
Sun Educational Services

Check Your Progress


• Draft an outline of items to address when developing a policy for Java security.
• Distinguish between the two classes of security problems (nuisances and security breaches) and assess the risks posed by each.
• Evaluate the benefits of using Java, applets, and Java-enabled browsers against the risks and potential costs.
• Compile a list of reputable security Web sites, newsgroups, and mailing lists to monitor for the latest security-related information.

Implementing Java Security Module 15, slide 8 of 8


Copyright 1998 Sun Microsystems, Inc. All Rights Reserved. SunService April 1998

Other Security Considerations


• Isolating vital machines
• Use of auditing and logging
• System (hardware) security
• Protection from environment
• Physical access

Implementing Java Security Module 15, slide 7 of 8



Outlining a Java Security Policy


• List of newsgroups and sites to monitor
• Web browser policy for applets
• Encryption, algorithms to use
• Digital signatures, who creates certificates for you
• Controlling access to system resources, files, and data

Implementing Java Security Module 15, slide 6 of 8



Monitoring CERT and Other Security Groups

• Security plan should include:
• Newsgroups to join
• Sites to monitor
• Time set aside to monitor sites and newsgroup information
• Security practices of your system administrator

Implementing Java Security Module 15, slide 5 of 8



Risks, Costs, and Benefits


• Nuisances and security breaches
• Risks and severity of each
• Summary of available Java features
• Browsers and applets
• Policy for Web use

Implementing Java Security Module 15, slide 4 of 8



Risks, Costs, and Benefits


• Determining and assessing risk
• What does loss of system functionality, performance, data, and information mean to you?
• Costs of security
• Risk
• Cost to implement security
• Value of asset
• Cost to company if security breached

Implementing Java Security Module 15, slide 3 of 8



Module Overview
• Course map
• Relevance
• Objectives
• References

Implementing Java Security Module 15, slide 2 of 8



Module 15

Balanced Solutions

Implementing Java Security April 1998



Think Beyond
• What do you do, knowing environments are not totally secure?
• How do you create a workable security plan?
• What is the trade off between security and usability?

Implementing Java Security Module 14, slide 23 of 23



Check Your Progress


• Identify and describe the four classes of security threats posed by Java applets.
• Write a malicious applet that consumes resources on your system.
• Justify the discussion of Internet security problems in a Java security class.
• Describe how each of the following has been exploited: sendmail, telnet, Berkeley r commands.
• Use snoop to monitor remote logins and observe passwords in transit.
• Use telnet and the sendmail port to forge an email message.

Implementing Java Security Module 14, slide 22 of 23



Exercise: Malicious Applets, False Mail, Password Snooping
• Objective
• Preparation
• Tasks
• Malicious applets
• False mail
• Password snooping
• Exercise summary

Implementing Java Security Module 14, slide 21 of 23



Internal Risks
• Biggest threat
• Unintentional threats
• Social engineering
• Educating employees
• Intentional threats

Implementing Java Security Module 14, slide 20 of 23



Berkeley r Commands
• rexec
• rlogin and rsh commands
• rlogin
• rsh
• Trusted hosts and users – /etc/hosts.equiv and $HOME/.rhosts
• r command conditions

Implementing Java Security Module 14, slide 19 of 23



Email
• Definition of SMTP
• UNIX implementation of SMTP – sendmail
• Accessing the SMTP port
• SMTP commands
• Weaknesses in SMTP – MAIL FROM, VRFY/EXPN
• Security options in Version 8 of sendmail

Implementing Java Security Module 14, slide 18 of 23



Passwords
• Importance of protecting passwords
• Password security problems
• Password cracking programs
• Crack and CrackJack
• Packet sniffers
• snoop, Sniffit, Network General Sniffer, Tcpdump 3.0, Gobbler, ethdump v1.03, Net Monitor
• Social engineering

Implementing Java Security Module 14, slide 17 of 23



Common Internet Security Problems


Analysis shows most common problems relate to:
• Passwords
• Email
• Trusted hosts

Implementing Java Security Module 14, slide 16 of 23



Security-Related WWW Sites


• Java-related
• JavaSoft
• RST Corp
• Princeton
• General
• COAST
• 8lgm
• L0pht
• Phrack

Implementing Java Security Module 14, slide 15 of 23



Security-Related Mailing Lists


• Bugtraq
• BOS
• CIAC-notes

Implementing Java Security Module 14, slide 14 of 23



cert-advisory Mailing List


• Subscribing
• Email to cert-advisory-request@cert.org.
• Subject line, type SUBSCRIBE your-email-address.
• Unsubscribing
• Email to cert-advisory-request@cert.org.
• Subject line, type UNSUBSCRIBE and the exact address you gave when you subscribed.

Implementing Java Security Module 14, slide 13 of 23



CERT
• What it is
• What it does
• CERT advisories
• Where advisories are published
• Vendor-initiated bulletins

Implementing Java Security Module 14, slide 12 of 23



CLASSPATH and Security


• Built-in classes bypass verification
• Placing a class in CLASSPATH makes it built-in
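Added example, not from the course materials: a small audit utility that reports which class loader loaded a class and what code source it came from, so an administrator can see which classes the virtual machine treats as built-in (a null class loader is the bootstrap, or primordial, loader). The class and method names are my own; the JDK calls are standard. Note that on current JDKs the classes on CLASSPATH are loaded by the application class loader and are verified, so the "built-in" status the slide describes is specific to the JDK 1.1 behaviour the course covers; the check still shows where every class in a running program came from.

```java
import java.security.CodeSource;
import java.security.ProtectionDomain;

// Added example (not the course's code): report loader and code source of loaded classes.
public class ClassOriginAudit {

    /** Describes the loader and code source of an already-loaded class. */
    public static String describe(Class<?> c) {
        ClassLoader loader = c.getClassLoader();
        // A null loader means the bootstrap (primordial) loader: the class is treated
        // as part of the platform itself rather than as application code.
        String loaderName = (loader == null)
                ? "bootstrap (built-in)"
                : loader.getClass().getName();
        ProtectionDomain pd = c.getProtectionDomain();
        CodeSource cs = (pd == null) ? null : pd.getCodeSource();
        String location = (cs == null || cs.getLocation() == null)
                ? "no code source (platform class)"
                : cs.getLocation().toString();
        return c.getName() + " loader=" + loaderName + " source=" + location;
    }

    /** True when the class was loaded by the bootstrap loader. */
    public static boolean isBuiltIn(Class<?> c) {
        return c.getClassLoader() == null;
    }

    public static void main(String[] args) throws ClassNotFoundException {
        System.out.println(describe(String.class));            // bootstrap, no code source
        System.out.println(describe(ClassOriginAudit.class));  // application loader, CLASSPATH location
        // Any further class names given on the command line are loaded and reported too.
        for (String name : args) {
            System.out.println(describe(Class.forName(name)));
        }
    }
}
```

Run it with the names of the classes an application ships, and compare the reported code source against the directories and archives the CLASSPATH is supposed to contain.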

Implementing Java Security Module 14, slide 11 of 23



Instead of suspend and resume


• Object.wait
• Object.notify
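Added example, not from the course materials: a worker thread that can be paused and resumed with Object.wait and Object.notifyAll in place of the deprecated Thread.suspend and Thread.resume. The class and method names are my own. suspend() stops a thread while it keeps every monitor it holds, so a thread suspended while holding a lock that another thread needs leaves the program deadlocked; wait() releases the monitor it is called on for as long as the thread sleeps, and the worker re-checks its condition in a loop because wait() may return spuriously.

```java
// Added example (not the course's code): pause/resume with wait/notifyAll.
public class PausableWorker implements Runnable {
    private final Object lock = new Object();   // monitor guarding 'paused' and the counter
    private boolean paused = false;
    private volatile boolean running = true;
    private int framesRendered = 0;

    // Called from the controlling thread (an applet's stop/start, or a UI control).
    public void pause() {
        synchronized (lock) { paused = true; }
    }

    public void resume() {
        synchronized (lock) {
            paused = false;
            lock.notifyAll();   // wake the worker if it is blocked in wait()
        }
    }

    public void shutdown() {
        running = false;
        resume();               // release a worker that is currently waiting
    }

    public int getFramesRendered() {
        synchronized (lock) { return framesRendered; }
    }

    public void run() {
        while (running) {
            try {
                awaitIfPaused();
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
                return;
            }
            if (!running) return;
            renderFrame();      // the work itself runs without holding the monitor
        }
    }

    private void awaitIfPaused() throws InterruptedException {
        synchronized (lock) {
            // Loop: wait() may return spuriously, and the condition is only
            // trustworthy while the monitor is held.
            while (paused && running) {
                lock.wait();    // releases 'lock' while waiting, unlike suspend()
            }
        }
    }

    private void renderFrame() {
        synchronized (lock) { framesRendered++; }   // stands in for drawing a frame
        try {
            Thread.sleep(20);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
        }
    }

    public static void main(String[] args) throws InterruptedException {
        PausableWorker w = new PausableWorker();
        Thread t = new Thread(w, "animator");
        t.start();
        Thread.sleep(200);
        w.pause();
        int atPause = w.getFramesRendered();
        Thread.sleep(200);
        // At most one frame that was already in progress completes after pause().
        System.out.println("frames rendered while paused: " + (w.getFramesRendered() - atPause));
        w.resume();
        Thread.sleep(200);
        w.shutdown();
        t.join(1000);
        System.out.println("total frames: " + w.getFramesRendered());
    }
}
```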

Implementing Java Security Module 14, slide 10 of 23



Example of Recommended Programming

// The applet's start/stop/run methods, wrapped in a class so the example compiles.
public class AnimatorExample implements Runnable {
    private Thread animatorThread;   // the thread running run(); null asks it to exit
    private boolean frozen = false;  // set when the user asks the animation to stop

    public void start() { // applet's start method
        if (frozen) {
            // Do nothing. The user has requested that we
            // stop changing the image.
        } else {
            // Start animating!
            if (animatorThread == null) {
                animatorThread = new Thread(this);
            }
            animatorThread.start();
        }
    }

    public void stop() { // applet's stop method
        animatorThread = null;
    }

    public void run() {
        // ...
        while (Thread.currentThread() == animatorThread) {
            // ... Display a frame of animation and then sleep.
            try {
                Thread.sleep(100);
            } catch (InterruptedException e) {
                break;
            }
        }
    }
}

Implementing Java Security Module 14, slide 9 of 23



Deprecation of Thread Methods


• Reasons for deprecation
• Proper construction of runnable applets

Implementing Java Security Module 14, slide 8 of 23



Denial of Service Applets


• Steps to creating
• Too many windows
• No untrusted window banner

Implementing Java Security Module 14, slide 7 of 23



Malicious Applets
• They exist
• What they can do
• Dealing with them
• Examples of annoying applets
• Moving dialog
• Sounds that will not stop

Implementing Java Security Module 14, slide 6 of 23



Attack Applets
• No reported security breaches
• Does not mean they have not occurred
• Research teams have shown they are possible
• Refer to Appendix C

Implementing Java Security Module 14, slide 5 of 23



Security Threats Posed by Java Applets
• Types of threats
• Attacks that modify the system
• Attacks that invade a user’s privacy
• Attacks that deny legitimate use of system resources
• Attacks that antagonize or annoy a user
• Attack applets and malicious applets

Implementing Java Security Module 14, slide 4 of 23



Problems Still Exist


• Java technology and the Internet
• Focus of this module

Implementing Java Security Module 14, slide 3 of 23



Module Overview
• Course map
• Relevance
• Objectives
• References

Implementing Java Security Module 14, slide 2 of 23



Module 14

Applets and Common Internet Security Problems

Implementing Java Security April 1998



Think Beyond
• With the availability of security protocols, digital signatures, certificates, access control mechanisms, and so forth, how secure are your Java programs?
• How secure is the Internet?
• Can Java applets still cause problems?

Implementing Java Security Module 13, slide 15 of 15



Check Your Progress


• Compare and contrast the common security features of most WebServers and those provided in the Java WebServer.
• Describe the security features provided in the HotJava browser.
• Configure the HotJava browser for security using the Applet Security, Advanced Security, and SSL and Certificate Settings options of the Edit -> Preferences menu.

Implementing Java Security Module 13, slide 14 of 15



Exercise: Investigating Browser Security Settings
• Objective
• Preparation
• Tasks
• Exercise summary

Implementing Java Security Module 13, slide 13 of 15



Java Card
• What it is
• Features and benefits
• Java Card specification

Implementing Java Security Module 13, slide 12 of 15



Firewalls and Browsers


• Blocking Java applets
• HTML parsing
• .class files and binaries
• HotJava browser and firewalls
• IP tunnelling
• SSL tunnelling through firewalls

Implementing Java Security Module 13, slide 11 of 15



Advanced Applet Security Settings


• Applies to signed applets
• Gives finer-grained control
• Uses certificates and Web sites

Implementing Java Security Module 13, slide 10 of 15



Applet Security Settings


• Untrusted
• High Security
• Medium Security
• Low Security

Implementing Java Security Module 13, slide 9 of 15


HotJava Security Settings

Implementing Java Security Module 13, slide 8 of 15



HotJava Browser Security Settings


• Accessing security settings
• Edit -> Preferences menu

Implementing Java Security Module 13, slide 7 of 15



Security Configuration in Browsers


• Java/applet security
• SSL and certificates
• Mail
• Security zones
• Web page encryption

Implementing Java Security Module 13, slide 6 of 15



What SSL Provides to Your Web Site


• Server authenticated to clients
• Requests to server are encrypted
• Data is protected from third-party tampering
• Clients can authenticate themselves to server

Implementing Java Security Module 13, slide 5 of 15



Java Web Server


Additional features of Java Web Server:
• Simple administration
• Secured administration
• Platform independence
• Servlet sandboxing

Implementing Java Security Module 13, slide 4 of 15



Web Servers
• Basic security features
• Basic authentication
• Digest authentication
• SSL server authentication
• SSL privacy protection
• Realms with users and groups
• ACLs to protect access to Web pages

Implementing Java Security Module 13, slide 3 of 15



Module Overview
• Course map
• Relevance
• Objectives
• References

Implementing Java Security Module 13, slide 2 of 15



Module 13

Java Security-Related
Software and Products

Implementing Java Security April 1998



Think Beyond
• What are some of the Sun Java products and software
that support security protocols?
• What features do they provide?

Implementing Java Security Module 12, slide 16 of 16



Check Your Progress


• Describe the main packages and classes provided with the SSL API.
• Write a Java program that uses encryption to protect data in files or streams.

Implementing Java Security Module 12, slide 15 of 16



Exercise: Using Cryptography in Java Programs
• Objective
• Preparation
• Tasks
• SSL Socket Application Layer
• Using the HTTPS Protocol
• Exercise Summary

Implementing Java Security Module 12, slide 14 of 16



Using the SSL Packages


HARD COPY HANDOUT

Implementing Java Security Module 12, slide 13 of 16



CertStore Class
• Purpose
• Information provided to CertStore
• Help option
• Example syntax use
> java sun.security.CertStore -keystore %HOME%\keys -selfcert

Implementing Java Security Module 12, slide 12 of 16



Login Facility
• Purpose
• Using the Login class
> java -Duser.keystore=%HOME%\keys sun.security.Login sun.security.AuthGUI MySSLApplication

• Login class main() method

Implementing Java Security Module 12, slide 11 of 16



Cipher Suites
• Definition
• Negotiation process
• Cipher suites names

Implementing Java Security Module 12, slide 10 of 16



Classes
• CACertificateStoreImpl
• CertFileManager
• Verisign
• AuthContext
• AuthGUI
• AuthTTY
• CertStore
• Login
• SimpleTrustDecider

Implementing Java Security Module 12, slide 9 of 16



Interfaces
• KeyStore
• CACertificateStore
• AliasChooser
• TrustDecider

• channel

• codesigning

• ExportControl

Implementing Java Security Module 12, slide 8 of 16



sun.security Package

(Class-hierarchy figure of the sun.security package with columns Interfaces, Classes, Implements, and Subclass; only the names survive extraction.)

• Interfaces: KeyStore, CACertificateStore, AliasChooser, TrustDecider, ExportControl
• Classes (subclasses of Object): CACertificateStoreImpl, CertFileManager, AuthContext, AuthGUI, AuthTTY, Login (final), Verisign (final), SimpleTrustDecider (final), CertStore (final)
• Also shown: Dictionary

Implementing Java Security Module 12, slide 7 of 16



Implementation Classes
• Functionality provided

• Packages provided

• sun.security
• sun.security.ssl
• sun.security.x509
• sun.security.jsafe

Implementing Java Security Module 12, slide 6 of 16



SSL Socket Factories


import java.net.ServerSocket;
import java.net.Socket;
import javax.net.ServerSocketFactory;
import javax.net.SocketFactory;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocketFactory;

// Use the SSL factories in place of the plain socket constructors;
// the sockets they return are used like normal sockets.
SocketFactory sf = SSLSocketFactory.getDefault();
Socket s = sf.createSocket("hostname", port);

ServerSocketFactory ssf = SSLServerSocketFactory.getDefault();
ServerSocket ss = ssf.createServerSocket(port);
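Added example, not from the course materials: a client that obtains its socket from the SSL factory as above, but fixes the protocol versions and turns on hostname verification before the handshake, then reports what was negotiated and which certificate the server presented. It uses the current JSSE API (SSLParameters, endpoint identification, Java 7 or later; the TLSv1.3 entry needs Java 11 or later), which postdates the 1998 extension shown on this slide; the class name, method names and the placeholder host "example.com" are my own.

```java
import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HandshakeCompletedEvent;
import javax.net.ssl.HandshakeCompletedListener;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Added example (not the course's code): an SSL client with its security
// properties pinned down before the handshake starts.
public class CheckedSslClient {

    public static SSLSocket connect(String host, int port) throws IOException {
        SSLSocketFactory sf = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket s = (SSLSocket) sf.createSocket(host, port);

        SSLParameters params = s.getSSLParameters();
        // Refuse legacy protocol versions instead of letting the peer choose.
        params.setProtocols(new String[] { "TLSv1.3", "TLSv1.2" });
        // Require that the server certificate actually names 'host'.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        s.setSSLParameters(params);

        s.addHandshakeCompletedListener(new HandshakeCompletedListener() {
            public void handshakeCompleted(HandshakeCompletedEvent ev) {
                System.out.println("negotiated " + ev.getSession().getProtocol()
                        + " with cipher suite " + ev.getCipherSuite());
            }
        });
        s.startHandshake();   // fails here, before any application data, if verification fails
        return s;
    }

    /** Subject of the leaf certificate the server presented during the handshake. */
    public static String peerSubject(SSLSocket s) throws SSLPeerUnverifiedException {
        Certificate[] chain = s.getSession().getPeerCertificates();
        return ((X509Certificate) chain[0]).getSubjectX500Principal().getName();
    }

    public static void main(String[] args) throws IOException {
        String host = args.length > 0 ? args[0] : "example.com";   // placeholder host
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        try (SSLSocket s = connect(host, port)) {
            System.out.println("server certificate subject: " + peerSubject(s));
        }
    }
}
```

The default factory trusts the certificate authorities in the JDK's cacerts store; a server whose certificate does not chain to one of them, or whose certificate names a different host, causes startHandshake() to throw rather than silently proceeding.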

Implementing Java Security Module 12, slide 5 of 16



Standard Java Extension


javax.net
• Abstract classes: ServerSocketFactory, SocketFactory

javax.security.cert
• Abstract classes: Certificate, X509Certificate

javax.net.ssl
• Interfaces: SSLSession, SSLSessionContext, HandshakeCompletedListener, SSLSessionBindingListener
• Abstract classes: SSLServerSocket, SSLSocket, SSLServerSocketFactory, SSLSocketFactory
• Classes: HandshakeCompletedEvent, SSLSessionBindingEvent

Implementing Java Security Module 12, slide 4 of 16



Secure Sockets Layer API


• Standard Java Extension
• Implementation classes

Implementing Java Security Module 12, slide 3 of 16



Module Overview
• Course map
• Relevance
• Objectives
• References

Implementing Java Security Module 12, slide 2 of 16



Module 12

Encryption and SSL

Implementing Java Security April 1998



Think Beyond
• How can SSL be used in applications to encipher data sent between clients and servers?
• How is SSL used in client programs that use the HTTPS protocol in accessing a URL?

Implementing Java Security Module 11, slide 20 of 20



Check Your Progress


• Explain the importance of the Secure Socket Layer (SSL) protocol and identify products or technologies that are using it.
• Describe Secure Key Internet Protocol (SKIP) and identify products or technologies that are using it.
• Evaluate the necessity of secure multicast for secure communications.
• Explain how SKIP can be used with secure multicast.
• Define, and provide examples of, covert channels.

Implementing Java Security Module 11, slide 19 of 20



Covert Channels
• What are they?
• What are the security issues?
• Examples of covert channels
• Java DNS security bug
• Concurrency control locks
• AIX PIDs
• Covert channel analysis

Implementing Java Security Module 11, slide 18 of 20



Secure Multicast
• Definition
• Why secure multicast is necessary
• SKIP and secure multicast
• Requirements

Implementing Java Security Module 11, slide 17 of 20



Comparison of SSL and SKIP


• Both
• Authentication
• Confidentiality
• Integrity protection
• Only SSL
• Richer authentication infrastructure
• Algorithm flexibility
• Application flexibility

Implementing Java Security Module 11, slide 16 of 20



SKIP
• Definition
• Characteristics of SKIP
• SKIP and Java
• How does SKIP enhance security?
• Advantages of using SKIP
• Technologies using SKIP

Implementing Java Security Module 11, slide 15 of 20



JSAFE
• Developed by RSA Digital Security
• JSAFE feature summary

Implementing Java Security Module 11, slide 14 of 20



Products Implementing SSL and S-HTTP

• Sun Microsystems: Java Web Server, Java Server Toolkit, HotJava browser
• Netscape: Netscape Navigator, Netscape SuiteSpot family, other server products
• Open Market: Secure WebServer
• SPRY: SPRY SafetyWeb Server
• Terisa Systems: SecureWeb
• SSLava Toolkit
• Crypto

Implementing Java Security Module 11, slide 13 of 20



S-HTTP
• Creating an S-HTTP message
• Receiving an S-HTTP message
• Message protection

Implementing Java Security Module 11, slide 12 of 20



S-HTTP
• Characteristics of S-HTTP
OSI model: layers, the function each provides, and where S-HTTP, SSL, and SKIP sit

OSI layer | Function provided | Protocol
Application | Network applications such as file transfer and terminal emulation | S-HTTP
Presentation | Data formatting and encryption |
Session (TCP) | Establishment and maintenance of sessions | SSL
Transport (TCP) | Provision for end-to-end reliable and unreliable delivery |
Network (IP) | Delivery of packets of information, which includes routing | SKIP
Data Link | Transfer of units of information, framing, and error checking |
Physical | Transmission of binary data over a medium |

(In the figure, S-HTTP is drawn between the Application and Presentation layers, SSL between the Session and Transport layers, and SKIP at the Network layer.)

Implementing Java Security Module 11, slide 11 of 20


Browser Authentication

(Figure: exchange between Web Browser and Web Server, steps 4 to 8, continuing the Server Authentication figure. Only the labels survive extraction: the messages in each step are DES-enciphered, and steps 7 and 8 carry a "Hello" message.)

Step 4: DES-enciphered exchange
Step 5: DES-enciphered exchange
Step 6: DES-enciphered exchange
Step 7: DES-enciphered exchange; Hello
Step 8: DES-enciphered exchange; Hello

Implementing Java Security Module 11, slide 10 of 20


Server Authentication
(Figure: exchange between Web Browser and Web Server, steps 1 to 3. Only the labels survive extraction.)

Step 1: Request for SSL transaction; list of usable ciphers
Step 2: Digital certificate and server information; MD5 digest; notice of strongest common cipher to use
Step 3: MD5 digest of the server information; compare

Implementing Java Security Module 11, slide 9 of 20



telnet Implementation Example


• Modify telnet daemon and telnet client to support SSL
• Connect secure client to secured daemon to create a secure connection.
• Connecting nonsecure client to secured daemon or secure client to nonsecured daemon results in nonsecure transmission.

Implementing Java Security Module 11, slide 8 of 20



Client / Server

Client to Server:
• ClientHello. Initiated by the client's HTTPS request to a secure server.

Server to Client:
• ServerHello
• Certificate. Sends its digital certificate to assure the client of its identity.
• ServerKeyExchange
• CertificateRequest*
• ServerHelloDone

Client to Server:
• Certificate*
• ClientKeyExchange. The client authenticates the server, creates a session key, and sends it, enciphered with the server's public key.
• CertificateVerify*
• [ChangeCipherSpec]
• Finished

Server to Client:
• [ChangeCipherSpec]
• Finished. The server deciphers the session key and sends the requested object, enciphered with the session key.

ChangeCipherSpec is an independent SSL protocol content type and is not really an SSL handshake message.
* Optional or situation-dependent messages that are not always sent.
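Added example, not from the course materials: a parser for the outer framing of the messages listed above. It walks a byte stream record by record and names each message, which makes the slide's last point concrete: ChangeCipherSpec is a record content type of its own (20), while ClientHello, ServerHello, Certificate and the rest are message types carried inside a Handshake record (content type 22). The byte layout is the SSL 3.0/TLS record format (type, two version bytes, two length bytes, body; handshake messages carry a one-byte type and three-byte length). The sample bytes in main() are constructed by hand, not captured traffic, and the class and method names are my own.

```java
import java.util.ArrayList;
import java.util.List;

// Added example (not the course's code): classify SSL/TLS records and the
// handshake messages inside them.
public class HandshakeFraming {

    static final int CHANGE_CIPHER_SPEC = 20, ALERT = 21, HANDSHAKE = 22, APPLICATION_DATA = 23;

    static String handshakeTypeName(int t) {
        switch (t) {
            case 1:  return "ClientHello";
            case 2:  return "ServerHello";
            case 11: return "Certificate";
            case 12: return "ServerKeyExchange";
            case 13: return "CertificateRequest";
            case 14: return "ServerHelloDone";
            case 15: return "CertificateVerify";
            case 16: return "ClientKeyExchange";
            case 20: return "Finished";
            default: return "handshake type " + t;
        }
    }

    /** Walks a byte stream of complete records and names each message it contains. */
    public static List<String> describe(byte[] data) {
        List<String> out = new ArrayList<>();
        int pos = 0;
        while (pos + 5 <= data.length) {
            int type = data[pos] & 0xff;
            int version = ((data[pos + 1] & 0xff) << 8) | (data[pos + 2] & 0xff);
            int len = ((data[pos + 3] & 0xff) << 8) | (data[pos + 4] & 0xff);
            int bodyStart = pos + 5;
            if (bodyStart + len > data.length) {
                out.add("truncated record");   // never read past the buffer on short input
                break;
            }
            String ver = (version >> 8) + "." + (version & 0xff);   // 3.0 = SSL 3.0, 3.1 = TLS 1.0
            if (type == HANDSHAKE) {
                // One record may carry several handshake messages: type(1) length(3) body.
                // Simplification: a message is assumed not to span two records.
                int p = bodyStart;
                while (p + 4 <= bodyStart + len) {
                    int msgType = data[p] & 0xff;
                    int msgLen = ((data[p + 1] & 0xff) << 16) | ((data[p + 2] & 0xff) << 8) | (data[p + 3] & 0xff);
                    out.add("Handshake(" + ver + "): " + handshakeTypeName(msgType));
                    p += 4 + msgLen;
                }
            } else if (type == CHANGE_CIPHER_SPEC) {
                out.add("ChangeCipherSpec(" + ver + "): its own content type, not a handshake message");
            } else if (type == ALERT) {
                out.add("Alert(" + ver + ")");
            } else if (type == APPLICATION_DATA) {
                out.add("ApplicationData(" + ver + "): " + len + " bytes");
            } else {
                out.add("unknown content type " + type);
            }
            pos = bodyStart + len;
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample: a Handshake record holding a ClientHello with an empty body,
        // followed by a ChangeCipherSpec record carrying its single 0x01 byte.
        byte[] sample = {
            22, 3, 1, 0, 4,   1, 0, 0, 0,   // Handshake record, version 3.1, length 4: ClientHello, length 0
            20, 3, 1, 0, 1,   1             // ChangeCipherSpec record, version 3.1, length 1
        };
        for (String line : describe(sample)) {
            System.out.println(line);
        }
    }
}
```

Running main() prints one line for the ClientHello and one for the ChangeCipherSpec record; the same describe() method can be pointed at a byte capture of a real handshake to see the order of messages the slide lists.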

Implementing Java Security Module 11, slide 7 of 20



Major Protocol Elements of SSL


• Record layer
• Handshake protocol
• Protocol version
• Session ID
• Cipher suite
• Compression method
• Alerts

Implementing Java Security Module 11, slide 6 of 20



Ciphers
• SSL 2.0 ciphers
• SSL 3.0 ciphers

Implementing Java Security Module 11, slide 5 of 20



SSL
• Characteristics of SSL

HTTP/HTTPS/FTP

Secure Sockets Layer (SSL)

TCP

• Three protocol capabilities


• Authentication, encryption, key exchange

Implementing Java Security Module 11, slide 4 of 20



Secure Communication Protocols


• Elements of secure communication
• Encrypting data sent between applications.
• Distributing the encryption keys.
• Authenticating the identity of the end systems.
• New security protocols
• SSL
• S-HTTP

Implementing Java Security Module 11, slide 3 of 20



Module Overview
• Course map
• Relevance
• Objectives
• References

Implementing Java Security Module 11, slide 2 of 20



Module 11

Secure Communications

Implementing Java Security April 1998



Think Beyond
Secure communication has become an important topic with the emergence of the World Wide Web and the growing Internet.
• What are some of the main protocols being used in Web servers, browsers, and other applications that transmit information, conduct transactions, and so forth?
• What makes these protocols secure?

Implementing Java Security Module 10, slide 16 of 16



Check Your Progress


• Explain the importance of access control lists with regard to security.
• Identify the key classes in the java.security.acl package and explain the purpose of each.
• Write a program that uses the java.security.acl package to create access control lists for controlling resources.

Implementing Java Security Module 10, slide 15 of 16



Exercise: Using Access Control Lists


• Objective
• Preparation
• Tasks
• Exercise summary

Implementing Java Security Module 10, slide 14 of 16



Enforcing Control
• Enforcing control of a resource using an ACL is application specific.
• The lab exercise should make this clear.

Implementing Java Security Module 10, slide 13 of 16



        // This should return false.
        boolean b1 = acl.checkPermission(p1, write);
        System.out.println("user1 has write permission: " + b1);

        // These should all return true.
        boolean b2 = acl.checkPermission(p1, read);
        boolean b3 = acl.checkPermission(p2, read);
        boolean b4 = acl.checkPermission(p2, write);
        System.out.println("user1 has read permission: " + b2);
        System.out.println("user2 has read permission: " + b3);
        System.out.println("user2 has write permission: " + b4);
    }
}

Implementing Java Security Module 10, slide 12 of 16


        //
        // Allow group all permissions
        //
        System.out.println("Creating a new Acl Entry in exampleAcl for the group, ");
        System.out.println(" with read & write permissions");
        AclEntry entry1 = new AclEntryImpl(g);
        entry1.addPermission(read);
        entry1.addPermission(write);
        acl.addEntry(owner, entry1); // ACL contains + entry for g with
                                     // r,w permissions
        //
        // Take away WRITE permissions for
        // user1. All others in groups still have
        // WRITE privileges.
        //
        System.out.println("Creating a new Acl Entry in exampleAcl for user1");
        System.out.println(" without write permission");
        AclEntry entry2 = new AclEntryImpl(p1);
        entry2.addPermission(write);
        entry2.setNegativePermissions();
        acl.addEntry(owner, entry2); // ACL contains - entry for
                                     // p1 with w permission denied
        //
        // This enumeration is an enumeration of
        // Permission interfaces. It should return
        // only "READ" permission.
        Enumeration e1 = acl.getPermissions(p1);
        System.out.println("Permissions for user1 are:");
        while (e1.hasMoreElements()) {
            System.out.println(" " + e1.nextElement());
        }

        //
        // This enumeration should have "READ" and "WRITE"
        // permissions.
        Enumeration e2 = acl.getPermissions(p2);
        System.out.println("Permissions for user2 are:");
        while (e2.hasMoreElements()) {
            System.out.println(" " + e2.nextElement());
        }


Implementing Java Security Module 10, slide 11 of 16


ACL Code Example
// java.security.acl and sun.security.acl were later deprecated and removed from
// the JDK; compile this example with a JDK that still ships both packages.
import java.security.Principal;
import java.security.acl.*;
import sun.security.acl.*;
import java.util.Enumeration;

public class AclEx {

    public static void main(String argv[])
        throws Exception
    {
        // Create Principals and Permissions
        Principal p1 = new PrincipalImpl("user1");
        Principal p2 = new PrincipalImpl("user2");
        Principal owner = new PrincipalImpl("owner");

        Permission read = new PermissionImpl("READ");
        Permission write = new PermissionImpl("WRITE");

        System.out.println("Creating a new group with two members: user1 and user2");
        Group g = new GroupImpl("group1");
        g.addMember(p1);
        g.addMember(p2); // g contains p1 and p2

        //
        // create a new acl with the name "exampleAcl"
        //
        System.out.println("Creating a new Acl named 'exampleAcl'");
        Acl acl = new AclImpl(owner, "exampleAcl");


Implementing Java Security Module 10, slide 10 of 16



ACL Interface Methods

• Acl interface (extends Owner)
  • setName(Principal, String)
  • getName()
  • addEntry(Principal, AclEntry)*
  • removeEntry(Principal, AclEntry)*
  • getPermissions(Principal)
  • entries()
  • checkPermission(Principal, Permission)
• AclEntry interface
  • setPrincipal(Principal)
  • getPrincipal()
  • setNegativePermissions()
  • isNegative()
  • addPermission(Permission)
  • removePermission(Permission)
  • checkPermission(Permission)
  • permissions()
• Group interface (extends Principal)
  • addMember(Principal)
  • removeMember(Principal)
  • isMember(Principal)
• Owner interface
  • isOwner(Principal)
  • addOwner(Principal, Principal)**
  • deleteOwner(Principal, Principal)**

* Only owners can modify ACL entries.

** Only owners can add other principals as owners or delete owners.

The first Principal argument of the starred methods is the caller. The
implementation checks only that this principal is an owner (otherwise it
throws NotOwnerException); nothing authenticates it, so the code that passes
it in must itself have established who the caller is.

The initial owner is configured at ACL construction time.

Implementing Java Security Module 10, slide 9 of 16



Calculating Individual Principal Permissions

Table 1 Example Permission Calculations

Case  Entry          Group G1  Group G2  Union (G1, G2)   Individual P  Resulting P
1     Positive Perm  A         B         A, B             C             A, B, C
      Negative Perm  Null set  Null set  Null set         Null set      Null set
2     Positive Perm  A         B         B (A cancelled)  C             B, C
      Negative Perm  -C        -A        -C               Null set      Null set
3     Positive Perm  A         B         A, B             C             B, C
      Negative Perm  Null set  Null set  Null set         -A            -A
4     Positive Perm  A         C         A (C cancelled)  B             B
      Negative Perm  -C        -B        -B               -A            -A

P is a member of both G1 and G2. The Union column applies Rule 2 (a
permission that the groups both grant and deny cancels out); the Resulting
column applies Rule 3 (the individual's own entries override the group
result in both directions).

Implementing Java Security Module 10, slide 8 of 16



ACL Entries and Permissions


• Positive and negative entries
• ACL entry rules
• Rule 1 – Each principal has at most one positive and
one negative ACL entry.
• Rule 2 – Entries that grant permission X and deny
permission X cancel each other out.
• Rule 3 – Individual principal permissions override
group permissions.

Implementing Java Security Module 10, slide 7 of 16
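The following is an added example, not code from the course: a small, self-contained ACL in plain Java that applies Rules 1 to 3 above and reproduces the four rows of Table 1 (Module 10, slide 8). It deliberately avoids java.security.acl and sun.security.acl, which the course's AclEx uses: java.security.acl was deprecated for removal in JDK 9 and removed in JDK 14, so AclEx no longer compiles on current JDKs. All names here (AclRules, Entry, getPermissions, tableRow) are this example's own; principals are plain strings, and "P" is a member of both G1 and G2 as the table assumes.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

public class AclRules {

    /** One ACL entry: a positive (grant) or negative (deny) permission set for a principal. */
    static final class Entry {
        final String principal;
        final boolean negative;
        final Set<String> permissions;

        Entry(String principal, boolean negative, String... permissions) {
            this.principal = principal;
            this.negative = negative;
            this.permissions = new LinkedHashSet<>(Arrays.asList(permissions));
        }
    }

    private final Map<String, Set<String>> groups = new LinkedHashMap<>();  // group -> members
    private final Map<String, Entry> positive = new LinkedHashMap<>();      // principal -> + entry
    private final Map<String, Entry> negative = new LinkedHashMap<>();      // principal -> - entry

    void addMember(String group, String user) {
        groups.computeIfAbsent(group, g -> new LinkedHashSet<>()).add(user);
    }

    /** Rule 1: at most one positive and one negative entry per principal. */
    void addEntry(Entry e) {
        Map<String, Entry> table = e.negative ? negative : positive;
        if (table.putIfAbsent(e.principal, e) != null) {
            throw new IllegalArgumentException("second entry of the same sign for " + e.principal);
        }
    }

    private Set<String> perms(Map<String, Entry> table, String principal) {
        Entry e = table.get(principal);
        return e == null ? Collections.<String>emptySet() : e.permissions;
    }

    /** Rule 2: a permission that is both granted and denied is removed from both sides. */
    private static void cancelConflicts(Set<String> pos, Set<String> neg) {
        Set<String> both = new LinkedHashSet<>(pos);
        both.retainAll(neg);
        pos.removeAll(both);
        neg.removeAll(both);
    }

    /** Effective permissions of a user: the "Resulting P" column of Table 1. */
    Set<String> getPermissions(String user) {
        // Union of the entries of every group the user belongs to
        Set<String> groupPos = new LinkedHashSet<>();
        Set<String> groupNeg = new LinkedHashSet<>();
        for (Map.Entry<String, Set<String>> g : groups.entrySet()) {
            if (g.getValue().contains(user)) {
                groupPos.addAll(perms(positive, g.getKey()));
                groupNeg.addAll(perms(negative, g.getKey()));
            }
        }
        cancelConflicts(groupPos, groupNeg);          // Rule 2 at group level

        Set<String> userPos = new LinkedHashSet<>(perms(positive, user));
        Set<String> userNeg = new LinkedHashSet<>(perms(negative, user));
        cancelConflicts(userPos, userNeg);            // Rule 2 for the individual's own entries

        // Rule 3: the individual's entries override the group result in both directions
        Set<String> result = new LinkedHashSet<>(groupPos);
        result.removeAll(userNeg);                    // an individual denial beats a group grant
        result.addAll(userPos);                       // an individual grant beats a group denial
        return result;
    }

    /** Builds one row of Table 1 (P belongs to G1 and G2) and returns P's effective permissions. */
    static Set<String> tableRow(String[] g1Pos, String[] g1Neg, String[] g2Pos, String[] g2Neg,
                                String[] pPos, String[] pNeg) {
        AclRules acl = new AclRules();
        acl.addMember("G1", "P");
        acl.addMember("G2", "P");
        acl.addEntry(new Entry("G1", false, g1Pos));
        acl.addEntry(new Entry("G1", true, g1Neg));
        acl.addEntry(new Entry("G2", false, g2Pos));
        acl.addEntry(new Entry("G2", true, g2Neg));
        acl.addEntry(new Entry("P", false, pPos));
        acl.addEntry(new Entry("P", true, pNeg));
        return acl.getPermissions("P");
    }

    public static void main(String[] args) {
        String[] none = {};
        // The rows of Table 1, given as (G1 +, G1 -, G2 +, G2 -, P +, P -)
        System.out.println("row 1: " + tableRow(p("A"), none, p("B"), none, p("C"), none));
        System.out.println("row 2: " + tableRow(p("A"), p("C"), p("B"), p("A"), p("C"), none));
        System.out.println("row 3: " + tableRow(p("A"), none, p("B"), none, p("C"), p("A")));
        System.out.println("row 4: " + tableRow(p("A"), p("C"), p("C"), p("B"), p("B"), p("A")));
    }

    private static String[] p(String... s) { return s; }
}
```

Row 2 is the one worth tracing by hand: A is granted by G1 and denied by G2, so it cancels at group level and never reaches P, while P's own +C overrides G1's -C. Reordering the three steps (for instance applying the individual entries before cancelling group conflicts) changes the answer, which is why an ACL implementation must document and test the order.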



How ACLs Work


ACL structure

  ACL
   +-- aclEntry: Principal or group X   Permissions (+ or -)
   +-- aclEntry: Principal or group Y   Permissions (+ or -)
   +-- aclEntry: Principal or group Z   Permissions (+ or -)
        |
        | used to guard
        v
     Resource

Implementing Java Security Module 10, slide 6 of 16



ACL Interfaces
• java.security package
• Principal
• java.security.acl package
• Acl
• AclEntry
• Group
• Owner
• Permission

Implementing Java Security Module 10, slide 5 of 16



Why Use ACLs?


• AccessController and security policy
• ACLs

Implementing Java Security Module 10, slide 4 of 16



What Are Access Control Lists


• Definition
• Characteristics of ACLs

Implementing Java Security Module 10, slide 3 of 16



Module Overview
• Course map
• Relevance
• Objectives
• References

Implementing Java Security Module 10, slide 2 of 16



Module 10

Access Control Lists

Implementing Java Security April 1998



Think Beyond
• Digital signatures provide authentication
• How do you control access to resources from within a
Java program?
• How does Java provide for authorization?
• Who is authorized to access what resources?
• What type of access is allowed?
• What Java classes and packages are provided?

Implementing Java Security Module 9, slide 35 of 35



Check Your Progress


• Define digital signatures and certificates.
• Compare and contrast digital signatures and
handwritten signatures.
• Use JDK 1.2 signing utilities, jarsigner and keytool,
to generate key pairs and digitally sign JAR files.
• Describe the keystore architecture used for key
management.
• Outline what information is provided in a certificate.
• Describe the purpose and services of a Certificate
Authority (CA).

Implementing Java Security Module 9, slide 34 of 35



Exercise: Working With Digital Signatures
• Objective
• Preparation
• Tasks
• Creating and providing access to a signed JAR file
• Downloading a signed JAR file
• Exercise summary

Implementing Java Security Module 9, slide 33 of 35



Recap
1. Create a keystore with private/public key pair
2. Create CSR and submit to CA
3. Import a trusted certificate for the CA
4. Replace self-signed certificate with certificate reply
5. Create a JAR file
6. Sign the JAR file
7. Export your certificate
8. Make your signed JAR file and certificate available

Implementing Java Security Module 9, slide 32 of 35



Modifying the Security Policy


• Grant permissions to the signer of the JAR file
• Example
grant signedBy "mykey" {
    permission java.util.PropertyPermission "user.dir", "read";
    permission java.io.FilePermission "-", "read";
};
• "mykey" is an alias in the keystore the policy refers to; the grant applies
  to code whose signature verifies with that alias's certificate
• A FilePermission path of "-" alone means the current directory and
  everything below it, recursively ("*" would mean the current directory only)

Implementing Java Security Module 9, slide 31 of 35



Verifying a JAR File


> jarsigner -verify -verbose myjar.jar

        890 Thu Oct 09 15:01:44 EDT 1997 META-INF/MANIFEST.MF
        891 Thu Oct 09 15:13:14 EDT 1997 META-INF/MYKEY.SF
       1913 Thu Oct 09 15:13:14 EDT 1997 META-INF/MYKEY.DSA
smk  318487 Thu Oct 02 13:21:38 EDT 1997 MyClass.java
smk   72637 Mon Oct 06 11:05:50 EDT 1997 MyClass.class
smk   87714 Wed Oct 08 09:19:14 EDT 1997 example.gif
smk   77376 Wed Oct 08 07:04:18 EDT 1997 example.au

  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore

jar verified.
>

Implementing Java Security Module 9, slide 30 of 35
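An added example, not code from the course, showing the check that the verify step above does not do for you. "jar verified." means every signature is mathematically valid and every signed entry matches its digest in the .SF file; the k flag only says that some certificate in the signer's chain is in your keystore. With a keystore that also holds public CA certificates, any signing key issued by one of those CAs gets the same output, so the decision of whether to trust the signer is still yours. The class below opens the JAR with verification on, reads each entry to the end (a JarEntry's signers are only available after its content has been read and checked), and reports every entry that is unsigned, tampered with, or not signed by a certificate you supplied, for example one exported with keytool -export. Run with no arguments it builds a constructed, unsigned sample JAR in a temp file, so every entry is reported; run with a signed JAR path and a certificate file it checks the real thing. The names JarSignerCheck, untrustedEntries and loadCert are this example's own.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.jar.JarOutputStream;
import java.util.jar.Manifest;

public class JarSignerCheck {

    /** Loads an X.509 certificate such as one written by "keytool -export -file filename.cert". */
    static X509Certificate loadCert(File certFile) throws Exception {
        try (InputStream in = new FileInputStream(certFile)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /** The manifest and the signature files are never themselves signed entries. */
    static boolean isSignatureMetadata(String name) {
        String upper = name.toUpperCase();
        return upper.equals("META-INF/MANIFEST.MF")
                || (upper.startsWith("META-INF/") && (upper.endsWith(".SF")
                    || upper.endsWith(".DSA") || upper.endsWith(".RSA") || upper.endsWith(".EC")));
    }

    /**
     * Returns the names of entries NOT signed by one of the trusted certificates
     * (unsigned and tampered entries included). Empty means every code-bearing
     * entry carries a valid signature from a signer you chose to trust.
     */
    static Set<String> untrustedEntries(File jarFile, Set<X509Certificate> trusted) throws IOException {
        Set<String> bad = new LinkedHashSet<>();
        byte[] buf = new byte[8192];
        try (JarFile jar = new JarFile(jarFile, true)) {          // true = verify signatures
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || isSignatureMetadata(entry.getName())) continue;
                // Signers are only known once the entry has been read to the end,
                // because that is when its digest is compared with the .SF file.
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* consume */ }
                } catch (SecurityException tampered) {
                    bad.add(entry.getName() + " (content does not match its signature)");
                    continue;
                }
                if (!signedByTrusted(entry.getCodeSigners(), trusted)) bad.add(entry.getName());
            }
        }
        return bad;
    }

    private static boolean signedByTrusted(CodeSigner[] signers, Set<X509Certificate> trusted) {
        if (signers == null) return false;                         // entry is unsigned
        for (CodeSigner signer : signers) {
            List<? extends Certificate> chain = signer.getSignerCertPath().getCertificates();
            // The first certificate in the path is the signer's own (leaf) certificate.
            if (!chain.isEmpty() && trusted.contains(chain.get(0))) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        File jar;
        Set<X509Certificate> trusted = new LinkedHashSet<>();
        if (args.length == 2) {
            jar = new File(args[0]);                                 // a real signed JAR ...
            trusted.add(loadCert(new File(args[1])));                // ... and the signer's certificate
        } else {
            // Constructed sample input: an unsigned JAR, so every entry must be reported.
            jar = File.createTempFile("unsigned", ".jar");
            jar.deleteOnExit();
            Manifest mf = new Manifest();
            mf.getMainAttributes().putValue("Manifest-Version", "1.0");
            try (JarOutputStream out = new JarOutputStream(new FileOutputStream(jar), mf)) {
                out.putNextEntry(new JarEntry("MyClass.class"));
                out.write("not really bytecode".getBytes(StandardCharsets.US_ASCII));
                out.closeEntry();
            }
        }
        Set<String> bad = untrustedEntries(jar, trusted);
        System.out.println(bad.isEmpty() ? "all entries signed by a trusted signer"
                                         : "untrusted or unsigned entries: " + bad);
    }
}
```

Two details matter in practice. A JAR can be partially signed: an attacker who appends an unsigned class to a signed JAR does not break any existing signature, which is why the check walks every entry rather than stopping at the first signed one. And comparing the leaf certificate by equality (encoded form) is stricter than the policy file's signedBy alias, which only requires the signing certificate to match the alias's keystore entry.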



Signing a JAR File


> jarsigner -verbose myjar.jar mykey
Enter Passphrase for keystore: d9u1k8e2
Enter key passphrase for mykey: dukekey
adding: META-INF/MANIFEST.MF
creating: META-INF/MYKEY.SF
creating: META-INF/MYKEY.DSA
signing: MyClass.java
signing: MyClass.class
signing: example.gif
signing: example.au

Implementing Java Security Module 9, slide 29 of 35



Content of the Signed JAR File


• Contents of the unsigned JAR file
• Signature file, .SF extension
• Signature block file, .DSA extension

Implementing Java Security Module 9, slide 28 of 35



jarsigner Option Value Defaults


• -keystore
• -signedjar
• -sigfile

Implementing Java Security Module 9, slide 27 of 35



jarsigner Tool Options

> jarsigner
Usage: jarsigner [options] jar-file alias
       jarsigner -verify [options] jar-file

[-keystore <file>]          keystore file location
[-storepass <passphrase>]   passphrase for key store integrity
[-keypass <passphrase>]     passphrase for private key (if different)
[-sigfile <file>]           name of .SF/.DSA file
[-signedjar <file>]         name of signed jar file
[-verify]                   verify a signed jar file
[-verbose]                  verbose output when signing/verifying
[-ids]                      display identities when verbose and verifying

Implementing Java Security Module 9, slide 26 of 35



jarsigner Utility
• Purposes
• Sign a JAR file
• Verify signatures and integrity of signed JAR files
• Algorithms used
• SHA-1/DSA
• MD5/RSA

Implementing Java Security Module 9, slide 25 of 35



Exporting Certificates
• Provide with your JAR file
• keytool -export -alias alias -file filename.cert

Implementing Java Security Module 9, slide 24 of 35



Importing Certificates
• Importing a trusted certificate
  • keytool -import -alias alias -file CA_certificate_file
• Checking trusted certificates
  • keytool -printcert -file cert_file
  • Compare the printed fingerprint with one obtained from the CA out of
    band before importing the certificate as trusted
• Creating a Certificate Signing Request
  • keytool -csr -file csr_file -alias alias
    (the command is spelled -certreq in the released JDK 1.2 keytool)
• Importing certificate reply
  • keytool -import -alias alias -file cert_reply
Implementing Java Security Module 9, slide 23 of 35

Importing Certificates
• Reasons for
• To add it to your list of trusted certificates
• To import a certificate reply

Implementing Java Security Module 9, slide 22 of 35



Deleting an Entry
• keytool -delete -alias alias

Implementing Java Security Module 9, slide 21 of 35



Displaying Data in the Keystore


• keytool
• keytool -v
• keytool -list -alias alias

Implementing Java Security Module 9, slide 20 of 35



Self-Signed Certificates
• One for which the issuer (signer) is the same as the
subject (the entity whose public key is being
authenticated by the certificate).

Implementing Java Security Module 9, slide 19 of 35



Generating or Adding Data to the Keystore
> keytool -genkey
Enter keystore password: d9u1k8e2
What is your first and last name?
[Unknown]: duke
What is the name of your organizational unit?
[Unknown]: Sun Educational Service
What is the name of your organization?
[Unknown]: Sun Microsystems
What is the name of your City or Locality?
[Unknown]: Cupertino
What is the name of your State or Province?
[Unknown]: California
What is the two-letter country code for this unit?
[Unknown]: US
Is <CN=duke, OU=Sun Service, O=Sun Microsystems, L=Cupertino, S=California,
C=US> correct?
[no]: y
Enter key password for <mykey>
(RETURN if same as keystore password): dukekey

Implementing Java Security Module 9, slide 18 of 35



Option Defaults
• -alias
• -keyalg
• -keysize
• -sigalg
• -validity
• -keystore
• -file

Implementing Java Security Module 9, slide 17 of 35



Passwords
• Key password
• Store password
• Warning regarding passwords

Implementing Java Security Module 9, slide 16 of 35



> keytool -help

KeyTool usage:
-csr         [-v] [-alias <alias>] [-sigalg <sigalg>]
             [-file <csr_file>] [-keypass <keypass>]
             [-keystore <keystore>] [-storepass <storepass>]
-delete      [-v] -alias <alias>
             [-keystore <keystore>] [-storepass <storepass>]
-export      [-v] [-alias <alias>] [-file <cert_file>]
             [-keystore <keystore>] [-storepass <storepass>]
-genkey      [-v] [-alias <alias>] [-keyalg <keyalg>]
             [-keysize <keysize>] [-sigalg <sigalg>]
             [-dname <distinguished_name>] [-keypass <keypass>]
             [-keystore <keystore>] [-storepass <storepass>]
-help
-import      [-v] [-alias <alias>] [-file <cert_file>]
             [-keypass <keypass>] [-keystore <keystore>] [-storepass <storepass>]
-keyclone    [-v] [-alias <alias>] -dest <dest_alias>
             [-keypass <keypass>] [-new <new_keypass>]
             [-keystore <keystore>] [-storepass <storepass>]
-keypasswd   [-v] [-alias <alias>]
             [-keypass <old_keypass>] [-new <new_keypass>]
             [-keystore <keystore>] [-storepass <storepass>]
[-list]      [-v | -rfc] [-alias <alias>]
             [-keystore <keystore>] [-storepass <storepass>]
-printcert   [-v] [-file <cert_file>]
-selfcert    [-v] [-alias <alias>] [-sigalg <sigalg>]
             [-dname <distinguished_name>] [-keypass <keypass>]
             [-keystore <keystore>] [-storepass <storepass>]
-storepasswd [-v] [-new <new_storepass>]
             [-keystore <keystore>] [-storepass <storepass>]

Implementing Java Security Module 9, slide 15 of 35



keytool Utility
• keytool functionality
• keytool commands and options

Implementing Java Security Module 9, slide 14 of 35



Keystore Architecture
• KeyStore class
• Default implementation of KeyStore
• Changing the keystore property
  • Entry in %JAVA_HOME%\lib\security\java.security for the keystore property
• Keystore entries
• Key/certificate entries
• Trusted certificate entries

Implementing Java Security Module 9, slide 13 of 35



X.509 Versions
• Version 1
• Version 2
• Version 3

Implementing Java Security Module 9, slide 12 of 35



X.509 Certificates
• X.509 format
• Version
• Subject name
• Public key
• Issuer name
• Serial number
• Validity period

Implementing Java Security Module 9, slide 11 of 35



JDK Signing Utilities


• keytool
• jarsigner

Implementing Java Security Module 9, slide 10 of 35



Which Applications Use Certificates?


• Web browsers
• Secure electronic mail standards
• Electronic commerce protocols
• Code-signing schemes

Implementing Java Security Module 9, slide 9 of 35


Certificate Example

[Figure: User (Web Server) on the left, Certification Authority on the right.
 Step 1: the server sends its server information to the CA.
 Step 2: the CA computes an MD5 digest of the server information.
 Step 3: the CA signs the digest with its private key.
 Step 4: the server information together with the CA's signature, the digital
 certificate, is returned to the server.]

Implementing Java Security Module 9, slide 8 of 35



Certificate Example
Step 1 – Server information sent to CA
Step 2 – CA creates digest
Step 3 – Digital signature of CA created
Step 4 – Digital certificate sent back to server

Implementing Java Security Module 9, slide 7 of 35



What Are Certificates?


• Definition
• Who creates or issues certificates?
• Actions of CAs
• Use public key pairs themselves
• Perform background checks and create certificate for
an entity
• Distribute their own public key to clients

Implementing Java Security Module 9, slide 6 of 35



Comparing Handwritten and Digital Signatures
• Notarized handwritten signature is considered official
• Digitally signed data is official when
• Private key is used for signing
• Certificate from trusted CA can verify signature
• Digital signatures can be verified, but not forged

Implementing Java Security Module 9, slide 5 of 35



What Are Digital Signatures?

• Digital signatures and message digests
• Authentication

[Figure: Sender 1 and Sender 2 each sign "Hello" with their own private key.
 The receiver asks "Which key will decipher?" and tries each sender's public
 key; the key that verifies identifies the sender.]

Implementing Java Security Module 9, slide 4 of 35



What Are Digital Signatures?


• Definition
• Characteristics of digital signatures
• Authenticity can be verified
• Cannot be forged
• Is a function of the data signed
• Signed data cannot be changed

Implementing Java Security Module 9, slide 3 of 35



Module Overview
• Course map
• Relevance
• Objectives
• References

Implementing Java Security Module 9, slide 2 of 35



Module 9

Digital Signatures and


Certificates

Implementing Java Security April 1998



Think Beyond
• How do you use cryptography and encryption
algorithms to digitally sign files or objects?
• Are message digests alone secure? How could they be
attacked?
• What is the difference between message digests and
digital signatures?
• Is there a relationship between message digests and
digital signatures?

Implementing Java Security Module 8, slide 15 of 15



Check Your Progress


• Define the purpose of message digests.
• Create a message digest using the Java Security API.
• Write a program that uses a message digest (digital
fingerprint) to validate a file.

Implementing Java Security Module 8, slide 14 of 15



Exercise: Creating Message Digests


• Objective
• Preparation
• Tasks
• Exercise summary

Implementing Java Security Module 8, slide 13 of 15



How to Use the Hash Value


• Web
• Email
• Ftp

Implementing Java Security Module 8, slide 12 of 15



Example for Computing a Digest


MessageDigest md5 = MessageDigest.getInstance("MD5");
...
File myDoc = new File("Document.ps");
FileInputStream in = new FileInputStream(myDoc);
byte[] document = new byte[(int) (myDoc.length())];
// A single read() may return fewer bytes than requested; loop until the
// buffer is full so the digest really covers the whole file
int off = 0;
while (off < document.length) {
    int n = in.read(document, off, document.length - off);
    if (n < 0) break;
    off += n;
}
in.close();

// note that md5.digest(document) could replace the next
// two lines of code.
md5.update(document);
byte[] md5Digest = md5.digest();

Implementing Java Security Module 8, slide 11 of 15



Methods in the MessageDigest Class


• clone()
• Clone example
MessageDigest md = MessageDigest.getInstance("SHA");
if (md instanceof Cloneable) {
    md.update(Chapter1);                              // Chapter1, Chapter2: byte[] contents
    MessageDigest tc1 = (MessageDigest) md.clone();   // clone() returns Object; cast it
    byte[] Chapter1Digest = tc1.digest();             // digest of chapter 1 alone
    md.update(Chapter2);                              // md keeps accumulating: chapters 1 + 2
    ...
} else {
    throw new DigestException("could not make digest of partial content");
}

Implementing Java Security Module 8, slide 10 of 15



Methods in the MessageDigest Class


• getInstance()
• update()
• digest()
• reset()
• Overview of using the methods

Implementing Java Security Module 8, slide 9 of 15



MessageDigest Class
• Interface to the functionality for a digest algorithm
• Important components for message digests
• Message Digest API – MessageDigest class
• Message Digest SPI – MessageDigestSpi class

Implementing Java Security Module 8, slide 8 of 15



Message Authentication

[Figure: Sender (holds the private key) and Receiver (holds the sender's
 public key).
 Step 1: the sender computes the MD5 digest of "Hello".
 Step 2: the sender encrypts the digest with the private key (the signature).
 Step 3: the sender transmits "Hello" together with the signed digest.
 Step 4: the receiver computes the MD5 digest of the received "Hello".
 Step 5: the receiver decrypts the signed digest with the sender's public key.
 Step 6: the receiver compares the two digests; equal means the message is
 authentic and unmodified.]

Implementing Java Security Module 8, slide 7 of 15



Common Digest Algorithms


• MD5
• SHA and SHA-1
• HAVAL
• SNEFRU

Implementing Java Security Module 8, slide 6 of 15



Using Message Digests

• Publish a document and its digest
• Person downloading recalculates digest
• Matching digest values imply document integrity only if the published
  digest itself is trusted: an attacker who can replace the document on the
  server can replace the digest next to it just as easily, so the digest must
  come over a separate trusted channel or be signed (the approach signed JAR
  files take in Module 9)

• Message digest usage examples
  • Email
  • JAR files

Implementing Java Security Module 8, slide 5 of 15
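An added example, not code from the course, covering both the publish-and-verify use above and the computation on the "Example for Computing a Digest" slide (slide 11 of this module). It digests a stream of any size through DigestInputStream, so the whole file never has to fit in memory; prints the digest as hex the way it would be published; and on the downloader's side recomputes the digest and compares it with MessageDigest.isEqual, whose comparison is constant-time. It uses SHA-256 rather than the slides' MD5: collisions for MD5 and SHA-1 can be produced at will today, and a collision is exactly what lets an attacker publish a second document under the same digest. The document bytes are constructed inline; the names DigestCheck, digest, verify, toHex and fromHex are this example's own.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.DigestInputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class DigestCheck {

    /** Digests a stream of any size without loading it into memory. */
    static byte[] digest(InputStream in, String algorithm) throws IOException, NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        try (DigestInputStream dis = new DigestInputStream(in, md)) {
            byte[] buf = new byte[8192];
            while (dis.read(buf) != -1) { /* every byte read is fed to md.update() */ }
        }
        return md.digest();
    }

    /** Hex encoding, the form in which a digest is normally published. */
    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    static byte[] fromHex(String hex) {
        if (hex.length() % 2 != 0) throw new IllegalArgumentException("odd-length hex string");
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    /**
     * The downloader's side: recompute the digest and compare it with the
     * published value. MessageDigest.isEqual runs in constant time, so the
     * comparison does not reveal how many leading bytes matched.
     */
    static boolean verify(byte[] document, String publishedHex, String algorithm)
            throws IOException, NoSuchAlgorithmException {
        byte[] actual = digest(new ByteArrayInputStream(document), algorithm);
        return MessageDigest.isEqual(actual, fromHex(publishedHex));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample document; a real program would stream Document.ps from disk
        byte[] original = "Document.ps contents, version 1\n".getBytes(StandardCharsets.UTF_8);

        // Publisher: compute the digest and publish it next to the document
        String published = toHex(digest(new ByteArrayInputStream(original), "SHA-256"));
        System.out.println("published SHA-256: " + published);

        // Downloader: an unmodified copy verifies ...
        System.out.println("intact copy verifies:   " + verify(original, published, "SHA-256"));

        // ... and a copy with a single flipped bit does not
        byte[] tampered = original.clone();
        tampered[0] ^= 0x01;
        System.out.println("tampered copy verifies: " + verify(tampered, published, "SHA-256"));
    }
}
```

Passing the algorithm name as a parameter is the JCA's algorithm independence from Module 7 in practice: the same code verifies an MD5 digest published years ago and a SHA-256 digest published today, and only the published string decides which one runs.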



About Hash Functions


• Inputs and outputs
• Typical uses

Implementing Java Security Module 8, slide 4 of 15



Terminology
• Message digest
• Message digest algorithm
• Properties of digests

Implementing Java Security Module 8, slide 3 of 15



Module Overview
• Course map
• Relevance
• Objectives
• References

Implementing Java Security Module 8, slide 2 of 15



Module 8

Message Digests

Implementing Java Security April 1998



Think Beyond
The concept of a one-way function is considered a building
block for many security protocols and algorithms.

• What are one-way hash functions?

• What are popular uses of hash functions?

• What does the JDK provide in this area?

Implementing Java Security Module 7, slide 23 of 23



Check Your Progress


• Define cryptography, encryption, and decryption.
• List the common encryptions and algorithms, noting which are used, and
  where, in the Java Security API.
• Outline the core classes provided in the Java Cryptography Architecture API.

Implementing Java Security Module 7, slide 22 of 23



Java Cryptography Extension


• Extends JCA
• JCA and JCE provide complete, platform-independent
cryptography solution
• Not exportable outside U.S. and Canada

Implementing Java Security Module 7, slide 21 of 23



Signature Example
Signature dsa = Signature.getInstance("DSA");   // create Signature object

// Create key pair generator object
KeyPairGenerator keyGen = KeyPairGenerator.getInstance("DSA");
// Initialize the key pair generator; strength is based on the modulus,
// here it is 1024
keyGen.initialize(1024, new SecureRandom(userSeed));
// Generate the pair of keys
KeyPair pair = keyGen.generateKeyPair();
// obtain the PrivateKey from the key pair generated
PrivateKey priv = pair.getPrivate();

// Initialize the Signature object for signing
dsa.initSign(priv);
// update the Signature object with the data to be signed
dsa.update(data);
// Sign the data
byte[] sig = dsa.sign();

Implementing Java Security Module 7, slide 20 of 23
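An added example, not the course's code, that completes the slide above with the verification side and the three ways a verification fails: altered data, an altered signature and the wrong public key. It keeps DSA but uses a 2048-bit key and "SHA256withDSA", both in the JDK's SUN provider since JDK 8; the slide's 1024-bit key and plain "DSA" (SHA-1 based) are below current guidance. One caveat on the slide's new SecureRandom(userSeed): with the SHA1PRNG implementation a seed given to the constructor fully determines the output, so a guessable userSeed yields a guessable private key. The example lets the provider seed itself. The signed strings are constructed sample data; the names SignAndVerify, generateKeyPair, sign and verify are this example's own.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;

public class SignAndVerify {

    /** DSA key pair; 2048 bits is the smallest size current guidance treats as adequate. */
    static KeyPair generateKeyPair() throws Exception {
        KeyPairGenerator keyGen = KeyPairGenerator.getInstance("DSA");
        keyGen.initialize(2048);   // no explicit SecureRandom: the provider seeds from the OS
        return keyGen.generateKeyPair();
    }

    static byte[] sign(PrivateKey priv, byte[] data) throws Exception {
        Signature dsa = Signature.getInstance("SHA256withDSA");
        dsa.initSign(priv);
        dsa.update(data);
        return dsa.sign();
    }

    /** Returns false for a bad signature and also for a malformed one. */
    static boolean verify(PublicKey pub, byte[] data, byte[] sig) throws Exception {
        Signature dsa = Signature.getInstance("SHA256withDSA");
        dsa.initVerify(pub);
        dsa.update(data);
        try {
            return dsa.verify(sig);
        } catch (SignatureException e) {
            // A corrupt or truncated signature blob is an invalid signature, not a program error
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPair pair = generateKeyPair();
        byte[] data = "pay 100 to alice".getBytes(StandardCharsets.UTF_8);   // constructed sample
        byte[] sig = sign(pair.getPrivate(), data);

        System.out.println("valid signature verifies:   " + verify(pair.getPublic(), data, sig));

        // 1. The data was changed after signing
        byte[] altered = "pay 900 to alice".getBytes(StandardCharsets.UTF_8);
        System.out.println("altered data verifies:      " + verify(pair.getPublic(), altered, sig));

        // 2. The signature bytes were changed in transit
        byte[] alteredSig = sig.clone();
        alteredSig[alteredSig.length - 1] ^= 0x01;
        System.out.println("altered signature verifies: " + verify(pair.getPublic(), data, alteredSig));

        // 3. Verification with someone else's public key
        KeyPair other = generateKeyPair();
        System.out.println("wrong public key verifies:  " + verify(other.getPublic(), data, sig));
    }
}
```

The third case is the one certificates exist for (Module 9): verify() only tells you that the signature matches this public key, and binding that key to a person or organisation is a separate problem.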



Creating and Using a Signature Object
• Signature getInstance(String algorithm)
• void initSign(PrivateKey privateKey)
• void update(byte x)
void update(byte[] data)
void update(byte[] data, int off, int len);
• byte[] sign()

Implementing Java Security Module 7, slide 19 of 23



Signature Class
• Components of the class
• Digital Signature API
• Digital Signature SPI
• Properties of the class

Implementing Java Security Module 7, slide 18 of 23



Key Interface
• Characteristics:
• Algorithm
• Encoded form
• Format

Implementing Java Security Module 7, slide 17 of 23



Engine Classes
• MessageDigest, Signature, KeyPairGenerator
• Each engine class defines the API for one type of cryptographic service;
  a provider implements the matching Service Provider Interface (SPI) class,
  for example MessageDigestSpi or SignatureSpi
• Each provides a factory method –
  getInstance(String algorithm)

Implementing Java Security Module 7, slide 16 of 23



Security Class
• Used to manage providers and security properties and
methods
• Methods include:
• getProviders()
• addProvider(Provider provider)
• removeProvider(String name)

Implementing Java Security Module 7, slide 15 of 23



Provider Class
• Methods for accessing provider name, version number,
and other information
• Provider packages include:
• Digital signature algorithms
• Message digest algorithms
• Encryption algorithms
• Padding schemes

Implementing Java Security Module 7, slide 14 of 23



Major Classes
• Provider
• Security
• Engine classes
• Signature
• Key

Implementing Java Security Module 7, slide 13 of 23



Java Cryptography Architecture


• What it is
• Design principles
• Implementation independence
• Implementation interoperability
• Algorithm independence
• Algorithm extensibility

Implementing Java Security Module 7, slide 12 of 23



Restrictions Elsewhere
• Cryptographic algorithms are available outside U.S.
• Import restrictions

Implementing Java Security Module 7, slide 11 of 23



World Legal Picture of Encryption


• U.S. restrictions
• All Sun products that are exported
• NSA charter
• What is affected: source products, binary products
(such as crypto with a hole), documentation

• Exportable software – Authentication

Implementing Java Security Module 7, slide 10 of 23



Algorithms at a Glance

Table 1 Common Algorithms

Algorithm       Type        Key Size                                  Speed
DES             symmetric   56-bit                                    medium
3DES            symmetric   168-bit key                               slow
RSA             asymmetric  variable modulus (usually 512-2048 bits)  very slow
Diffie-Hellman  asymmetric  variable modulus (usually 512-2048 bits)  very slow
RC2             symmetric   up to 1024 bits (usually 40 or 128 bits)  very fast
RC4             symmetric   up to 2048 bits (usually 40 or 128 bits)  very fast

The 40-bit export key sizes and 56-bit DES are within reach of brute force;
treat them as providing no confidentiality.

Implementing Java Security Module 7, slide 9 of 23



Common Algorithms
• DES (Data Encryption Standard)
• RSA (authors: Rivest, Shamir, Adleman)
• DSA (Digital Signature Algorithm)
• Diffie-Hellman
• RC2 and RC4 (Rivest Cipher, designed by Ron Rivest)

Implementing Java Security Module 7, slide 8 of 23



Asymmetric Algorithms

[Figure: Step 1: the receiver generates a key pair, gives the public key to
 the sender and keeps the private key.
 Step 2: the sender encrypts "Hello" with the receiver's public key.
 Step 3: the receiver decrypts the ciphertext with the private key.]

Implementing Java Security Module 7, slide 7 of 23



Symmetric Algorithms

[Figure: Step 1: the single secret key is delivered to the receiver over a
 secret channel.
 Step 2: the sender encrypts "Hello" with the key and sends the ciphertext
 over a non-secret channel.
 Step 3: the receiver decrypts it with the same key.]

Implementing Java Security Module 7, slide 6 of 23



Cryptographic Algorithms
• Symmetric algorithm
• Public-key (asymmetric) algorithm

Implementing Java Security Module 7, slide 5 of 23



Benefits of Encryption
• Main benefit – confidentiality
• Other benefits of the same cryptographic toolkit (provided by message
  digests and digital signatures, not by encryption alone)
  • Authentication of the data sender
  • Integrity of the data sent
  • Nonrepudiation

Implementing Java Security Module 7, slide 4 of 23



Definitions
• Cryptography
• Encryption
• plaintext or cleartext
• ciphertext
• Decryption

Plaintext ("Hello") --Encryption--> Ciphertext --Decryption--> Original plaintext ("Hello")

Implementing Java Security Module 7, slide 3 of 23



Module Overview
• Course map
• Relevance
• Objectives
• References

Implementing Java Security Module 7, slide 2 of 23



Module 7

Cryptography

Implementing Java Security April 1998



Think Beyond
The next several modules discuss the specific security
packages provided in the JDK for working with the following:
• Encryption and decryption
• Message digests
• Digital signatures and certificates
• Access control lists

Implementing Java Security Module 6, slide 22 of 22



Check Your Progress


• Describe the purpose of the following new security classes:
• java.security.Policy
• java.security.Permission
• java.security.AccessController
• java.security.SecureClassLoader
• java.security.GeneralSecurityException
• Explain how java.security.SecureClassLoader adds (in a transparent
way) to what the ClassLoader class provides.
• Create new types of permissions using the JDK Permissions classes.
• Create a security policy file for defining protection domains and define
permissions for newly created domains.
• Write Java programs that use the JDK 1.2 security classes to address
specific security issues.

Implementing Java Security Module 6, slide 21 of 22



Exercise: Permission Classes and Java Security Policy
• Objective
• Preparation
• Tasks
• Working with different security policies
• Queuing a print job – Security requirements
• Granting queuing permission to specified entities
• Exercise summary

Implementing Java Security Module 6, slide 20 of 22



New Types of Permissions


// Possible code found in main program/applet WatchTV.java
import java.security.AccessControlException;
import java.security.AccessController;
import xyzCorp.tv.TVPermission;   // the custom Permission subclass

TVPermission tv1 = new TVPermission("channel:5", "watch");

try {
    // Consults the security policy in force; throws unless every
    // protection domain on the call stack has been granted tv1
    AccessController.checkPermission(tv1);
    System.out.println("Permission granted for = " + tv1);
} catch (AccessControlException ace) {
    System.out.println("Permission NOT granted for = " + tv1);
}

Figure: class hierarchy. The abstract class java.security.Permission is subclassed by java.io.FilePermission, java.net.NetPermission, and the application's own xyzCorp.tv.TVPermission.

Implementing Java Security Module 6, slide 19 of 22



New Types of Permissions


Creating your own Permission class:
• Extend Permission or its subclasses
• Implement the implies method
• Provide a constructor (names, actions)
• Represent the permission in your security policy file
• Use AccessController’s checkPermission method
in your application
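As an added example (not the course's xyzCorp.tv.TVPermission, whose source is not on these slides), a Permission subclass that follows the five steps above, checked against a Permissions collection standing in for what a policy file entry would grant. The class name, the action names watch and record, and the "channel:*" wildcard are assumptions.

```java
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;

/** Constructed example: permission to watch or record a TV channel, e.g. new TvPermission("channel:5", "watch"). */
public final class TvPermission extends Permission {
    // Action bits, in the style of PropertyPermission's READ/WRITE mask
    private static final int WATCH = 0x1;
    private static final int RECORD = 0x2;

    private final int mask;        // which actions this permission carries
    private final String channel;  // "5", "9", ... or "*" for every channel

    public TvPermission(String name, String actions) {
        super(name);
        if (!name.startsWith("channel:")) {
            throw new IllegalArgumentException("name must look like channel:<number> or channel:*");
        }
        this.channel = name.substring("channel:".length());
        this.mask = parseActions(actions);
    }

    private static int parseActions(String actions) {
        int m = 0;
        for (String a : actions.split(",")) {
            switch (a.trim()) {
                case "watch":  m |= WATCH;  break;
                case "record": m |= RECORD; break;
                default: throw new IllegalArgumentException("unknown action: " + a);
            }
        }
        return m;
    }

    /** The heart of a Permission: does this (granted) permission cover the requested one? */
    @Override
    public boolean implies(Permission p) {
        if (!(p instanceof TvPermission)) {
            return false;
        }
        TvPermission that = (TvPermission) p;
        boolean actionsCovered = (this.mask & that.mask) == that.mask;   // subset test, as in PropertyPermission
        boolean channelCovered = this.channel.equals("*") || this.channel.equals(that.channel);
        return actionsCovered && channelCovered;
    }

    @Override
    public String getActions() {
        StringBuilder sb = new StringBuilder();
        if ((mask & WATCH) != 0) sb.append("watch");
        if ((mask & RECORD) != 0) sb.append(sb.length() > 0 ? ",record" : "record");
        return sb.toString();
    }

    @Override
    public boolean equals(Object o) {
        if (!(o instanceof TvPermission)) return false;
        TvPermission that = (TvPermission) o;
        return that.mask == mask && that.channel.equals(channel);
    }

    @Override
    public int hashCode() {
        return 31 * channel.hashCode() + mask;
    }

    public static void main(String[] args) {
        // Stand-in for two policy file lines such as
        //   permission xyzCorp.tv.TvPermission "channel:*", "watch";
        //   permission xyzCorp.tv.TvPermission "channel:5", "watch,record";
        // AccessController.checkPermission ends up asking exactly this implies() question.
        PermissionCollection granted = new Permissions();
        granted.add(new TvPermission("channel:*", "watch"));
        granted.add(new TvPermission("channel:5", "watch,record"));

        System.out.println(granted.implies(new TvPermission("channel:5", "record")));  // true: exact channel grant
        System.out.println(granted.implies(new TvPermission("channel:9", "watch")));   // true: wildcard grant
        System.out.println(granted.implies(new TvPermission("channel:9", "record")));  // false: no record on 9
    }
}
```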

Implementing Java Security Module 6, slide 18 of 22



Using the Permission Classes


• Entries in the policy file
grant codeBase "http://www.xyz.com/Payroll" {
permission java.io.FilePermission "C:\\XYZ\\Confidential\\Payroll\\-",
"read,write";
};

• Checking access in your code


FilePermission perm = new java.io.FilePermission("/XYZ/Confidential/Payroll/emp_salaries", "read");
AccessController.checkPermission(perm);

Implementing Java Security Module 6, slide 17 of 22



PropertyPermission Class Analysis


• Constructor and init() method
public PropertyPermission(String name, String actions)
{
super(name,actions);
init(getMask(actions));
}

• implies method
return ((this.mask & that.mask) == that.mask) &&
super.implies(that);

• Other methods
• newPermissionCollection, writeObject,
readObject, equals, getActions

Implementing Java Security Module 6, slide 16 of 22



PropertyPermission Class Analysis


• Names
• Java property names
• Actions
• Read – System.getProperty()
• Write – System.setProperty()
• Implementation of actions
private final static int READ = 0x1;
private final static int WRITE = 0x2;
private final static int ALL = READ|WRITE;
private final static int NONE = 0x0;
private int mask;

Implementing Java Security Module 6, slide 15 of 22



Exceptions
• Two types associated with security
• java.lang.SecurityException
• java.security.GeneralSecurityException

Figure: security-related exception hierarchy
java.lang.RuntimeException
    java.lang.IllegalArgumentException
        java.security.InvalidParameterException
    java.security.ProviderException
    java.lang.SecurityException
        java.security.AccessControlException
java.lang.Exception
    java.security.GeneralSecurityException
        All other exceptions in the java.security package

Implementing Java Security Module 6, slide 14 of 22



sun.misc.Launcher
• Used to run applications under a security manager
enforced by the security policy
• New class path variable, java.app.class.path
• Syntax
java -Djava.app.class.path=\untrusted_code_path sun.misc.Launcher my_appl arg1 arg2

Implementing Java Security Module 6, slide 13 of 22



java.security.SecureClassLoader
• Extends java.lang.ClassLoader

Implementing Java Security Module 6, slide 12 of 22



java.security.AccessController
• Makes all access control decisions
• Bases decisions on the security policy
• Denies access by throwing AccessControlException
• Checks permissions
FilePermission perm = new FilePermission("/tmp/accessList", "read");
AccessController.checkPermission(perm);

• Algorithm used
• Privileged code

Implementing Java Security Module 6, slide 11 of 22



java.security.ProtectionDomain
• Infrastructure – Encapsulates the characteristics of a
domain
• Signer
• CodeSource
• SecureClassLoader and protection domains
• Creates or assigns protection domain to a class
• Uses Policy object to determine permissions

Implementing Java Security Module 6, slide 10 of 22



Access Control
• ProtectionDomain
• AccessController
• SecureClassLoader
• sun.misc.Launcher

Implementing Java Security Module 6, slide 9 of 22



PermissionCollection and Permissions

Figure: class relationships
Object
    (abstract) Permission – AllPermission and the other Permission classes
    (abstract) PermissionCollection – (final) Permissions, which contains Permission objects

Implementing Java Security Module 6, slide 8 of 22



PermissionCollection and
Permissions
• PermissionCollection interface
• Used to group Permission objects (add, implies,
enumerate methods)
• newPermissionCollection() method
• Permissions class
• Heterogeneous collection of Permission objects

Implementing Java Security Module 6, slide 7 of 22



java.security.Permission
• Abstract class
• Subclassed to describe specific types of access (such as
files or sockets)
• Properly named subclasses
• Actions list
XXXPermission("name", "actions");
• implies method
• Example

Implementing Java Security Module 6, slide 6 of 22



java.security.CodeSource
• Extends the concept of a CODEBASE (used in HTML)
• Location URL
• Public keys for verifying signed code
• Equality of two CodeSource objects

Implementing Java Security Module 6, slide 5 of 22



java.security.Policy
• Represents the ASCII policy configuration file
• Protection domains use it to initialize their permissions:
Policy policy = Policy.getPolicy();
// evaluate() is the JDK 1.2 beta name; the released API calls this getPermissions(CodeSource)
Permissions perms = policy.evaluate(MyCodeSource);

Implementing Java Security Module 6, slide 4 of 22



Permissions and Security Policy


Relevant classes:
• java.security.Policy
• java.security.CodeSource
• java.security.Permission
• java.security.BasicPermission
• java.io.FilePermission
• java.net.NetPermission
• java.net.SocketPermission
• java.util.PropertyPermission
• java.security.PermissionCollection and
java.security.Permissions

Implementing Java Security Module 6, slide 3 of 22



Module Overview
• Course map
• Relevance
• Objectives
• References

Implementing Java Security Module 6, slide 2 of 22



Module 6

JDK Security Classes


Think Beyond
• What are the new classes that form the infrastructure of
the Protection Domains Security model?

• Can one create their own Permissions class, and how does that work?

Implementing Java Security Module 5, slide 19 of 19



Check Your Progress


• Compare and contrast the original Sandbox and the Java Protection
Domains Security models.
• Draw a diagram illustrating how the original Sandbox and the Java
Protection Domains Security models work.
• Explain the weaknesses of the original Sandbox model that necessitated an
extended security model.
• Distinguish between system domain and application domain.
• Describe how permissions are calculated when a thread of execution
accesses several protection domains.
• Describe the role of the Java security policy file in the Protection Domains
Security model.

Implementing Java Security Module 5, slide 18 of 19



Calculating Permissions Across Domains
• Privileged code – beginPrivileged, endPrivileged
• General rule

Implementing Java Security Module 5, slide 17 of 19



Domains and Permissions


• Protection domains defined (indirectly) in the security
policy file (signer and codebase pairs)

Figure: the security policy maps the running classes x.class, y.class, z.class and w.class to Protection Domain A and Protection Domain B, each of which carries its own Permissions.

Implementing Java Security Module 5, slide 16 of 19



Matching Entries
• Algorithm used to “match” entries
• Permissions are additive

Implementing Java Security Module 5, slide 15 of 19



Policy File Example Entries


• Example 1
grant signedBy "Sun" {
permission java.io.FilePermission "C:\\tmp\\phones", "read";
};

• Example 2
grant signedBy "Sun,IBM", codeBase "http://java.sun.com/" {
    permission java.io.FilePermission "C:\\tmp", "read";
    permission java.io.SocketPermission "*", "connect";
};

Implementing Java Security Module 5, slide 14 of 19



Policy File Format


• Each entry:
grant [signedBy "signer_names"] [, codeBase "URL"] {
permission permission_class_name ["target_name"]
[, "action"] [, signedBy "signer_names"];
permission ...
};

• Target wildcards

• java.io.FilePermission and
java.net.SocketPermission

Implementing Java Security Module 5, slide 13 of 19


GUI Policy Tools – policytool

Implementing Java Security Module 5, slide 12 of 19



Security Policy File


• User policy file – %JAVA_HOME%\.java.policy
• Policy naming conventions

Implementing Java Security Module 5, slide 11 of 19



Security Policy File


• System policy file – lib/security/java.policy
• Policy file in JDK
grant {
    // allows anyone to listen on un-privileged ports
    permission java.net.SocketPermission "localhost:1024-", "listen";

    // "standard" properties that can be read by anyone
    permission java.util.PropertyPermission "java.version", "read";
    permission java.util.PropertyPermission "java.vendor", "read";
    permission java.util.PropertyPermission "java.vendor.url", "read";
    permission java.util.PropertyPermission "java.class.version", "read";
    permission java.util.PropertyPermission "os.name", "read";
    permission java.util.PropertyPermission "os.version", "read";
    permission java.util.PropertyPermission "os.arch", "read";
    permission java.util.PropertyPermission "file.separator", "read";
    permission java.util.PropertyPermission "path.separator", "read";
    permission java.util.PropertyPermission "line.separator", "read";
};

Implementing Java Security Module 5, slide 10 of 19



Protection Domains
• Terminology
• Protection domain
• Signer
• Location (codebase)
• Examples of protection domains
• Categories of domains
• System
• Application

Implementing Java Security Module 5, slide 9 of 19



Java Protection Domains Model


• Extending the Java sandbox

Figure: Java Protection Domains extend the Java Sandbox.
• Java Sandbox: unsigned code; no access
• Java Protection Domains: selectively grant access to network resources; fine-grained control; administrators can tailor security policies

Implementing Java Security Module 5, slide 8 of 19



Java Protection Domains Model


• Necessity of the new model
• Benefits of the new model
• Easily configurable security policy
• Pre-defined implementation of fine-grained access
control
• Easily extensible access control structure
• Extension of security check to applications

Implementing Java Security Module 5, slide 7 of 19



Applet Capabilities
• Sandbox model
• Digitally signed applets
• JDK 1.2 Applets

Implementing Java Security Module 5, slide 6 of 19



What the Sandbox Does Not Protect


The sandbox does not protect you from applets that:
• Consume CPU
• Display:
• Images
• Fake login prompts
• Nuisance behavior
• Requests for sensitive information
• Create numerous large windows
• Create numerous large fonts

Implementing Java Security Module 5, slide 5 of 19



Sandbox Security Model Review


• Local code is trusted; remote code is not

• Review of sandbox components: class loader, verification process, security manager

Implementing Java Security Module 5, slide 4 of 19



Java Security Model Evolution


• JDK 1.0
• JDK 1.1
• JDK 1.2

Figure: evolution of the model
• JDK 1.0 – Sandbox (untrusted applets)
• JDK 1.1 – Extend the sandbox to the file system (trusted applets)
• JDK 1.2 – Introduce the flexible and scalable Protection Domain architecture (Java Protection Domains)

Implementing Java Security Module 5, slide 3 of 19



Module Overview
• Course map
• Relevance
• Objectives
• References

Implementing Java Security Module 5, slide 2 of 19



Module 5

Extending the SandBox Security Model


Think Beyond
• How does the new security model affect the role of the
security manager?
• How does the new model extend the sandbox security
model?
• What files are provided to enable easy administration of
a security policy without having to hard-code the policy
into your application?

Implementing Java Security Module 4, slide 24 of 24



Check Your Progress


• Describe the role a security manager plays in overall
Java security.
• Compare and contrast the responsibilities of a security
manager and those of a class loader.
• Describe the SecurityManager class and the methods
and checks done by a security manager.
• Write and implement a security manager for a Java
program.

Implementing Java Security Module 4, slide 23 of 24



Exercise: Creating a Security Manager


• Objective
• Preparation
• Tasks
• Exercise summary

Implementing Java Security Module 4, slide 22 of 24



After Installation
• Install security manager once
• Cannot reinstall or install a different one
• After installation, no other reference to it is required
• JVM calls security manager during specific
operations (such as read and write)

Implementing Java Security Module 4, slide 21 of 24



File Access
import java.io.*;

public class Copier implements Runnable {
    public void run() {
        try {
            // Opening the streams is what triggers checkRead/checkWrite on the installed security manager
            BufferedReader fis = new BufferedReader(new FileReader("inputtext.txt"));
            BufferedWriter fos = new BufferedWriter(new FileWriter("outputtext.txt"));
            char[] buffer = new char[4096];
            int count;
            while ((count = fis.read(buffer)) > -1) {
                fos.write(buffer, 0, count);
            }
            fis.close();
            fos.close();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

Implementing Java Security Module 4, slide 20 of 24



Installing a Security Manager


• Install using System.setSecurityManager
import java.io.*;

class SecurityManagerTest {
    public static void main(String[] args) {
        try {
            // Only one security manager may ever be installed; a second attempt throws
            System.setSecurityManager(new PasswordSecurityManager("PASSWORD"));
        } catch (SecurityException se) {
            System.err.println("SecurityManager already set!");
        }

        try {
            // Load Copier through a custom class loader so its file access goes through the manager
            ClassLoader cl = new SampleClassLoader(new File("try"));
            Class c = cl.loadClass("Copier");
            Runnable r = (Runnable) (c.newInstance());
            r.run(); // do the reading and writing
        } catch (Exception e) {
            e.printStackTrace();
        }
        System.exit(0); // AWT holds us open otherwise
    }
}

Implementing Java Security Module 4, slide 19 of 24



checkXXX Method Summary


• Override or add any number of checkXXX methods
• No need to override all methods of SecurityManager
class
• Override those necessary to control operations you
use
• Methods not overridden will disallow access

Implementing Java Security Module 4, slide 18 of 24



checkWrite Methods
public void checkWrite(String filename) {
    System.out.println("checkWrite(" + filename + ")");
    if (!accessOK()) {
        throw new SecurityException("Not Even!");
    }
}

Implementing Java Security Module 4, slide 17 of 24



checkWrite Methods
• Two default checkWrite methods:
• public void checkWrite(FileDescriptor fd)
• public void checkWrite(String file)
• Override to conform to your security policy, similar to
checkRead methods

Implementing Java Security Module 4, slide 16 of 24



checkAccess Method
• For threads:
public synchronized void checkAccess(Thread t)

• For thread groups:
public synchronized void checkAccess(ThreadGroup tg)

Implementing Java Security Module 4, slide 15 of 24



checkLink and
checkTopLevelWindow Methods
• checkLink()
public void checkLink(String library) {
    // code for checking if remote or local;
}

• checkTopLevelWindow() returns
• False
• True

Implementing Java Security Module 4, slide 14 of 24


Security Manager Methods

Figure: sequence of checks when the application executes new SecurePop() to start a pop-up window. Calls 1–4 are made by the JVM:
• 1 checkLink() – if not allowed, throw SecurityException
• 2 checkTopLevelWindow() – if not allowed, throw SecurityException
• 3 checkAccess(Thread) – if not allowed, throw SecurityException
• 4 checkAccess(ThreadGroup) – if not allowed, throw SecurityException
Then checkRead() calls accessOK(): the user types a password; if the password is not correct, return false; otherwise set ioPassword = true and return true.

Implementing Java Security Module 4, slide 13 of 24



accessOK Method
• Determines if access is allowed based on entered
password
private boolean accessOK() {
    boolean ok = true;
    if (inClassLoader()) { // always trust an entirely local call stack
        if (!ioPassword) { // this is set if validation has already occurred
            if (sp.getPassword().equals(password)) {
                ioPassword = true;
            } else {
                ok = false;
            }
        }
    }
    return ok;
}

Implementing Java Security Module 4, slide 12 of 24



Overriding the checkRead Method


public void checkRead(String filename) throws SecurityException {
    System.out.println("checkRead(" + filename + ")");
    if (!accessOK()) {
        throw new SecurityException("No Way");
    }
}

Implementing Java Security Module 4, slide 11 of 24



Default checkRead Methods


• Default checkRead methods
• public void checkRead(FileDescriptor fd)
• public void checkRead(String file)
• public void checkRead(String file, Object context)

Implementing Java Security Module 4, slide 10 of 24



Creating Your Own Security Manager


• Extending SecurityManager
• Policy flexibility
• Designing your security manager
• Which methods to override?
• Do new methods need to be added?
• How to implement the overridden methods?
• How strict should the security rules be?

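As an added example (not the course's PasswordSecurityManager), one answer to the design questions above: a security manager that overrides only the file checks and confines reads and writes to a single sandbox directory. It assumes a JDK on which System.setSecurityManager is still available (JDK 17, or JDK 18 to 23 started with -Djava.security.manager=allow); the class name and the sandbox rule are assumptions.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.security.Permission;

/** Constructed example: allow file reads and writes only below one directory, deny them elsewhere. */
public class SandboxSecurityManager extends SecurityManager {
    private final String sandboxRoot;   // canonical path of the only directory this manager lets code touch

    public SandboxSecurityManager(File root) throws IOException {
        this.sandboxRoot = root.getCanonicalPath() + File.separator;
    }

    // Since JDK 1.2 the default checkXXX methods delegate to checkPermission, which consults the
    // policy file. Allowing everything here keeps the example self-contained (no policy file needed)
    // so that only the file rules below are enforced. A production manager would not do this.
    @Override public void checkPermission(Permission perm) { }
    @Override public void checkPermission(Permission perm, Object context) { }

    private boolean insideSandbox(String filename) {
        try {
            // Canonicalise so that "../" tricks and symbolic links cannot escape the directory
            return new File(filename).getCanonicalPath().startsWith(sandboxRoot);
        } catch (IOException e) {
            return false;   // cannot resolve the path: fail closed
        }
    }

    @Override
    public void checkRead(String filename) {
        if (!insideSandbox(filename)) {
            throw new SecurityException("read denied outside sandbox: " + filename);
        }
    }

    @Override
    public void checkRead(String filename, Object context) {
        checkRead(filename);
    }

    @Override
    public void checkWrite(String filename) {
        if (!insideSandbox(filename)) {
            throw new SecurityException("write denied outside sandbox: " + filename);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: one file inside the sandbox, one path outside it (both under java.io.tmpdir)
        File root = Files.createTempDirectory("sandbox").toFile();
        File inside = new File(root, "allowed.txt");
        Files.writeString(inside.toPath(), "hello");   // written before the manager is installed
        File outside = new File(System.getProperty("java.io.tmpdir"), "outside-" + System.nanoTime() + ".txt");

        System.setSecurityManager(new SandboxSecurityManager(root));   // installed once; cannot be replaced

        // FileInputStream's constructor calls checkRead(name) on the installed manager
        try (FileInputStream in = new FileInputStream(inside)) {
            System.out.println("read inside sandbox: ok, first byte " + in.read());   // 104 ('h')
        }
        // FileOutputStream's constructor calls checkWrite(name); this one is refused
        try (FileOutputStream out = new FileOutputStream(outside)) {
            System.out.println("write outside sandbox: unexpectedly allowed");
        } catch (SecurityException se) {
            System.out.println("write outside sandbox: " + se.getMessage());
        }
    }
}
```

Only the main class is loaded before the manager is installed; loading further application classes afterwards would itself go through checkRead on the class path, which is why the example keeps everything in one class.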
Implementing Java Security Module 4, slide 9 of 24


Flowchart for FileInputStream

Figure: flow of a read through FileInputStream
• Create a File object. (Does not call SecurityManager.)
• Create a FileInputStream object with the File object as the argument for the constructor. (Calls SecurityManager for permission.)
• Is SecurityManager equal to null? Yes – permission to read is allowed. No – SecurityManager calls the checkRead() method.
• Read allowed? No – checkRead() throws an exception. Yes – checkRead() returns.
• Perform the read.

Implementing Java Security Module 4, slide 8 of 24



FileInputStream Example
• A read from a FileInputStream object checks:
• Is a security manager loaded?
• If so, call checkRead() from security manager
• If checkRead() returns, read operation continues
• If checkRead() does not allow a file read, it throws a
SecurityException.
• FileInputStream objects – Check for existence of
security manager upon creation

Implementing Java Security Module 4, slide 7 of 24


Methods and Operations on Objects

Operations On      Approved By
Sockets            checkAccept(String host, int port)
                   checkConnect(String host, int port)
                   checkConnect(String host, int port, Object executionContext)
                   checkListen(int port)
Threads            checkAccess(Thread thread)
                   checkAccess(ThreadGroup threadgroup)
Class loader       checkCreateClassLoader()
File system        checkDelete(String filename)
                   checkRead(FileDescriptor filedescriptor)
                   checkRead(String filename)
                   checkRead(String filename, Object executionContext)
                   checkWrite(FileDescriptor filedescriptor)
                   checkWrite(String filename)
System commands    checkExec(String command)
                   checkLink(String library)
Interpreter        checkExit(int status)
Package            checkPackageAccess(String packageName)
                   checkPackageDefinition(String packageName)
Properties         checkPropertiesAccess()
                   checkPropertyAccess(String key)
                   checkPropertyAccess(String key, String def)
Networking         checkSetFactory()
Windows            checkTopLevelWindow(Object window)

Implementing Java Security Module 4, slide 6 of 24



Security Manager checkXXX Methods


• Called by Java classes and Java runtime
• checkXXX() methods

Implementing Java Security Module 4, slide 5 of 24



Security Managers and Applications


• No security manager by default
• Checking for a security manager
SecurityManager secureApp = System.getSecurityManager();

Implementing Java Security Module 4, slide 4 of 24



Security Manager Overview


• Definition
• Role of security manager
• Browser security manager

Implementing Java Security Module 4, slide 3 of 24



Module Overview
• Course map
• Relevance
• Objectives

Implementing Java Security Module 4, slide 2 of 24



Module 4

Security Manager


Think Beyond
• You have looked at the verification process and class
loaders in detail and their role in overall Java security.
• The third element in the java.lang package that
provides for security is the security manager.
• The next module provides the details on the
SecurityManager class and how to write your own
security manager.

Implementing Java Security Module 3, slide 22 of 22



Check Your Progress


• Identify what a class loader controls and what role it
plays in Java security.
• Explain name spaces and their relationship to class
loaders.
• Distinguish between the applet class loader and the
system class loader.
• Describe the significance of the
java.security.SecureClassLoader class in JDK
1.2.
• Write a simple class loader for either JDK 1.1 or 1.2 that
addresses a specified security problem.

Implementing Java Security Module 3, slide 21 of 22



Exercise: Creating Your Own Class Loader
• Objective
• Preparation
• Tasks
• Failure to check the cache
• Add checksum validation to the class loader
• Handling resources
• A generalized class loader
• Exercise summary

Implementing Java Security Module 3, slide 20 of 22



Further Security Features


• Restriction of certain package hierarchies
• Access protected
• Definition protected
• Handling digital signatures
• Class loaders and name space

Implementing Java Security Module 3, slide 19 of 22



Class Loader Security Considerations


• Essential security features
• Validate class/package name
• Check the cache
• Check system class
• Run verifier

Implementing Java Security Module 3, slide 18 of 22



Class Loaders in JDK 1.2


• Subclassing SecureClassLoader
• Implement a constructor
• Define findLocalClass(String classname)
• Class loader hierarchies
• findLocalClass() method
• URLClassLoader class

Implementing Java Security Module 3, slide 17 of 22



Resource Loading
• getResource()
• getSystemResource()
• getSystemResourceAsStream()
• Resource naming

Implementing Java Security Module 3, slide 16 of 22



Creating Customized Class Loaders


• Note – In JDK 1.2, unnecessary to create a new
ClassLoader
• Create protocol handlers
• Possible reasons for creating a ClassLoader class in an
application
• To load classes from an unusual source
• To restrict the classes it loads when special security
protections are required
• To update caching of remote classes
• To use a modified classfile format

Implementing Java Security Module 3, slide 15 of 22



Standard Class Loaders


• System class loader
• Browser class loader (applets)
• java.security.SecureClassLoader and
java.net.URLClassLoader in JDK 1.2
• URLs describing JAR over HTTP
• jar:http://www.foo.com/classes/utils.jar!/

Implementing Java Security Module 3, slide 14 of 22



Resolve the Class


• loadClass(String, boolean)
• resolveClass()

Implementing Java Security Module 3, slide 13 of 22



Add the Class to the Cache


• Since JDK 1.1, defineClass() automatically places the
loaded class into the cache.

Implementing Java Security Module 3, slide 12 of 22



Install the Class


• defineClass() methods
• defineClass(byte[], int, int) – Deprecated
• defineClass(String, byte[], int, int)
• Reason for existence of second defineClass()
• defineClass() in SecureClassLoader

Implementing Java Security Module 3, slide 11 of 22



Load the Byte Code


• Load bytes of class into single array
• Allocation of sufficient size may not be possible
before loading
• Load byte codes in chunks and accumulate

Implementing Java Security Module 3, slide 10 of 22



Create File/Directory Reference


• Build directory reference using package name
• Path concept
• Directory hierarchy on disk system
• HTTP server
• Directory structure in ZIP or JAR file

Implementing Java Security Module 3, slide 9 of 22



Check the Parent Class Loader


• Before loading a class, is class loadable by parent class
loader?
• Prior to JDK 1.2, parent class loader = system class
loader
• In JDK 1.2, class loaders form a tree
• Invoking parent class loader
• loadClass()
• findSystemClass()
• Reasons for checking system classes

Implementing Java Security Module 3, slide 8 of 22



Check the Cache


• java.util.Map interface
• java.util.Hashtable class
• Changes with JDK 1.1 and JDK 1.2
• Per-class loader cache

Implementing Java Security Module 3, slide 7 of 22



Validate the Class Name


• Validate class and package name
• Area of security bugs in earlier JDK versions

Implementing Java Security Module 3, slide 6 of 22



Tasks to Loading a Class


• Validate the class name
• Check the cache
• Check the parent class loader
• Create a file or directory reference
• Load the byte code
• Install the class
• Add the class to the cache
• Resolve the class

Implementing Java Security Module 3, slide 5 of 22
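The eight tasks above, carried out in order by one custom loader, as an added example that is not part of the course materials. It uses the JDK 1.2 ClassLoader API (parent delegation, findLoadedClass(), the name-taking defineClass()) written in current Java; the base directory and the class name given on the command line are assumptions.

```java
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;

/**
 * Added example: a class loader that performs the eight tasks of the
 * slide in order, reading .class files from one directory tree.
 * The base directory is an assumption supplied by the caller.
 */
public class DirectoryClassLoader extends ClassLoader {
    private final File baseDir;   // root of the package directory tree

    public DirectoryClassLoader(File baseDir, ClassLoader parent) {
        super(parent);
        this.baseDir = baseDir;
    }

    @Override
    protected synchronized Class<?> loadClass(String name, boolean resolve)
            throws ClassNotFoundException {
        // 1. Validate the class name: bytes from our directory must never
        //    define a core class, and a binary name contains no path separators.
        if (name.startsWith("java.") || name.indexOf('/') >= 0 || name.indexOf('\\') >= 0) {
            throw new ClassNotFoundException("illegal class name: " + name);
        }
        // 2. Check the cache: the VM remembers every class this loader defined.
        Class<?> c = findLoadedClass(name);
        if (c != null) {
            return resolveIfNeeded(c, resolve);
        }
        // 3. Ask the parent first, so a class in our directory cannot shadow
        //    a system class of the same name.
        try {
            ClassLoader parent = getParent();
            c = (parent != null) ? parent.loadClass(name) : findSystemClass(name);
            return resolveIfNeeded(c, resolve);
        } catch (ClassNotFoundException notInParent) {
            // fall through: the parent does not know this class, so it is ours to load
        }
        // 4. Create the file reference from the package name.
        File classFile = new File(baseDir, name.replace('.', File.separatorChar) + ".class");
        // 5. Load the byte code in chunks; the size is not known up front.
        byte[] code;
        try {
            code = readFully(new FileInputStream(classFile));
        } catch (IOException e) {
            throw new ClassNotFoundException(name, e);
        }
        // 6. Install the class with the name-checking defineClass(); the VM
        //    rejects a byte array whose class name differs from 'name'.
        // 7. defineClass() also records the class in this loader's cache.
        c = defineClass(name, code, 0, code.length);
        // 8. Resolve (link) the class if the caller asked for it.
        return resolveIfNeeded(c, resolve);
    }

    private Class<?> resolveIfNeeded(Class<?> c, boolean resolve) {
        if (resolve) {
            resolveClass(c);
        }
        return c;
    }

    /** Accumulates an input stream of unknown length into one byte array. */
    private static byte[] readFully(InputStream in) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] chunk = new byte[4096];
        try {
            for (int n; (n = in.read(chunk)) != -1; ) {
                out.write(chunk, 0, n);
            }
        } finally {
            in.close();
        }
        return out.toByteArray();
    }

    // Usage: java DirectoryClassLoader <base-dir> <binary.class.Name>
    public static void main(String[] args) throws Exception {
        ClassLoader cl = new DirectoryClassLoader(new File(args[0]),
                DirectoryClassLoader.class.getClassLoader());
        Class<?> c = cl.loadClass(args[1]);
        System.out.println(c.getName() + " defined by " + c.getClassLoader());
    }
}
```

The two checks that matter for security are steps 1 and 3: the name check stops the directory from supplying a class in java.*, and parent-first delegation stops it from shadowing a class the system already provides. Later JDKs make defineClass() itself refuse names starting with java., but a loader should not rely on that alone.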



How Is a Class Loaded?


• The loadClass() method
• public Class loadClass(String name)
  throws ClassNotFoundException
• protected Class loadClass(String name,
  boolean resolve) throws ClassNotFoundException

Implementing Java Security Module 3, slide 4 of 22



When Is a Class Loaded?


• Source code level
• MyClass mc = new MyClass();
• Class c = Class.forName("myUtils.MyClass");
• ClassLoader cl =
this.getClass().getClassLoader();
Class c = cl.loadClass("myUtils.MyClass");
• Explicitly created
• ClassLoader cl = new MyClassLoader();

Implementing Java Security Module 3, slide 3 of 22



Module Overview
• Course map
• Relevance
• Objectives
• References

Implementing Java Security Module 3, slide 2 of 22



Module 3

Class Loaders

Implementing Java Security April 1998



Think Beyond
• What is the role of a class loader?
• What are its responsibilities?
• What class loaders are provided by the JVM and
browsers?
• How do you write and implement your own class
loader?

Implementing Java Security Module 2, slide 19 of 19



Check Your Progress


• Define byte codes.
• Describe the principle of checking byte codes for static
  integrity.
• Outline the type of checks that can (must be) deferred to
  runtime.
• Explain why type safety is fundamental to security in
  Java.

Implementing Java Security Module 2, slide 18 of 19



Exercise: Working With Byte Codes


• Objective
• Preparation
• Tasks
• Kimera verifier and disassembler
• Class that fails the verifier
• Jasmin – Java assembler interface
• Exercise summary

Implementing Java Security Module 2, slide 17 of 19



Indirect Execution
• Definition
• JIT compilers
• JavaChips

Implementing Java Security Module 2, slide 16 of 19



What Is Being Done


• Formal definition of the JVM
• Compatibility tests

Implementing Java Security Module 2, slide 15 of 19



Kimera Project
• What is it?
• Kimera verifier
• JDK 1.1.2 verifier bug discovered
• Verifier summary

Implementing Java Security Module 2, slide 14 of 19



Verifier and Class Loader Exploitation

• Classes and name spaces
• Creating class loaders
• Hostile class loader creates type confusion
  (Figure: two name spaces, each holding Class1, Class2 and
  Class3. In one, Class3 is Class3Malicious with
  "private boolean spoof;"; in the other, Class3 is
  Class3Trusted with "private boolean trustMe;". Code that
  expects Class3Trusted is handed Class3Malicious under the
  same name.)
• Fixing the problem

Implementing Java Security Module 2, slide 13 of 19



Verifier Bugs in Previous JDK Releases


• Type confusion
• Case of type confusion
• Definition

Implementing Java Security Module 2, slide 12 of 19



Type Safety
• Type safety example
  (Figure: an Alarm object with the methods turnOn, setTime and
  setAlarm beside an Applet object with the boolean fields
  fileAccessAllowed and networkAccessAllowed. A makeTrue()
  method written for one type sits between them: without type
  safety it could be applied to the other object and flip the
  Applet's access flags.)
• Type checking
  • Dynamic
  • Static

Implementing Java Security Module 2, slide 11 of 19
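What "Fixing the problem" on the exploitation slide and the dynamic type check on this slide rest on, as an added example that is not from the course: the runtime type is the pair (defining loader, class name), so the same bytes defined by two loaders give two classes that share a name yet reject each other's instances. Payload stands in for Class3Trusted and is a constructed sample; IsolatingLoader is a hypothetical loader written for this demonstration.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;

/**
 * Added example: the same class bytes defined by two different loaders
 * are two distinct runtime types. This is the behaviour that closes the
 * name-space type-confusion hole described on the slides.
 */
public class NamespaceDemo {

    /** Stand-in for the slide's Class3Trusted (a constructed sample). */
    public static class Payload {
        public boolean trustMe;
    }

    /** Defines exactly one class from a byte array; everything else goes to bootstrap. */
    static final class IsolatingLoader extends ClassLoader {
        private final String ownName;
        private final byte[] code;

        IsolatingLoader(String ownName, byte[] code) {
            super(null);                     // parent is the bootstrap loader only
            this.ownName = ownName;
            this.code = code;
        }

        @Override
        protected Class<?> loadClass(String name, boolean resolve)
                throws ClassNotFoundException {
            if (!name.equals(ownName)) {
                return super.loadClass(name, resolve);   // java.lang.Object and friends
            }
            Class<?> c = findLoadedClass(name);          // per-loader cache
            if (c == null) {
                c = defineClass(name, code, 0, code.length);
            }
            if (resolve) {
                resolveClass(c);
            }
            return c;
        }
    }

    /** Reads the .class bytes of an already-loaded class back from its loader. */
    static byte[] classBytes(Class<?> c) throws IOException {
        String resource = c.getName().replace('.', '/') + ".class";
        try (InputStream in = c.getClassLoader().getResourceAsStream(resource)) {
            if (in == null) {
                throw new IOException("no resource " + resource);
            }
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            byte[] buf = new byte[4096];
            for (int n; (n = in.read(buf)) != -1; ) {
                out.write(buf, 0, n);
            }
            return out.toByteArray();
        }
    }

    /** True only if an instance of b is accepted where a is expected. */
    static boolean crossLoaderCastSucceeds(Class<?> a, Class<?> b) throws Exception {
        Object fromB = b.getDeclaredConstructor().newInstance();
        try {
            a.cast(fromB);
            return true;
        } catch (ClassCastException expected) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        String name = Payload.class.getName();
        byte[] bytes = classBytes(Payload.class);
        Class<?> a = new IsolatingLoader(name, bytes).loadClass(name);
        Class<?> b = new IsolatingLoader(name, bytes).loadClass(name);

        System.out.println("same name:                    " + a.getName().equals(b.getName()));
        System.out.println("same runtime type:            " + (a == b));
        System.out.println("cast across loaders succeeds: " + crossLoaderCastSucceeds(a, b));
    }
}
```

Run as java NamespaceDemo: the first line prints true and the other two print false. The hostile loader on the slide depended on the VM treating the class name alone as the type; once the defining loader is part of the identity, a Class3Malicious cannot be passed to code compiled against Class3Trusted without a ClassCastException.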



Completing All Four Passes


• If all passes complete without error, you know that:
• Classes adhere to the class file format specifications.
• There are no access restriction violations.
• Code causes no operand stack overflows or
underflows.
• Types of parameters to opcodes are always correct.
• No illegal data conversions have occurred.
• Object field accesses are legal.
• Local variables are initialized before first access.

Implementing Java Security Module 2, slide 10 of 19



Pass 4
• Checks performed vary between JVM implementations
• In a Sun JVM implementation, the executing instruction
performs specific actions:
• The first time a class is referenced
• The first time it invokes a method, or accesses or
modifies a field

Implementing Java Security Module 2, slide 9 of 19



Pass 3 – Byte Code Verification


• Byte code verifier performs data-flow analysis on each
method
• Operand stack size and types of objects
• Local variable access
• Method invocation and arguments
• Field values
• Opcode argument types on the operand stack and in
local variables

Implementing Java Security Module 2, slide 8 of 19



Pass 2
• Checks that items are well formed
• final classes are not subclassed, and final methods
are not overridden.
• Every class (except Object) has a superclass.
• Constant pool is properly formed.
• Field and method references in the constant pool
have valid names, classes, and type descriptors.

Implementing Java Security Module 2, slide 7 of 19



Pass 1
• Checks the basic form of the class file
• First four bytes have correct magic number
• Recognized attributes have the proper length
• class file is not truncated and does not have trailing
extra bytes
• Constant pool does not contain unrecognizable
information

Implementing Java Security Module 2, slide 6 of 19
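A structural walk of the kind Pass 1 performs, as an added example written for this page; it is not the JDK's verifier. It detects a bad magic number, an unrecognizable constant pool tag, truncation and trailing bytes, and it moves past declared lengths through a bounded buffer so a hostile length field cannot make it allocate gigabytes. It does not check attribute lengths against their names, which the real Pass 1 does. The file path on the command line is an assumption.

```java
import java.io.DataInputStream;
import java.io.EOFException;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;

/** Added example: Pass 1 style layout checks on a class file. */
public class ClassFilePass1 {
    private static final int MAGIC = 0xCAFEBABE;

    /** Returns normally if the layout is sound; throws IOException naming the first fault. */
    public static void check(InputStream raw) throws IOException {
        DataInputStream in = new DataInputStream(raw);
        try {
            if (in.readInt() != MAGIC) {
                throw new IOException("first four bytes are not 0xCAFEBABE");
            }
            in.readUnsignedShort();                      // minor_version
            in.readUnsignedShort();                      // major_version
            skipConstantPool(in);
            skipFully(in, 6);                            // access_flags, this_class, super_class
            skipFully(in, 2 * in.readUnsignedShort());   // interfaces[]
            skipMembers(in);                             // fields[]
            skipMembers(in);                             // methods[]
            skipAttributes(in);                          // class-level attributes[]
        } catch (EOFException e) {
            throw new IOException("class file is truncated");
        }
        if (in.read() != -1) {
            throw new IOException("trailing bytes after the last attribute");
        }
    }

    private static void skipConstantPool(DataInputStream in) throws IOException {
        int count = in.readUnsignedShort();
        if (count == 0) {
            throw new IOException("constant_pool_count is zero");
        }
        for (int i = 1; i < count; i++) {
            int tag = in.readUnsignedByte();
            switch (tag) {
                case 1:                                        // Utf8: u2 length + bytes
                    skipFully(in, in.readUnsignedShort()); break;
                case 7: case 8: case 16: case 19: case 20:     // Class, String, MethodType, Module, Package
                    skipFully(in, 2); break;
                case 15:                                       // MethodHandle: u1 kind + u2 index
                    skipFully(in, 3); break;
                case 3: case 4: case 9: case 10: case 11: case 12: case 17: case 18:
                    skipFully(in, 4); break;                   // Integer, Float, *ref, NameAndType, (Invoke)Dynamic
                case 5: case 6:                                // Long, Double: 8 bytes, two pool slots
                    skipFully(in, 8); i++; break;
                default:
                    throw new IOException("unrecognizable constant pool tag " + tag + " at index " + i);
            }
        }
    }

    private static void skipMembers(DataInputStream in) throws IOException {
        int count = in.readUnsignedShort();
        for (int i = 0; i < count; i++) {
            skipFully(in, 6);                   // access_flags, name_index, descriptor_index
            skipAttributes(in);
        }
    }

    private static void skipAttributes(DataInputStream in) throws IOException {
        int count = in.readUnsignedShort();
        for (int i = 0; i < count; i++) {
            in.readUnsignedShort();             // attribute_name_index
            int length = in.readInt();          // u4, so values >= 2^31 read as negative
            if (length < 0) {
                throw new IOException("attribute length exceeds 2 GiB");
            }
            skipFully(in, length);
        }
    }

    /** Consumes exactly n bytes through a small buffer; EOFException if the file is shorter. */
    private static void skipFully(DataInputStream in, int n) throws IOException {
        byte[] buf = new byte[Math.min(n, 8192)];
        while (n > 0) {
            int k = Math.min(n, buf.length);
            in.readFully(buf, 0, k);
            n -= k;
        }
    }

    public static void main(String[] args) throws IOException {
        try (InputStream in = new FileInputStream(args[0])) {
            check(in);
        }
        System.out.println(args[0] + ": passes the Pass 1 layout checks");
    }
}
```

Every length in a class file is attacker-controlled, so the checker never trusts one to size an allocation and it treats running out of bytes and having bytes left over as two separate faults, which is exactly the distinction the slide draws.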



Class Verifier
• Significance to Java security
• Verification process
  Pass 1 (during loading):   basic class file integrity checks
  Pass 2 (during linking):   remaining checks that do not require
                             looking at the code array
  Pass 3 (during linking):   data-flow analysis on each method in
                             the code array (the byte code verifier)
  Pass 4 (during execution): checks on first-time execution of
                             instructions referencing classes,
                             methods, and fields

Implementing Java Security Module 2, slide 5 of 19



Java Interpreter
• Running code compiled for JVM
• Tasks of Java interpreter
• Loading code
• Verifying code
• Executing code

Implementing Java Security Module 2, slide 4 of 19



Java Virtual Machine


• Definition
• Characteristics of the JVM
• Knows class file format
• Imposes strong format and structural constraints
• Operates on primitive values and reference values
• Supports execution of multiple threads

Implementing Java Security Module 2, slide 3 of 19



Module Overview
• Course map
• Relevance
• Objectives
• References

Implementing Java Security Module 2, slide 2 of 19



Module 2

Java Virtual Machine and the Verification Process

Implementing Java Security April 1998



Think Beyond
• What does the byte code verifier check?
• How sure can you be that a particular JVM
implementation and byte code verifier work as
specified by the Java language?

Implementing Java Security Module 1, slide 19 of 19



Check Your Progress


• Define computer security and identify five good
security practices.
• Describe the security features provided in the Java
language, including the sandbox, bytecode verifier,
class loader, and security manager.
• Explain what the Java security solution is with regard to
good security practices.

Implementing Java Security Module 1, slide 18 of 19



Security Manager
• Called by JVM when code is run
• Approves or disapproves actions

Implementing Java Security Module 1, slide 17 of 19
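How the JVM consults the security manager, as an added example that is not from the course: ReadOnlySandboxManager is a hypothetical subclass that approves file reads below one directory outright and refers every other check to the default access controller, whose policy decides. The sandbox is a temporary directory created by the example itself. SecurityManager is deprecated for removal, and from Java 18 on System.setSecurityManager() only works when the JVM is started with -Djava.security.manager=allow.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FilePermission;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.Permission;

/**
 * Added example: a SecurityManager that approves reads under one sandbox
 * directory and lets the default access controller decide everything else.
 */
public class ReadOnlySandboxManager extends SecurityManager {
    private final FilePermission sandboxReads;

    public ReadOnlySandboxManager(String sandboxDir) {
        // "<dir>/-" covers the directory and everything beneath it, recursively.
        sandboxReads = new FilePermission(sandboxDir + "-", "read");
    }

    /** The JVM routes every guarded action here (file, socket, property, thread ...). */
    @Override
    public void checkPermission(Permission perm) {
        if (perm instanceof FilePermission && sandboxReads.implies(perm)) {
            return;                           // approved without consulting the policy
        }
        // Everything else: the access controller walks the call stack and
        // applies the policy file, so JDK code inside doPrivileged keeps
        // working while application code gets only what the policy grants.
        super.checkPermission(perm);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: a throwaway sandbox with one readable file.
        Path sandbox = Files.createTempDirectory("sandbox");
        Path allowed = sandbox.resolve("ok.txt");
        Files.write(allowed, "hello".getBytes(StandardCharsets.US_ASCII));

        System.setSecurityManager(
                new ReadOnlySandboxManager(sandbox.toString() + File.separator));

        new FileInputStream(allowed.toFile()).close();     // approved by the manager
        System.out.println("read inside the sandbox: allowed");
        try {
            new FileInputStream("/etc/passwd").close();    // referred to the policy
            System.out.println("read outside the sandbox: allowed (policy grants it)");
        } catch (SecurityException e) {
            System.out.println("read outside the sandbox: " + e.getMessage());
        }
    }
}
```

Two points a practitioner should take from this. FilePermission.implies() compares normalized paths, so a name such as <sandbox>/../etc/passwd is refused; it does not follow symbolic links on JDK 9 and later, so a link created inside the sandbox still reaches outside it. And the manager must not refuse unconditionally in checkPermission(): the JVM itself reads files while loading classes, and only the stack walk in super.checkPermission() distinguishes those privileged reads from application code.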



Byte Code Verifier

(Figure: a pipeline from local Java source code through the Java
compiler, the byte code verifier, some class loader and the
security manager; untrusted byte code and byte code found on the
CLASSPATH are shown as the two other inputs to the pipeline.)
Implementing Java Security Module 1, slide 16 of 19



Byte Code Verifier


• Called by class loader
• Code must conform to language specifications
• Checks for violations of
• Rules
• Name space
• Stack
• Type casts

Implementing Java Security Module 1, slide 15 of 19



Class Loader
• Downloads code for imported applet
• Enforces name space boundaries

(Figure: three sources of classes, each in its own name space:
local classes, classes from trusted machines, and classes from
a URL.)

Implementing Java Security Module 1, slide 14 of 19



What Is the Sandbox?


• Definition
• Model

Implementing Java Security Module 1, slide 13 of 19



Sandbox Security Model


Three-pronged approach:
• Byte code verifier
• Class loader
• Security manager

Implementing Java Security Module 1, slide 12 of 19



Security Practices and the Java Language

Implementing Java Security Module 1, slide 11 of 19



Security Practices and Java


• Authentication – Message digests, digital signatures,
certificates
• Authorization – Access control lists, security manager,
JDK 1.2 protection domains
• Confidentiality – Public/private key encryption
• Non-Repudiation – Message digests, digital signatures
• Auditing – Security manager, future enhancements
• Containment – VM, class loader, security manager,
JDK 1.2 protection domains

Implementing Java Security Module 1, slide 10 of 19



Auditing
• Helps isolate and remedy problems
• Does not prevent attacks
• Records extent of breaches
• Assists in repairing damage

Implementing Java Security Module 1, slide 9 of 19



Non-Repudiation
• Proof of participation in a transaction
• Promotes electronic agreements between individuals

Implementing Java Security Module 1, slide 8 of 19



Confidentiality and Integrity


• Confidentiality – Provides protection from
unauthorized access
• Data integrity – Provides protection against data
alteration

Implementing Java Security Module 1, slide 7 of 19



Resource Control and Containment


• Depends on authentication and authorization
• Defines resources available to each authenticated user

Implementing Java Security Module 1, slide 6 of 19



Authorization
• For each authenticated user:
• Determines levels of access
• Determines allowed activities or actions

Implementing Java Security Module 1, slide 5 of 19



Identification and Authentication


• Legitimacy of node or user
• Account (identification)
• Password (authentication)

Implementing Java Security Module 1, slide 4 of 19



What Is Security?
• Definition
• Good security practices
• Identification and authentication
• Authorization
• Resource control and containment
• Confidentiality and integrity
• Non-repudiation
• Auditing

• Educate users, break-in detection, recovery plan

Implementing Java Security Module 1, slide 3 of 19



Module Overview
• Course map
• Relevance
• Objectives
• References

Implementing Java Security Module 1, slide 2 of 19



Module 1

Security Overview

Implementing Java Security April 1998



Typographical Conventions and Symbols
• Courier – Commands, files, and directories, on-screen
  computer output
• Courier bold – Input you type
• Courier italic – Variables and command-line placeholders
• Palatino italics – Book titles, new words or terms, words
  that are emphasized

Implementing Java Security Preface, slide 15 of 15



How to Use the Icons

• Discussion

• Laboratory

• Reference

Implementing Java Security Preface, slide 14 of 15



How to Use Course Materials


• Course Map
• Relevance
• Overhead Image
• Lecture
• Exercise
• Check Your Progress
• Think Beyond

Implementing Java Security Preface, slide 13 of 15



Introductions
• Name
• Company affiliation
• Title, function, and job responsibility
• Security application experience
• Distributed computing experience
• Reasons for enrolling in this course
• Expectations for this course

Implementing Java Security Preface, slide 12 of 15



How Prepared Are You?


• Experienced Java programmer able to use AWT
components, layout managers, event handling?
• Implemented interfaces and exception handling?
• Worked with I/O classes, socket communication, and
threads?
• Experienced with object-oriented programming
languages?
• At ease with learning new APIs?
• Learn best from code example and technical
explanation?

Implementing Java Security Preface, slide 11 of 15



Topics Not Covered


• Object-oriented concepts
• Object-oriented design and analysis
• System administration concepts
• Java language constructs
• Details on distributed programming APIs

Implementing Java Security Preface, slide 10 of 15



Guidelines for Module Pacing


Day   Module                                          Session
1     About This Course                               A.M.
1     Security Overview                               A.M.
1     Java Virtual Machine and Byte Code Verifier     A.M./P.M.
1     Class Loaders                                   P.M.
2     Security Managers                               A.M.
2     Extending the Sandbox Security Model            A.M./P.M.
2     JDK Security Classes                            P.M.
3     Cryptography                                    A.M.
3     Message Digests                                 A.M./P.M.
3     Digital Signatures and Certificates             P.M.
4     Access Control Lists                            A.M.
4     Secure Communications                           A.M./P.M.
4     Encryption and SSL                              P.M.
5     Java Security-Related Software and Products     A.M.
5     Applets and Common Internet Security Problems   A.M.
5     Balanced Solutions                              P.M.

Implementing Java Security Preface, slide 9 of 15



Skills Gained by Module


Meaning of:
• Black boxes
• Gray boxes

Module
Skills Gained 1 2 3 4
Skill or Objective 1
Skill or Objective 2
Skill or Objective 3
Skill or Objective 4

Implementing Java Security Preface, slide 8 of 15


Course Objectives
• Identify and describe five good security practices and explain how the
features of the Java platform address these practices.
• Describe the security features provided by the Java Virtual Machine and the
byte code verifier.
• Implement a security manager or class loader to control specific aspects of
security.
• Compare and contrast the Sandbox and the Java Protection Domains Security
model.
• Use the security classes in JDK 1.2 to create new Permission types and a
security policy file.
• Compare and contrast symmetric and asymmetric algorithms for encryption.
• Implement digital signatures, message digests, or access control lists to
enhance the security provided with the Java language.
• Use jarsigner and keytool utilities to create and manage public and private
keys and certificates, as well as generate and verify signatures for JAR files.
• Define SSL, SKIP, and secure multicast; explain why they are important to
secure communications; and identify technologies that are using them.
• Use the SSL API classes and methods to encrypt data to protect it from
network “snooping.”
• Describe the security features provided by most Web servers and the
additional features of Java Web Server™.
• Compare and contrast the security options provided by browsers such as
Netscape Navigator and HotJava.
• Implement a malicious applet that results in denial of service.
• Describe and demonstrate common Internet security problems.
• Weigh costs against the benefits when implementing a Java security policy.

Implementing Java Security Preface, slide 7 of 15



Module-by-Module Overview
• Module 9 – Digital Signatures and Certificates
• Module 10 – Access Control Lists
• Module 11 – Secure Communications
• Module 12 – Encryption and SSL
• Module 13 – Java Security-Related Software and
Products
• Module 14 – Applets and Common Internet Security
Problems
• Module 15 – Balanced Solutions

Implementing Java Security Preface, slide 6 of 15



Module-by-Module Overview
• Module 1 – Security Overview
• Module 2 – Java Virtual Machine and Byte Code
Verification
• Module 3 – Class Loaders
• Module 4 – Security Managers
• Module 5 – Extending the Sandbox Security Model
• Module 6 – JDK Security Classes
• Module 7 – Cryptography
• Module 8 – Message Digests

Implementing Java Security Preface, slide 5 of 15


Course Map
Foundation
  Security Overview
  JVM and Byte Code Verification
  Class Loaders
  Security Managers

Security Model and Classes
  Extending the Sandbox Security Model
  JDK Security Classes

Security Features
  Cryptography
  Message Digests
  Digital Signatures and Certificates
  Access Control Lists

Security Protocols and Products
  Secure Communications
  Encryption and SSL
  Java Security-Related Software and Products

Security Problems and Policies
  Applets and Common Internet Security Problems
  Balanced Solutions

Implementing Java Security Preface, slide 4 of 15



Course Overview
• Security features of the Java platform and JDK
• JVM, verification, class loaders
• Java Protection Domains security model
• JDK 1.2 security classes
• Security protocols and Java products
• Applets and Internet security problems
• Balanced solutions

Implementing Java Security Preface, slide 3 of 15



Course Goal
Main goals of the course:
• Describe and illustrate security features of the Java
platform and JDK
• Give you practice implementing these security features

Implementing Java Security Preface, slide 2 of 15



Preface

About This Course

Implementing Java Security April 1998



Implementing Java Security xiii



  Exercise: Malicious Applets, False Mail, Password Snooping   14-21
  Check Your Progress   14-22
  Think Beyond   14-23

Balanced Solutions   15-1
  Module Overview   15-2
  Risks, Cost, and Benefits   15-3
  Monitoring CERT and Other Security Groups   15-5
  Outlining a Java Security Policy   15-6
  Other Security Considerations   15-7
  Check Your Progress   15-8

Implementing Java Security xii



  Security Configuration in Browsers   13-6
  HotJava Browser Security Settings   13-7
  Applet Security Settings   13-9
  Advanced Applet Security Settings   13-10
  Firewalls and Browsers   13-11
  Java Card   13-12
  Exercise: Investigating Browser Security Settings   13-13
  Check Your Progress   13-14
  Think Beyond   13-15

Applets and Common Internet Security Problems   14-1
  Module Overview   14-2
  Problems Still Exist   14-3
  Security Threats Posed by Java Applets   14-4
  Attack Applets   14-5
  Malicious Applets   14-6
  Denial of Service Applets   14-7
  Deprecation of Thread Methods   14-8
  Example of Recommended Programming   14-9
    Instead of suspend and resume   14-10
  CLASSPATH and Security   14-11
  CERT   14-12
  cert-advisory Mailing List   14-13
  Security-Related Mailing Lists   14-14
  Security-Related WWW Sites   14-15
  Common Internet Security Problems   14-16
  Passwords   14-17
  Email   14-18
  Berkeley r Commands   14-19
  Internal Risks   14-20

Implementing Java Security xi



  JSAFE   11-14
  SKIP   11-15
  Comparison of SSL and SKIP   11-16
  Secure Multicast   11-17
  Covert Channels   11-18
  Check Your Progress   11-19
  Think Beyond   11-20

Encryption and SSL   12-1
  Module Overview   12-2
  Secure Sockets Layer API   12-3
  Standard Java Extension   12-4
  SSL Socket Factories   12-5
  Implementation Classes   12-6
  sun.security Package   12-7
  Interfaces   12-8
  Classes   12-9
  Cipher Suites   12-10
  Login Facility   12-11
  CertStore Class   12-12
  Using the SSL Packages   12-13
  Exercise: Using Cryptography in Java Programs   12-14
  Check Your Progress   12-15
  Think Beyond   12-16

Java Security-Related Software and Products   13-1
  Module Overview   13-2
  Web Servers   13-3
  Java Web Server   13-4
  What SSL Provides to Your Web Site   13-5

Implementing Java Security x


Copyright 1998 Sun Microsystems, Inc. All Rights Reserved. SunService April 1998
Sun Educational Services

Exercise: Working With Digital Signatures. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-33


Check Your Progress . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-34
Think Beyond . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-35

Access Control Lists. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-1


Module Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-2
What Are Access Control Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-3
Why Use ACLs? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-4
ACL Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-5
How ACLs Work. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-6
ACL Entries and Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-7
Calculating Individual Principal Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-8
ACL Interface Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-9
ACL Code Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-10
Enforcing Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-13
Exercise: Using Access Control Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-14
Check Your Progress . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-15
Think Beyond . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-16

Secure Communications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-1


Module Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-2
Secure Communication Protocols. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-3
SSL. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-4
Ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-5
Major Protocol Elements of SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-6
telnet Implementation Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-8
Server Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-9
Browser Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-10
S-HTTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-11
Products Implementing SSL and S-HTTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-13

Implementing Java Security ix


Copyright 1998 Sun Microsystems, Inc. All Rights Reserved. SunService April 1998
Sun Educational Services

Think Beyond . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-15

Digital Signatures and Certificates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1


Module Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2
What Are Digital Signatures? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-3
Comparing Handwritten and Digital Signatures. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-5
What Are Certificates? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-6
Certificate Example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-7
Which Applications Use Certificates? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-9
JDK Signing Utilities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-10
X.509 Certificates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-11
X.509 Versions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-12
Keystore Architecture. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-13
keytool Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-14
Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-16
Option Defaults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-17
Generating or Adding Data to the Keystore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-18
Self-Signed Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-19
Displaying Data in the Keystore. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-20
Deleting an Entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-21
Importing Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-22
Exporting Certificates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-24
jarsigner Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-25
jarsigner Tool Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-26
jarsigner Option Value Defaults. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-27
Content of the Signed JAR File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-28
Signing a JAR File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-29
Verifying a JAR File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-30
Modifying the Security Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-31
Recap. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-32

Implementing Java Security viii


Copyright 1998 Sun Microsystems, Inc. All Rights Reserved. SunService April 1998
Sun Educational Services

Common Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-8


Algorithms at a Glance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-9
World Legal Picture of Encryption. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-10
Restrictions Elsewhere . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-11
Java Cryptography Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-12
Major Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-13
Provider Class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-14
Security Class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-15
Engine Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-16
Key Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-17
Signature Class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-18
Creating and Using a Signature Object. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-19
Signature Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-20
Java Cryptography Extension . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-21
Check Your Progress . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-22
Think Beyond . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-23

Message Digests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1


Module Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2
Terminology. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3
About Hash Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-4
Using Message Digests. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-5
Common Digest Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-6
Message Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-7
MessageDigest Class. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-8
Methods in the MessageDigest Class. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-9
Example for Computing a Digest . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-11
How to Use the Hash Value . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-12
Exercise: Creating Message Digests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-13
Check Your Progress . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-14

Implementing Java Security vii


Copyright 1998 Sun Microsystems, Inc. All Rights Reserved. SunService April 1998
Sun Educational Services

Check Your Progress . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-18


Think Beyond . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-19

JDK Security Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1


Module Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2
Permissions and Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3
java.security.Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-4
java.security.CodeSource . . . . . . . . . . . . . . . . . . . . . . . . . 6-5
java.security.Permission . . . . . . . . . . . . . . . . . . . . . . . . . 6-6
PermissionCollection and Permissions . . . . . . . . . . . . . . . . . . . 6-7
Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-9
java.security.ProtectionDomain . . . . . . . . . . . . . . . . . . . . . 6-10
java.security.AccessController . . . . . . . . . . . . . . . . . . . . . 6-11
java.security.SecureClassLoader . . . . . . . . . . . . . . . . . . . . 6-12
sun.misc.Launcher . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-13
Exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-14
PropertyPermission Class Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-15
Using the Permission Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-17
New Types of Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-18
Exercise: Permission Classes and Java Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-20
Check Your Progress . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-21
Think Beyond . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-22

Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1
Module Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2
Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3
Benefits of Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-4
Cryptographic Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5
Symmetric Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-6
Asymmetric Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-7

Implementing Java Security vi


Copyright 1998 Sun Microsystems, Inc. All Rights Reserved. SunService April 1998
Sun Educational Services

Overriding the checkRead Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-11


accessOK Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-12
Security Manager Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-13
checkLink and checkTopLevelWindow Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-14
checkAccess Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-15
checkWrite Methods. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-16
checkWrite Methods. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-17
checkXXX Method Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-18
Installing a Security Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-19
File Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-20
After Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-21
Exercise: Creating a Security Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-22
Check Your Progress . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-23
Think Beyond . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-24

Extending the SandBox Security Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1


Module Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2
Java Security Model Evolution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3
Sandbox Security Model Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4
What the Sandbox Does Not Protect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-5
Applet Capabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-6
Java Protection Domains Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-7
Protection Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-9
Security Policy File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-10
GUI Policy Tools – policytool . . . . . . . . . . . . . . . . . . . . . . . 5-12
Policy File Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-13
Policy File Example Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-14
Matching Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-15
Domains and Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-16
Calculating Permissions Across Domains. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-17

Implementing Java Security v


Copyright 1998 Sun Microsystems, Inc. All Rights Reserved. SunService April 1998
Sun Educational Services

How Is a Class Loaded? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4


Tasks to Loading a Class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5
Validate the Class Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-6
Check the Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-7
Check the Parent Class Loader . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-8
Create File/Directory Reference. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-9
Load the Byte Code. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-10
Install the Class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-11
Add the Class to the Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-12
Resolve the Class. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-13
Standard Class Loaders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-14
Creating Customized Class Loaders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-15
Resource Loading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-16
Class Loaders in JDK 1.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-17
Class Loader Security Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-18
Further Security Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-19
Exercise: Creating Your Own Class Loader . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-20
Check Your Progress . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-21
Think Beyond . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-22

Security Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1


Module Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2
Security Manager Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-3
Security Managers and Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-4
Security Manager checkXXX Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5
Methods and Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-6
FileInputStream Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-7
Flowchart for FileInputStream . . . . . . . . . . . . . . . . . . . . . . . . 4-8
Creating Your Own Security Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-9
Default checkRead Methods. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-10

Implementing Java Security iv


Copyright 1998 Sun Microsystems, Inc. All Rights Reserved. SunService April 1998
Sun Educational Services

What Is the Sandbox? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13


Class Loader. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-14
Byte Code Verifier. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-15
Security Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-17
Check Your Progress . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-18
Think Beyond . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-19

Java Virtual Machine and the Verification Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1


Module Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2
Java Virtual Machine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3
Java Interpreter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4
Class Verifier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5
Pass 1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6
Pass 2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7
Pass 3 – Byte Code Verification. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-8
Pass 4. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-9
Completing All Four Passes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-10
Type Safety. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-11
Verifier Bugs in Previous JDK Releases. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-12
Verifier and Class Loader Exploitation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-13
Kimera Project . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-14
What Is Being Done . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-15
Indirect Execution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-16
Exercise:Working With Byte Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-17
Check Your Progress . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-18
Think Beyond . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-19

Class Loaders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1


Module Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2
When Is a Class Loaded? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3

Implementing Java Security iii


Copyright 1998 Sun Microsystems, Inc. All Rights Reserved. SunService April 1998
Course Contents

About This Course . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Preface-1


Course Goal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Preface-2
Course Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Preface-3
Course Map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Preface-4
Module-by-Module Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Preface-5
Course Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Preface-7
Skills Gained by Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Preface-8
Guidelines for Module Pacing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Preface-9
Topics Not Covered . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Preface-10
How Prepared Are You? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Preface-11
Introductions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Preface-12
How to Use Course Materials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Preface-13
How to Use the Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Preface-14
Typographical Conventions and Symbols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Preface-15

Security Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1


Module Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
What Is Security?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3
Identification and Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4
Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5
Resource Control and Containment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Confidentiality and Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
Non-Repudiation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8
Auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-9
Security Practices and Java . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10
Sandbox Security Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-12

Implementing Java Security ii


Copyright 1998 Sun Microsystems, Inc. All Rights Reserved. SunService April 1998
Sun Educational Services

Implementing Java
Security

SL-303

Sun Educational Services

Implementing Java Security April 1998

You might also like