1. LAB#2 JAVA SECURITY OVERVIEW Prepared by: I.Raniah Alghamdi

2. From first lab  Java security technology includes a large set of APIs, tools, and implementations of commonly used security algorithms, mechanisms, and protocols.  The Java security APIs span a wide range of areas, including cryptography, public key infrastructure, secure communication, authentication, and access control.

3. Java Sandbox  The Java security model is based on a customizable "sandbox" in which Java software programs can run safely, without potential risk to systems or users.

4. Java Sandbox  The name comes from the fact that applets are restricted to act only inside their "sandbox", a safe playing area.  It provides a very restricted environment in which to run untrusted code obtained from the open network.  The downloaded remote code (an applet) is not trusted and can access only the limited resources provided inside the sandbox.  The local code is trusted to have full access to vital system resources (such as the file system).  The sandbox is not a one-size-fits-all model

5. Elements of Java Sandbox  The sandbox is composed of five elements: 1. Permissions 2. Keystores 3. Code sources 4. Protection domain 5. Policy files

6. Elements of Java Sandbox 1. Permissions : A permission is a specific action that code is allowed to perform.  Permissions are composed of three elements : 1- Type of the permission 2- Name 3- Action e.x: permission java.security.Allpermission; permission java.lang.RuntimePermission “stopThread”; permission java.io.FilePermission “/tmp/abc”, “read” ;

7. Elements of Java Sandbox 2. Keystores:  Code signing is one way which code can be granted more latitude. Signed code depends on public key certificates, they held in a location called a keystore.  Remember that public/private keys come in pairs. As we know, code can be digitally signed by a person or organizatin. The key used to actually sign the code is the signer's private key. The key used to check the signature for validity is the signer's public key.

8. Elements of Java Sandbox 3. Code sources:  They are the location from which a class has been loaded along with information about who signed the class if applicable.  The location specified by a URL : From the file system (file-based URL) or from network (network-based URL).  java.security.CodeSource

9. Elements of Java Sandbox 4. Protection domain: are the basic concept of the default sandbox, Ex:  code loaded from www.oreilly.com allowed to read file from my disk  code loaded from www.sun.com allowed to initiate print jobs  java.security.ProtectionDomain

10. Elements of Java Sandbox 5. Policy files :  Policy files are the administrative element that controls the sandbox.  Policy files are simple files that can be created and modified by text editor. The policy is represented by a policy object as instantiated from the class java.security.Policy grant [signedBy “signer_names”,] [codebase “URL”] { permission permission_class_name “target_name”, [“action”] [, signedBy “signer_names”]; Ex. grant signedBy “ACME Software” codebase http://www.acme.com/- { permission java.io.FilePermission “c:\\autoexec.bat”,”read”; permission java.lang.RunTimePermission “queuePrintJob”; }

11. Java Security Model  The class loader  The Byte code verifier  The security manager

12. The class loader  One or more class loaders load classes that are not found on the CLASSPATH  Built-in classes are considered to be “trusted” and are always run in preference of a downloaded class of the same name.

13. The bytecode Verifier  Ensures that Java class files follow the rules of the Java language  helps enforce memory protections for all Java programs  not all files are subject to bytecode verification

14. The security manager  It is the primary interface between the core API and the operating system  It has the ultimate responsibility for allowing or preventing access to all system resources  Each application can have an individual security policy  Security policies are defined in external files that are accessible by the security manager  The security manager enforces the specified security policy

15. Java Security APIs  Separate packages that are now included as part of JDK 1.4  JCE - Java Cryptography classes  JSSE - Java Secure Sockets Extension  JAAS - Java Authentication and Authorization Services  More..

16. JCE - Java Cryptography Extension  It is an extension of the JCA  JCE provides a framework and implementations for:  encryption and decryption symmetric bulk encryption, such as DES, RC2, and IDEA Symmetric stream encryption, such as RC4 Asymmetric encryption, such as RSA Password-based encryption (PBE)  Key generation and key agreement  Message Authentication Code (MAC) algorithms.

17. JSSE - Java Secure Socket Extension  It enables secure Internet communications.  It provides a framework and an implementation for a Java version of the Secure Sockets Layer (SSL), and Transport Layer Security (TLS) protocols.  It includes functionality for data encryption, server authentication, message integrity, and optional client authentication.

18. JAAS - Java Authentication and Authorization Service  It is a framework for user-based authentication and authorization.  It can be used for two purposes:  authentication of users, to reliably and securely determine who is currently executing Java code, regardless of whether the code is running as an application or an applet  authorization of users to ensure they have the access control rights (permissions) required to do the actions performed.

19. Lab work  Create any txt file (e.g :massage.txt) which contains at least 10 lines  Then write a program that reads this file and prints out the frequency of each alphapatic letter ( The frequency of letter ‘a’ =…., The frequency of letter ‘b’ =….", etc). Your output should be easily readable - maybe in tabular format in text file.  Write at the end of txt file your name and ID.