Demystifying Java platform security -- Part 2

By Ramesh Nagappan 23 Jun 2006 | SearchAppSecurity.com

RSS FEEDS:  Software quality news and advice

As you've seen, Java has many security features. In Part 1, I examined security within the Java Runtime Environment, Java security management tools and Java applet security. In Part 2, I'll review Java Web Start security and the Java Extensible Security Architecture and APIs.

Java Web Start Security
Java Web Start (JWS) is a full-fledged Java application that provides mechanisms for application distribution through a Web server and facilitates Java rich-client access to applications over a network. The underlying technology of JWS is the Java Network Launch protocol (JNLP), which provides a standard way for packaging and provisioning the Java programs (as JAR files) and then launching Java programs over a network. The JNLP-packaged applications are typically started from a Web browser that launches the client-side JWS software, which downloads, caches and then executes the application locally.

Typical to a stand-alone Java application, JWS applications run outside a Web browser using the sandbox features of the underlying Java platform. JWS also allows definition of security attributes for client-side Java applications and their access to local resources, such as file system access, making network connections, and so on. These security attributes are specified using XML tags in the JNLP descriptor file. The JNLP descriptor defines the application access privileges to the local and network resources.

In addition, JWS allows the use of digital signatures for signing JAR files in order to verify the application origin and its integrity so that it can be trusted before it is downloaded to a client machine. The certificate used to sign the JAR files is verified using the trusted certificates in the client Java keystore. This helps users avoid starting malicious applications and inadvertent downloads without knowing the originating source of the application.

Java Extensible Security Architecture and APIs
In addition to the runtime security architecture, the Java platform provides an extensible security API architectural model to support a variety of security infrastructures and services, including cryptographic services; certificate interfaces and classes for managing digital certificates; Public Key Infrastructure (PKI) interfaces and classes to access, modify and manage the key repository; certificates and secure socket communication to protect the privacy and integrity of data transited over the network; services for authentication and access control; and mechanisms for single signon access to underlying applications.

The Java platform facilitates an extensible security architectural model via standards-based security API technologies that provide platform independence and allow interoperability among vendor implementations. It adds on a variety of security features to the core Java platform by integrating technologies to support cryptography, certificate management, authentication and authorization, secure communication, and other custom security mechanisms. The following illustrates the Java extensible security architecture and its core API mechanisms.

Java Platform Extensible Security Architecture and Elements

As part of the J2SE bundle, the Java extensible security architecture provides the following set of API frameworks, which contributes to the end-to-end security of Java applications:

• Java Cryptography Architecture (JCA): The JCA provides basic cryptographic services and algorithms, which include support for digital signatures and message digests. The JCA facilitates support for various cryptographic algorithms by defining the types and functionalities of cryptographic services. The cryptographic services include support for message digests and digital signatures. The JCA also ensures interoperability among the provider implementations using a standardized set of APIs, which implements those required cryptographic algorithms and services. For example, using the same algorithms, a key generated by one provider can be used by another provider; likewise, a digital signature generated by one provider can be verified using another provider.
• Java Cryptographic Extension (JCE):
The JCE augments the JCA functionalities with added cryptographic services that were subjected to U.S. export control regulations and includes support for encryption and decryption algorithms. JCE facilitates the Java platform with cryptographic services and algorithms by providing implementations and interfaces support for cryptographic ciphers used for encryption and decryption, Password-based encryption, secret key generation used for symmetric algorithms, key agreement for encrypted communication among multiple parties, MAC algorithms to validate information transmitted between parties and support for PKCS#11 (Cryptographic Token Interface Standard), which allows devices to store cryptographic information and perform cryptographic services.
• Java Certification Path API (Java CertPath):
The Java CertPath lets you check, verify and validate the authenticity of certificate chains. The Java CertPath APIs offers API-based mechanisms for parsing and managing certificates, certificate revocation lists (CRLs) and certification paths (also referred to as certificate chains). The API implementations can be plugged into any J2SE environment because the same JCA provider interfaces are used. The API includes algorithm-specific classes for building and validating X.509 certification paths according to IETF-defined PKIX standards.
• Java Secure Socket Extension (JSSE):
The JSSE facilitates secure communication by protecting the integrity and confidentiality of data exchanged using SSL/TLS protocols. JSSE enables end-to-end communication security for Java applications by providing a standardized API framework and mechanisms for client/server communications. JSSE provides support for SSL and TLS protocols and includes functionalities related to data encryption, message integrity and peer authentication. With JSSE, it is possible to develop client and server applications that use secure transport protocols, which include support for Secure HTTP (HTTP over SSL), Secure Shell (Telnet over SSL), Secure SMTP (SMTP over SSL), IPSEC (Secure IP), Secure RMI or RMI/IIOP and other standards-based security protocols.

Java security articles, resources Demystifying Java platform security -- Part 1 Learning Guide: Developing secure enterprise Java applications Core Security Patterns: Best Practices and Strategies for J2EE, Web Services, and Identity Management -- Chapter 8 Professional Java Development with the Spring Framework -- Chapter 10: Acegi Security System for Spring Beginning Cryptography with Java -- Chapter 2, Symmetric Key Cryptography

• Java Authentication and Authorization Service (JAAS):
JAAS provides the mechanisms to verify the identity of a user or a device to determine its accuracy and trustworthiness and then provide access rights and privileges depending on the requesting identity. It facilitates to adopt pluggable authentication mechanisms and user based authorization.

JAAS provides Java API mechanisms and services for enabling authentication and authorization in Java-based application solutions. JAAS is the Java implementation of the Pluggable Authentication Module (PAM) framework originally developed for Sun's Solaris operating system. PAM enables the plugging in of authentication mechanisms, which allows applications to remain independent of the underlying authentication technologies. Using a PAM-based approach, JAAS Authentication modules allow integrating authentication technologies such as Kerberos, RSA, smart cards and biometric authentication systems.
• Java Generic Secure Services (JGSS):
JGSS provide the Java bindings for the GSS-API, which helps developing applications using Java-based GSS APIs to support a variety of authentication mechanisms, such as Kerberos-based authentication, and it facilitates single signon.
• Java Simple Authentication and Security Layer (Java SASL):
The Java SASL defines Java API mechanisms for authentication and optional establishment of a security layer between client and server applications. SASL is used by protocols such as the Lightweight Directory Access Protocol, version 3 (LDAP v3) and the Internet Message Access Protocol, version 4 (IMAP v4) to enable pluggable authentication.

Java SASL provides an authentication mechanism-neutral solution so the application that uses the API need not be hardwired to use any particular SASL mechanism. The API facilitates both client and server applications. It allows applications to select the mechanism based on desired security features such as whether they are susceptible to passive dictionary attacks or whether they accept anonymous authentication. The Java SASL API supports developers creating their own custom SASL mechanisms. SASL mechanisms are installed by using the JCA.

-------------------------------------
About the author: Ramesh Nagappan, CISSP, is a Java Technology Architect at Sun Microsystems who specializes in Java distributed computing architectures for mission-critical enterprise applications, Identity assurance and Access Management. Ramesh is the co-author of Core Security Patterns and also three other books on topics related to J2EE, EAI and Web Services. He frequently speaks at industry conferences related to Java, XML and Security. His current technology focus is on Web services security, identity assurance and strong authentication technologies using PKI, smart cards and biometrics.

Sound Off! -   Be the first to post a message to Sound Off!

Share -  Digg This!    Bookmark with Del.icio.us

				SOFTWARE QUALITY RELATED LINKS
				Ads by Google
				Free Download Join UNIX and Linux systems to AD & improve security. Free 30-Day Trial www.centeris.com/freetrial
				Value of Authentication Authentication is critical to online security - free thawte guide www.thawte.com
				Java Frameworks Tutorial Free On Demand Webinar Spring, Axis, Struts & Hibernate www.sourcelabs.com
				Windows Security Specialists in security software development and consulting. www.windowssecurityconsulting.com
				Java Message Increase system uptime with fault tolerant messaging. Use SonicMQ. www.sonicsoftware.com

RELATED CONTENT Security Mechanisms for J2EE Cryptography and Java applications JavaServer Faces: The Complete Reference -- Chapter 15, Securing JavaServer Faces Applications XSS prevention in Java Creating a secure login page with Java Java developers need to think about security What's a good authentication method for Java? Demystifying Java platform security -- Part 1 Beginning Cryptography with Java -- Chapter 2, Symmetric Key Cryptography Professional Java Development with the Spring Framework -- Chapter 10: Acegi Security System for Spring Developing secure enterprise Java applications

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Java Authentication and Authorization Service  (SearchSoftwareQuality.com) Java Cryptography Extension  (SearchSoftwareQuality.com) obfuscation  (SearchSoftwareQuality.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary