java™ security overview tools to securely manage applications

Java™ Security Overview

Tools to securely

manage applications

Java SE Security

Java security technology includes:

a set of APIs, tools, implementations security algorithms, mechanisms, protocols.

Java SE Security

The Java security APIs span a wide range of areas, including: platform Security, cryptography, authentication and access control, secure communication, public key infrastructure.

Java SE Security

Java security technology provides the developer with a comprehensive security framework for writing applications,

and also provides the user or administrator with a set of tools to securely manage applications.

1 Introduction

Java SE Security Documentation

J2SE 1.4.2 | J2SE 5.0 | Java SE 6

Note

There are three security extensions for use with J2SE 1.3.1.

They are Java Authentication and Authorization Service, Java Cryptography Extension, and Java Secure Socket Extension.

These three extensions have been integrated into J2SE 1.4.

Java SE Security Overview

Platform SecurityCryptographyAuthentication and Access ControlSecure CommunicationsPublic Key Infrastructure (PKI)

3 Basic Security Architecture

http://java.sun.com/javase/6/docs/technotes/guides/security/

overview/jsoverview.html


The Java platform defines a set of APIs spanning major security areas, including cryptography, public key infrastructure, authentication, secure communication, and access control.


These APIs allow developers to easily integrate security into their application code. They were designed around the following principles:


Implementation independence

Applications do not need to implement security themselves.

Rather, they can request security services from the Java platform.

Implementation independence

Security services are implemented in providers (see below), which are plugged into the Java platform via a standard interface.

An application may rely on multiple independent providers for security functionality.


Implementation interoperability

Providers are interoperable across applications.

Specifically, an application is not bound to a specific provider, and a provider is not bound to a specific application.


Algorithm extensibility

The Java platform includes a number of built-in providers that implement a basic set of security services that are widely used today.

However, some applications may rely on emerging standards not yet implemented, or on proprietary services.

The Java platform supports the installation of custom providers that implement such services.


Security Providers

The java.security.Provider class encapsulates the notion of a security provider in the Java platform.

It specifies the provider's name and lists the security services it implements.


Security Providers

Multiple providers may be configured at the same time, and are listed in order of preference.

When a security service is requested, the highest priority provider that implements that service is selected.


Applications rely on the relevant getInstance method to obtain a security service from an underlying provider.

For example, message digest creation represents one type of service available from providers.


An application invokes the getInstance method in the

java.security.MessageDigest class to

obtain an implementation of a specific message digest algorithm, such as MD5.

MessageDigest md = MessageDigest.getInstance("MD5");


The program may optionally request an implementation from a specific provider, by indicating the provider name, as in the following:

MessageDigest md = MessageDigest.getInstance("MD5", "ProviderC");


Figures 1 and 2 illustrate these options for requesting an MD5 message digest implementation.


Both figures show three providers that implement message digest algorithms. The providers are ordered by preference from left to right (1-3).


In Figure 1, an application requests an MD5 algorithm implementation without specifying a provider name.


The providers are searched in preference order and the implementation from the first provider supplying that particular algorithm, ProviderB, is returned.

Figure 1 Provider searching


In Figure 2, the application requests the MD5 algorithm implementation from a specific provider, ProviderC.


This time the implementation from that provider is returned, even though a provider with a higher preference order, ProviderB, also supplies an MD5 implementation.

Figure 2 Specific provider requested


The Java platform implementation from Sun Microsystems includes a number of pre-configured default providers that implement a basic set of security services that can be used by applications.


Note that other vendor implementations of the Java platform may include different sets of providers that encapsulate vendor-specific sets of security services.


When this paper mentions built-in default providers, it is referencing those available in Sun's implementation.


The sections below on the various security areas (cryptography, authentication, ... .) each include descriptions of the relevant services supplied by the default providers.

A table in Appendix C summarizes all of the default providers.


File Locations

Certain aspects of Java security mentioned in this paper, including the configuration of providers, may be customized by setting security properties.


You may set security properties statically in the security properties file, which by default is the java.security file in the lib/security directory of the directory where the Java™ Runtime Environment (JRE) is installed.


Security properties may also be set dynamically by calling appropriate methods of the Security class (in the java.security package).


The tools and commands mentioned in this paper are all in the

~jre/bin directory,

where ~jre stands for the directory in which the JRE is installed.


The cacerts file mentioned in Section 5 is in:

~jre/lib/security.

4 Cryptography

4 Cryptography

The Java cryptography architecture is a framework for accessing and developing cryptographic functionality for the Java platform.

It includes APIs for a large variety of cryptographic services, including: ... ...

4 Cryptography

Message digest algorithms Digital signature algorithms Symmetric bulk encryption Symmetric stream encryption Asymmetric encryption Password-based encryption (PBE) Elliptic Curve Cryptography (ECC) Key agreement algorithms Key generators Message Authentication Codes (MACs) (Pseudo-) random number generators

4 Cryptography

For historical (export control) reasons, the cryptography APIs are organized into two distinct packages as follow:

The java.security package contains classes that are not subject to export controls (like Signature and MessageDigest).

4 Cryptography

The javax.crypto package contains classes that are subject to export controls (like Cipher and KeyAgreement).

4 Cryptography

The cryptographic interfaces are provider-based, allowing for multiple and interoperable cryptography implementations.

4 Cryptography

Some providers may perform cryptographic operations in software;

Others may perform the operations on a hardware token (for example, on a smartcard device or on a hardware cryptographic accelerator).

4 Cryptography

Providers that implement export-controlled services must be digitally signed.

The Java platform includes built-in providers for many of the most commonly used cryptographic algorithms, including:

4 Cryptography

RSA, DSA signature algorithms, DES, AES, ARCFOUR encryption algorithms, MD5 and SHA-1 message digest algorithms, Diffie-Hellman key agreement algorithm.

PKCS – Public Key Cryptography Standards

In cryptography, PKCS refers to a group of Public Key Cryptography Standards devised and published by RSA Security.

PKCS

RSA Data Security Inc was assigned the licensing rights for the patent on the RSA asymmetric key algorithm and acquired the licensing rights to several other key patents as well (e.g., the Schnorr patent).

PKCS

As such, RSA Security, and its research division, RSA Labs, were interested in promoting and facilitating the use of public-key techniques. To that end, they developed the PKCS standards.

PKCS

The several PKCS standards can be viewed at:

http://en.wikipedia.org/wiki/PKCS

PKCS #5

2.0Password-based Encryption StandardSee RFC 2898 and PBKDF2.

PKCS #6

V1.5Extended-Certificate Syntax StandardDefines extensions to the old v1 X.509

certificate specification. Obsoleted by v3 of the same.

PKCS#7

In cryptography, PKCS refers to a group of Public Key Cryptography Standards devised and published by RSA Security.

Cryptographic Message Syntax Standard. See RFC 2315. Used to sign and/or encrypt messages under a PKI. Used also for certificate dissemination (for instance as a

response to a PKCS#10 message). Formed the basis for S/MIME, which is now based on

RFC 3852, an updated Cryptographic Message Syntax Standard (CMS).

PKCS #10

V1.7Certification Request StandardSee RFC 2986. Format of messages sent

to a certification authority to request certification of a public key.

See certificate signing request.

PKCS #11

V2.20Cryptographic Token Interface (Cryptoki)An API defining a generic interface to

cryptographic tokens (see also Hardware Security Module).

PKCS #12

V1.0Personal Information Exchange Syntax

Standard.Defines a file format commonly used to

store private keys with accompanying public key certificates, protected with a password-based symmetric key.

PKCS #15

V1.1 Cryptographic Token Information Format

Standard. Defines a standard allowing users of

cryptographic tokens to identify themselves to applications, independent of the application's Cryptoki implementation (PKCS #11) or other API.

RSA has relinquished IC-card-related parts of this standard to ISO/IEC 7816-15.[1]

4 Cryptography

These default providers implement cryptographic algorithms in Java code.

The Java platform also includes a built-in provider that acts as a bridge to a native PKCS#11 (v2.x) token.

4 Cryptography

This provider, named SunPKCS11, allows Java applications to seamlessly access cryptographic services located on PKCS#11-compliant tokens.

Security Token

A security token (or sometimes a hardware token, authentication token or cryptographic token[1]) may be a physical device that an authorized user of computer services is given to aid in authentication. The term may also refer to software tokens.

Several types of security tokens.

Security Token

Hardware tokens are typically small enough to be carried in a pocket or purse and often are designed to attach to the user's keychain.

Security Token

Some may store cryptographic keys, such as a digital signature, or biometric data, such as a fingerprint.

Security Token

Some designs feature tamper resistant packaging, other may include small keypads to allow entry of a PIN.

SecurID tokens from RSA Security.

eToken tokens from Aladdin Knowledge Systems

ActivIdentity Tokens.

5 Public Key Infrastructure

Public Key Infrastructure (PKI)

Tools for managing keys and certificates and comprehensive, abstract APIs with support for the following features and algorithms:


Certificates and Certificate Revocation Lists (CRLs): X.509

Certification Path Validators and Builders: PKIX (RFC 3280), On-line Certificate Status Protocol (OCSP)


KeyStores: PKCS#11, PKCS#12

Certificate Stores (Repositories):

LDAP, java.util.Collection

Java ™ Cryptography Architecture(JCA) Reference Guide

for JavaTM Platform Standard Edition 6

http://java.sun.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html

includes the Java Cryptographic Extension (JCE)

6 Authentication

Abstract authentication APIs that can incorporate a wide range of login mechanisms through a pluggable architecture.

A comprehensive policy and permissions API that allows the developer to create and administer applications requiring fine-grained access to security-sensitive resources.

JAAS

Java Authentication and Authorization Service (JAAS)

Reference Guide

for the Java TM SE Development Kit 6

JAAS

http://java.sun.com/javase/6/docs/technotes/guides/security/jaas/JAASRefGuide.html

Figure 3 Authentication login modules plugging

into the authentication framework

7 Secure Communication

8 Access Control

Figure 4 Controlling access to resources

User Guides

Java SE 6 Security Documentation

Extensive information on the security features of the Java SE 6 release, including reference guides, API specifications (javadocs), tool documentation, and tutorials.

Java 2 SDK, v 5.0 Security Documentation

Extensive information on the security features of the Java 2 SDK, v 5.0 release, including reference guides, API specifications (javadocs), tool documentation, and tutorials.

Java 2 SDK, v 1.4 Security Documentation

Extensive information on the security features of the Java 2 SDK, v 1.4 release, including reference guides, API specifications (javadocs), tool documentation, and tutorials.

Security Code Guidelines

Some guidelines to allow you to take full advantage of the security provided by the Java platform.

JAR Guide

A short introduction to using the JAR tool to create JAR files. This describes the applet tag syntax for associating an applet with a .JAR file, instead of a .class file.

JAR File Specification

JAR file is a file format based on the popular ZIP file format and is used for aggregating many files into one.

Deploying signed applets in Java Plug-in

A pointer to the Java Plug-in developer guide.

The guide includes a chapter on security and the signed applet support in Java Plug-in, ...

... which allows users to grant (signed) applets all permissions based on their authenticated signers, without having to configure and deploy any policy or keystore configuration files.

Security Tools

Documentation

keytool

Solaris/Linux and Microsoft Windows

keytool is a utility for creating and managing keystores and certificates.

jarsigner


jarsigner is a utility for generating and verifying JAR signatures.

Policy Tool


Policy tool is a GUI tool for creating and managing policy files.

kinit

Microsoft Windows

kinit is a utility for obtaining Kerberos v5 tickets.

klist

Microsoft Windows

klist is a utility to list entries in a Kerberos v5 credential cache and key tab.

ktab

Microsoft Windows ktab is a utility to help the user manage

entries in the key table.

Java Security Feedback Alias

Java Security Feedback Alias

Information about the [email protected] alias, and an online archive of the questions, comments, and answers from the alias.

Products and Technologies

JAAS

Java Authentication and Authorization Service (JAAS)

JAAS

The Java Authentication and Authorization Service (JAAS) is a set of APIs that enable services to authenticate and enforce access controls upon users.

JAAS

It implements a Java technology version of the standard Pluggable Authentication Module (PAM) framework, and supports user-based authorization. » Read More

JAAS

JAAS has now been integrated into the Java 2 SDK, version 1.4.

JAAS - What’s new – J2ME

November 2006

Foundation Profile 1.1 JSR 219

An expert group working via the Java Community Process has defined an optional package comprising the ...

JAAS in J2ME

... Java Secure Socket Extension (JSSE), Java Cryptography Extension (JCE), and Java Authentication and Authorization Service (JAAS) APIs for use with Java 2 Platform, Micro Edition Foundation Profile implementations.

JCE

Java Cryptography Extension (JCE)

JCE

The Java Cryptography Extension (JCE) is a set of packages that provides a framework and implementations for: encryption, key generation and key agreement, Message Authentication Code (MAC)

algorithms.

JCE

Support for encryption includes symmetric, asymmetric, block, and stream ciphers. The software also supports secure streams and sealed objects.

JCE in J2SE (included as part of J2SE 1.4.x and later)

JCE – What’s new - J2ME

June 2003Foundation Profile 1.1 JSR 219

An expert group working via the Java Community Process has defined an optional package comprising the ...

JCE in J2ME

Java Secure Socket Extension (JSSE), Java Cryptography Extension (JCE), and Java Authentication and Authorization Service (JAAS) APIs for use with Java 2 Platform, Micro Edition (J2ME) Foundation Profile implementations.

JSSE

Java Secure Socket Extension (JSSE)

JSSE

The Java Secure Socket Extension (JSSE) is a set of packages that enable secure Internet communications.

JSSE

It implements a Java technology version of Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.

JSSE

It includes functionality for data encryption, server authentication, message integrity, and optional client authentication.

JSSE

JSSE in J2SE (included as part of J2SE 1.4.x and later)

What's New in JSSE

June 2003

Foundation Profile 1.1 JSR 219 An expert group working via the

Java Community Process has defined an optional package comprising the

JSSE in J2ME

... Java Secure Socket Extension (JSSE), Java Cryptography Extension (JCE), and Java Authentication and Authorization Service (JAAS) APIs for use with Java 2 Platform, Micro Edition (J2ME) Foundation Profile implementations.

Security Resources

Free Advice from Security Experts

Free Advice from Security Experts

Sun has compiled its knowledge from over two decades of secure IT designs and deployments.

The resulting architectural blueprints and tools will help you simplify, enhance, and automate security controls throughout your enterprise.

Developing a Security Policy (PDF)This article details the importance of security policies and the basic steps involved.

Secure by Design

Sun.com Feature Story featuring "10 Steps to Better Security"

Security Executive Brief (PDF)

A printable overview of Sun's vision, methodology, and portfolio

Systemic Security Executive Overview Presentation (PDF)

Systemic Security Architectural Patterns Presentation (PDF)

Security Alert Feed

Get alerts and solutions for security vulnerabilities directly from the Sun experts

White Papers

These business and technical papers help security and IT professionals understand Sun's recommended approaches and tactics for managing real-world security and compliance goals. More

Webcasts

Listen to and watch Sun's Security NetTalks.

These on-demand webcasts provide practical and detailed recommendations from Sun and industry experts.

Easy and convenient expertise, ready when you are. More

Reference Documentation

Read Sun's extensive documentation of accrued knowledge on security technology and implementation.

These technical guides are for practitioners -- architects, developers, and system administrators who need tools today.

More

Sun Security Blueprints and Books

Search on security on this site to find the most popular and prolific topic on Sun's free best practices site.

Learn More

Mobile Java Tecnology


Introduction to Mobile Java Technology

To develop applications using wireless Java technology, you'll need to assimilate information from several fields.


You'll need to understand something about wireless communications technology, the business of wireless communications, and a lot about the Java platform.


Where should you begin? This page contains a high-level overview of wireless Java technology and many links to detailed information about specific subjects.

March 7, 2007An Introduction to the PIM API for Java ME The SDN Mobile Java site is presenting a six part series on the Personal Information Management API (JSR 75). Java ME expert and JCP member Enrique Ortiz provides the definitive text on the PIM API. Jump on Part 1 now and be prepared for the rest of the series in the coming weeks. » Read more

March 16, 2007Using the PIM API for Java ME, Part 2 - Portability Considerations In this installment Enrique explores how to test for PIM API presence on your device and test for presence of the various databases and fields. Learn how to navigate the API and build robust applications. » Read more

March 20, 2007Using the PIM API for Java ME, Part 3 - Security Considerations Will your application protect the user's address book, calendar and to-do list? In part 3 learn how PIM is designed to work in conjunction with the MIDP 2.0 security framework.» Read more

March 26, 2007Design Consideration for Using the PIM API for Java ME

Welcome to Part 4 of the PIM API series. Now it's time to explore design issues that will

affect how your application is developed. Read this, then start your application design.

» Read more

April 2, 2007Managing Personal Information - Using the PIM API for Java ME In the penultimate article in the PIM API series Enrique presents sample source. Small examples of how to do everything from retrieving the names of PIM databases through PIM create/read/update/delete operations to exception handling. Now it's time to play.» Read more

April 10, 2007Managing Personal Information - Summary of PIM Fields

In the final installment, it is provided an extensive reference on the PIM fields and pointers to related on-line resources.

Now you have it all. » Read more

The J2ME Universe

J2ME

The current universe of configurations, profiles and optional packages is shown in the diagram below.

The tables immediately following provide more details about the abbreviations in the figure.

The J2ME Universe Today (May 2007)

Overview of J2ME

Unlike J2SE, J2ME is not a piece of software, nor is it a single specification.

This difference can be confusing, even for developers who are already familiar with J2SE.

Overview of J2ME

Instead, J2MEis a platform, a collection of technologies and specifications that are designed for different parts of the small device market.

Because J2ME spans such a variety of devices, it wouldn't make sense to try to create a one-size-fits-all solution.

Overview of J2ME

J2ME, therefore, is divided into configurations, profiles,and optional packages.

Configurations are specifications that detail a virtual machine and a base set of APIs that can be used with a certain class of device.

Overview of J2ME

A configuration, for example, might be designed for devices that have less than 512 KB of memory and an intermittent network connection.

Overview of J2ME

The virtual machine is either a full Java Virtual Machine1 (as described in the specification) or some subset of the full JVM1.

The set of APIs is customarily a subset of the J2SE APIs.

Overview of J2ME

A profile builds on a configuration but adds more specific APIs to make a complete environment for building applications.

Overview of J2ME

While a configuration describes a JVM1 and a basic set of APIs, it does not by itself specify enough detail to enable you to build complete applications.

Profiles usually include APIs for application life cycle, user interface, and persistent storage.

Overview of J2ME

An optional package provides functionality that may not be associated with a specific configuration or profile.

Overview of J2ME

One example of an optional package is the Bluetooth API (JSR 82), which provides a standardized API for using Bluetooth networking.

This optional package could be implemented alongside virtually any combination of configurations and profiles.

The Java Community Process

JCP

The Java Community Process (JCP)

Specifications for J2SE, J2EE, and J2ME are developed under the aegis of the Java Community Process (JCP).


A specification begins life as a Java Specification Request (JSR).

An expert group consisting of representatives from interested companies is formed to create the specification.


The JSR then passes through various stages in the JCP before it is finished. Every JSR is assigned a number.

J2ME specifications are commonly referred to by their JSR number.

Overview of Wireless Communications

Overview of Wireless Communications

Wireless communications is a huge field, encompassing everything from radio and television broadcasting through pagers, mobile phones, and satellite communications.

The field of mobile phones is expanding very fast at the same time that standards and protocols are being adopted, used, updated, and sometimes discarded.

The other rapidly expanding part of the wireless world is that of wireless local area networks (LANs).

Driven by widespread acceptance of the IEEE 802.11 standard, wireless local networking for computers and other devices is spreading rapidly.

Although wireless may seem like a special case, it is actually more intuitive and more natural than wired networking.

Some day soon the need to plug a laptop into a network physically will seem quaint and antiquated.

The notion that you could walk into a room with your cell phone and have it unable to interact with other devices in the room will seem unbelievably primitive.

The future will reveal that wired networks are the special case.

Conceptually, wireless communications can be split into two types, local and wide area.

A local device is similar to a key fob with a button that unlocks a car, a 900 MHz cordless phone, a radio control toy, or a Bluetooth network.

All of these devices operate overshort distances, typically just a few meters.

Wide area wireless devices operate effectively over a much greater area. A pager or mobile phone is a good example.

You can talk on your mobile phone to any other phone on the planet.

These devices' greater range relieson a trick, however: a more elaborate land-based network.

A mobile phone doesn't have that much more radio power than a radio control toy.

What it does have is a network of carefully placed radio antennas (cell towers); the phone can continue to operate as long as it is within range of at least one tower.

The mobile phone device receives service from a wireless carrier, a company that operates the land-based network.

While a number of industry consortia and standard bodies, such as the International Telecommunication Union, ... ...

… … are trying to define or foster the development of standards for the wireless world, today's wireless world is still fragmented and complex.

If you buy a mobile phone in the U.S. today, it might run on Motorola's iDEN network or Sprint's PCS network.

Take it overseas to Europe and you'll be out of luck--your phone will not work with Europe's GSM network, nor will it work with the PDC network or any of the other mobile networks that live in Japan.

More information about wireless communications

Making Sense of Cellular gives an introductory overview of the wireless radio spectrum.

World of Wireless Communications provides a brief overview of wireless communications and the concept of an embedded device.

java™ security overview tools to securely manage applications

Documents

java security apis

security extensions

security functionality

java security overview

java platform

java authentication

basic set of security

major security areas