
Objectives:
• Cryptography
o Encoding
o Asymmetric encryption
o Symmetric encryption
• Message Digests
• Digital Signatures
• Digital Certificates
• Certificate Authorities
• Java Virtual Machine (JVM)
o Sandbox
o Bytecode verifier
o Class loader
o Security Manager
• policytool
• Java Security APIs
o Java Cryptography Architecture (JCA)
o Java Cryptography Extensions (JCE)
o Java Authentication and Authorization Services (JAAS)
o Java Secure Socket Extensions (JSSE)
Chapter Overview
Security is one of the largest concerns when developing any application. It can also be one of the most
difficult, because there are so many options, each with its own strengths and weaknesses. How to secure a web
site from standard attacks has been largely standardized.
Security should always be approached with caution proportionate to the sensitivity of the material that is to be
protected. Security is so vast that professionals are hired solely to maintain it. The topics covered in
this chapter only touch on the huge world of maintaining integrity and confidentiality with technical tools and
concepts.
Security Concerns
• Security is a huge topic that can’t be fully covered in a short class.
- What we can do is narrow the focus of what specific portion of security we are concerned with.
- Security applies to many different things.
• Some of the major security concerns include:
- Physical security
- System security
- Malicious code
- Data integrity
- Authentication
- Application security
- Audit Trails
• Because of the scope of the security topic, we choose to cover many common web-based application
security concerns:
- Fundamental encryption concepts
- Software security review and understanding (SSL, digest, signature …)
- Authorization and authentication concerns.
Fundamental Internet Security Concepts
• When creating web-based applications all information transferred to and from a client can be intercepted.
- Web applications use HTTP on a TCP network to pass this information.
- Much of the information is just text and is easy to steal.
• This introduces a common set of possible attacks.
1) Sensitive information being transferred between client and server can be intercepted. (Theft -- if they
can see it, they can steal it)
2) Information being sent can be intercepted and changed allowing misinformation to be sent to client or
server. (Fraud)
3) A client's or server's identity can be stolen and imitated, allowing someone to imitate your application
or your client. (Impersonation)
• The corresponding ways we deal with the above concerns are:
1) Encryption
2) & 3) Authentication
• Other attacks are possible, many of which are not of concern in this material.
- Virus spreading
- Malicious code
Security Cycle
• The main security model that we are going to deal with can be thought of as the following cycle:
• The following sections discuss each of these three pieces and how they relate, but for now, here’s a
quick look:
- Data integrity is the most important piece (protecting data).
- In some cases we need authentication to protect our data.
- We sometimes rely on data integrity to do authentication.
- We also use authentication to enable authorization.
- We can use authorization to protect resources through policies (and thus, also, protect data integrity).
Data Integrity
• There are two main concepts that data integrity deals with:
1) To hide data (to protect us from theft)
2) To protect data from tampering (to protect us from fraud)
• The next several sections will deal with these two concepts.
• To give you a better idea of what’s to come, here’s a summary of the related topics:
1) Hiding Data/Cryptography
- Encoding
- Encryption
- Symmetric Encryption
- Asymmetric Encryption
2) Protecting Data
- Hashes/Message digests
- Digital Signatures
- Digital Certificates
- Certificate Authorities
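The two data integrity concepts above, as an added example that is not part of the original tutorial: encoding versus encryption for hiding data, and a message digest versus a digital signature for detecting tampering. The class name, the sample messages, and the algorithm choices (AES-GCM, SHA-256, SHA256withRSA) are assumptions made for illustration; the tutorial does not name them here.

```java
import static java.nio.charset.StandardCharsets.UTF_8;
import java.security.*;
import java.util.Base64;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;

public class DataIntegrityDemo {
    public static void main(String[] args) throws Exception {
        // Constructed sample messages (not from the tutorial).
        byte[] msg = "transfer 100 to account 42".getBytes(UTF_8);
        byte[] tampered = "transfer 900 to account 42".getBytes(UTF_8);

        // 1a) Encoding: anyone can reverse it without a key, so it hides nothing.
        String encoded = Base64.getEncoder().encodeToString(msg);
        System.out.println("Base64, no key: " + new String(Base64.getDecoder().decode(encoded), UTF_8));
        // 1b) Symmetric encryption (AES-GCM): only holders of the secret key can read it.
        SecretKey aesKey = KeyGenerator.getInstance("AES").generateKey();
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv); // a fresh IV for every message under one key
        byte[] ciphertext = aes(Cipher.ENCRYPT_MODE, aesKey, iv, msg);
        System.out.println("AES, with key: " + new String(aes(Cipher.DECRYPT_MODE, aesKey, iv, ciphertext), UTF_8));
        // 2a) Message digest: changing the data changes the hash.
        MessageDigest sha = MessageDigest.getInstance("SHA-256");
        System.out.println("Digests equal: " + MessageDigest.isEqual(sha.digest(msg), sha.digest(tampered)));
        // 2b) Digital signature: digest signed with the private key, checked with the public key.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair pair = kpg.generateKeyPair();
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(pair.getPrivate());
        signer.update(msg);
        byte[] sig = signer.sign();
        System.out.println("Original verifies: " + verify(pair.getPublic(), msg, sig));
        System.out.println("Tampered verifies: " + verify(pair.getPublic(), tampered, sig));
    }

    static byte[] aes(int mode, SecretKey key, byte[] iv, byte[] in) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, key, new GCMParameterSpec(128, iv));
        return c.doFinal(in);
    }

    static boolean verify(PublicKey pub, byte[] data, byte[] sig) throws Exception {
        Signature v = Signature.getInstance("SHA256withRSA");
        v.initVerify(pub);
        v.update(data);
        return v.verify(sig);
    }
}
```

A bare digest only detects tampering when the digest itself reaches the recipient over a channel the attacker cannot modify; the signature removes that requirement by binding the digest to a private key.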
Java Security Tutorial
Copyright (c) 2008. Intertech, Inc. All Rights Reserved. This information is to be used exclusively as an
online learning aid. Any attempts to copy, reproduce, or use for training is strictly prohibited.