Technology Stack

Like most technologies, security technology can be viewed as a stack of layers in which a higher-level layer depends on or makes use of lower-level layers. Let us begin our recap at the bottom of this stack.

Part 2 of the book explored Java's support for the basic cryptographic services framework, service-specific API classes, PKI entities and their associated APIs, tools to handle these entities, access control mechanisms, transport-layer security with SSL, and XML standards for signature and encryption. These abstractions and APIs form the building blocks of Java platform security and are used in higher-level services.

Cryptographic services fall under two categories. The first covers services that represent cryptographic operations such as digest computation, signature creation and validation, symmetric encryption, asymmetric encryption, key exchange, and so on. The second covers services that represent the data format (in memory, on disk, or on the wire) of cryptographic entities such as encryption/decryption keys, certificates, certificate chains, certificate revocation lists, signed data, encrypted data, and so on. The services representing operations have algorithms associated with them. Likewise, the services representing data formats have types associated with them.

The structure of Java APIs allows a program to be independent from the specific implementation or provider for both categories of services. In a number of cases, a program can be written even without any explicit dependency on the algorithm for a specific operation, or format type for a specific data entity. This means that you can switch implementation providers, or even the algorithms for specific services without changing the client program code, resulting in great flexibility and allowing a number of decisions regarding specific provider and/or algorithm to be deferred till deployment time, or even later.

Another noteworthy aspect of these APIs is the consistency and uniformity, in terms of how they are instantiated, initialized, and used. Such a uniform structure allows much faster learning and quicker development.
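The provider and algorithm independence described above, together with the uniform `getInstance` / initialize / use pattern, can be seen in a short program; this is an added example, not code from the book. The system property names `demo.digest` and `demo.provider`, the class name, and the allow-list of digest names are assumptions made for the illustration; the allow-list is there because an algorithm name chosen at deployment time should still be checked against policy before use.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Set;

public class DeferredAlgorithmDemo {
    // Assumption for this example: deployment policy limits which names configuration may select.
    private static final Set<String> ALLOWED_DIGESTS = Set.of("SHA-256", "SHA-384", "SHA-512");

    // Algorithm and provider arrive as strings, so neither is fixed at compile time.
    static byte[] digest(String algorithm, String provider, byte[] data)
            throws GeneralSecurityException {
        if (!ALLOWED_DIGESTS.contains(algorithm)) {
            throw new NoSuchAlgorithmException("digest not permitted by policy: " + algorithm);
        }
        MessageDigest md = (provider == null)
                ? MessageDigest.getInstance(algorithm)            // highest-priority provider
                : MessageDigest.getInstance(algorithm, provider); // explicitly named provider
        System.out.println(algorithm + " served by provider " + md.getProvider().getName());
        return md.digest(data);
    }

    // Same instantiate / initialize / use shape for key generation and signatures.
    static boolean signAndVerify(String keyAlg, String sigAlg, byte[] data)
            throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(keyAlg);
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        Signature signer = Signature.getInstance(sigAlg);
        signer.initSign(kp.getPrivate());
        signer.update(data);
        byte[] sig = signer.sign();
        Signature verifier = Signature.getInstance(sigAlg);
        verifier.initVerify(kp.getPublic());
        verifier.update(data);
        return verifier.verify(sig);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        String alg = System.getProperty("demo.digest", "SHA-256");
        String provider = System.getProperty("demo.provider"); // null when not set
        byte[] msg = "constructed sample message".getBytes(StandardCharsets.UTF_8);
        byte[] d = digest(alg, provider, msg);
        System.out.println("digest length: " + d.length + " bytes");
        System.out.println("signature verifies: " + signAndVerify("RSA", "SHA256withRSA", msg));
    }
}
```

Running it with `-Ddemo.digest=SHA-512` changes the digest without recompiling, while a name outside the allow-list is rejected before any provider lookup takes place.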

The cryptographic services form the basis for higher-level transport security protocols such as SSL and SSH. These services are also at the core of message security standards such as PKCS #7, XML Signature and XML Encryption. Among these, XML-based security standards, such as XML Signature and XML Encryption, form the basis for packaging and processing models for message-based security such as WS Security.

You get the idea of inter-connectedness among these security primitives and how higher-level facilities are built on top of lower-level primitives. This relationship among operations, formats and protocols is shown in Figure 12-1.

Figure 12-1. Cryptographic services, protocols and other security applications.


Some of the higher-level technologies of the technology stack shown in Figure 12-1 are discussed in the next section.
