    keytool -list
    keytool -list -keystore C:\myfolder\mystore
- The -genkey option of keytool creates a public/private key pair:
    keytool -genkey -alias aliasname
- While adding a key to a new keystore, a password has to be given

Creating a key pair (1)
- The keytool utility asks a number of questions when we create a new key pair
- Example:
    Alias: aptechkey
    Organizational unit: Software Dev
    Organization: Gates Corp.
    City: Palo Alto, CA.
    State: CA (for California)
    Country code: CA
    Key password: aptECH2k01

Creating a key pair (2)
- The command keytool -list -v -alias aptechkey gives the following output:

Working with certificates (1)
- Statement signed by an authority
- Indicates that the public key of a person has important value
- Digital certificates associate an identity with a public key
- Identity is called subject
- Authority that signs is called signer

Working with certificates (2)
- Certificates follow the X.509 standard
- When we create a new public/private key pair, a self-signed certificate, signed by the same entity that created the key pair, is obtained
    keytool -alias aptechkey -certreq -file aptechreq.txt
- The keytool utility can display, import and export certificates in addition to key pairs

jar tool and jarsigner tool
- Before a Java program can be digitally signed, it must be packaged into an archive form consisting of all class files and other files with the help of the jar tool
- jarsigner then digitally signs a Java archive:
    jarsigner MyApplet.jar aptechkey
- The key must have gone through a verification process before use

Java Cryptography
- Java Cryptography classes enable us to encrypt and decrypt programs
- It also provides passwords to secure access
- The java.security file should include the following line:
    policy.url.2=file:${user.home}/.java.policy