Home Page Icon
Home Page
Table of Contents for
III. Distributed System Security
Close
III. Distributed System Security
by Venkata S.R. Krishna Chaganti, Paul J. Perrone, Jamie Jaworski
Java Security Handbook
Copyright
Dedication
About the Authors
Acknowledgments
Tell Us What You Think!
Introduction
The Importance of Java Security
Who Should Read This Book
How This Book is Organized
Getting Started
How to Use This Book
I. The Foundations of Java Security
1. Security Basics
The Basic Security Model
Cryptography
Classes of Cryptography
Message Digests
Symmetric Keys
Asymmetric Keys
Authentication and Nonrepudiation
Authentication Types
Password-Based Identity and Authentication
Physical-Token–Based Identity and Authentication
Biometrics-Based Identity and Authentication
Certificate-Based Identity and Authentication
Nonrepudiation
Access Control
Discretionary Access Control
Role-Based Access Control
Mandatory Access Control
Firewall Access Control
Domains
Auditing
Policies and Administration
Summary
2. Java Security Overview
The History of Security in Java
Java Security Architecture
Core Java 2 Security Architecture
Java Cryptography Architecture
Java Cryptography Extension
Java Secure Socket Extension
Java Authentication and Authorization Service
Byte Code Verifier
Class Loader
Class Loader Architecture and Security
Class-Loader Interfaces
Security Manager
Security Manager Interfaces
Custom Security Managers
Java Cryptography Architecture
The Architecture of JCA
Cryptographic Engines
Cryptographic Service Providers
Summary
3. Java Application Security Access Control
Permissions
Permissions Architecture
Permission Types
Custom Permission Types
Security Policies
Security Policy File Format
Referencing Properties in Policy Files
Using Security Policy Files
Security Policy Tool
Security Policy APIs
Java Access Control
Access Control Architecture
Guarded Objects
SecurityManager-to-Access Control Mapping
Fine-Grained and Configurable Access Control Example
Summary
4. Applet Security
Extending the Sandbox
The JDK 1.0 Sandbox
The JDK 1.1 Sandbox
JDK 1.2 Least Privilege
Specifying an Applet Security Policy
The Contents of the Security Policy File
The Syntax of Grant Entries
Using Signed Applets
Creating the JAR file
Signing the JAR File
Specifying a Signed Applet Policy
Obtaining a Signing Certificate
Working with Different Browsers
Summary
II. Cryptographic Security
5. Introduction to Cryptography
A Short History of Secret Writing
Cryptography, Cryptanalysis, and Cryptology
Ciphers
The Caesar Cipher
Cryptanalysis of the Caesar Cipher
A Simple Substitution Cipher
Cryptanalysis of the Simple Substitution Cipher
Secret-Key Cryptography
The Data Encryption Standard (DES)
DES Modes
ECB Mode and Padding
CBC Mode
PCBC Mode
CFB Mode
OFB Mode
Which Mode Should I Use?
A DES Example
DESede
Blowfish
Rivest Ciphers
Public Key Cryptography
The Rivest, Shamir, Adleman (RSA) Algorithm
An RSA Example
Using RSA
RSA Performance and Security
The ElGamal Algorithm
Message Digests
MD5
SHA-1
Base 64 Encoding
Digital Signatures
The Digital Signature Algorithm
Digital Certificates
Summary
6. Key Management and Digital Certificates
Importance of Key Management
Key Representation
Key Generation
The KeyPairGenerator Class
The KeyGenerator Class
The KeyGeneratorApp Program
Secure Random Numbers and Key Generation
Key Translation
The KeyFactory Class
The SecretKeyFactory Class
Key Agreement
Simple Key Management for Internet Protocols (SKIP)
JCE Support for Key Agreement
Examples of Implementing Key Agreements
Key Storage and Password-Based Encryption
Key Management Differences Between JDK 1.1 and the Java 2 Platform (version JDK 1.2)
JDK 1.1 Key Management
The Identity Class
The IdentityScope Class
The Signer Class
JDK 1.2 Key Management
The KeyStore Class
The Keytool
Summary
7. Message Digests and Digital Signatures
Message Digest Classes and Interfaces
MessageDigestSpi
MessageDigest
Computing Message Digests
DigestInputStream and DigestOutputStream
Working with Digest Streams
DigestException
Message Authentication Codes
MacSpi
Mac
MACs in Action
Signature Classes and Interfaces
SignatureSpi
Signature
Creating and Verifying Digital Signatures
SignedObject
Using SignedObject
Signer
SignatureException
Summary
8. The Java Cryptography Extension
Inside the JCE
The Cryptix JCE
Security Providers and Algorithm Independence
How a Security Provider Is Organized
Engine Classes
SPI Classes
Provider Classes
Creating a New Provider
Extending the SPI Class
Extending the Provider Class
Installing Provider Classes
Using the Provider
Summary
9. SSL and JSSE
SSL Overview
Java Secure Socket Extension Overview
JSSE Package and Class Overview
JSSE Providers
JSSE SSL Server Sockets
Obtaining an SSL Server Socket Factory
Creating SSL Server Sockets
SSL Server Socket Listening
Client Authentication
JSSE SSL Client Sockets
Obtaining an SSL Socket Factory
Creating SSL Client Sockets
JSSE SSL Sessions
Summary
III. Distributed System Security
10. Distributed Enterprise Security Overview
Distributed Enterprise System Technology
Enterprise Database Connectivity
Enterprise Communications
Enterprise Communication Services
Enterprise Container-Based Components
Enterprise Database Connectivity Security
Enterprise Communications Security
Basic Network Security
RMI Security
CORBA Security
Enterprise Communications Service Security
JNDI Security
Jini Security
JMS Security
JavaMail Security
Enterprise Container-Based Component Security
Web Component Security
EJB Security
Summary
11. Databases and Database Security
What Is a Database?
Relational Databases
Working with Keys
Structured Query Language
Remote Database Access
ODBC and JDBC Drivers
Microsoft's ODBC
Enter JDBC
Connecting to Databases with the java.sql Package
Setting Up a Database Connection
The DriverManager Class
The Driver Interface
The Connection Interface
Executing SQL Statements
The Statement Interface
The PreparedStatement and CallableStatement Interfaces
The StatementApp Program
Database Security Issues
Securing Database Connections
Using a Dedicated Subnet for Client-Server Communication
Encrypting Communication Between the Database Client and Server
Protecting the Database Client and Server
Using Firewalls
Deploying Intrusion Detection Systems
Hardening the Client and Server Platforms
Authenticating the Client and Server
Securing the User Connection
Authenticating the User
Implementing Access Controls
Implementing Access Controls at the Database Server
Implementing Access Controls at the Database Client
Implementing Access Controls at the Web Server
Implementing Access Controls at the User's Browser
Auditing
Database Scanning
Summary
12. The Java Authentication and Authorization Service
JAAS Overview
JAAS Subjects
Subject Relationships
Creating Subjects
Manipulating Subject Attributes
Specializing Subject Credentials
Authentication with JAAS
Login Module Configuration and Initialization
Login Context Construction
Login Module Configuration
Login Module Configuration File Location
Login Module Initialization
The Authentication Process
Callback Handling
Authorization with JAAS
JAAS Security Policy File Format
Using JAAS Security Policy Files
Performing Security-Critical Actions
JAAS Security Authorization Abstractions
JAAS Policy Manipulation
Authentication Permissions
Private Credential Permissions
Standard Java Security Policies with JAAS Permissions
Summary
13. CORBA Security
CORBA Security Overview
CORBA Security Packages
CORBA Security Architecture
Core CORBA Security Interfacing
Authentication
Delegation
Authorization
Auditing
Nonrepudiation
Encryption
Security Policies
Security Administration
Summary
14. Enterprise JavaBeans Security
EJB Security Overview
Standard Programmatic EJB Access Controls
Standard Declarative EJB Access Controls
Vendor-Specific EJB Access Controls
Vendor-Specific EJB Identity and Authentication
EJB Secure Communications, Delegation, and Auditing
EJB Connection Security
EJB Principal Delegation
EJB Security Auditing
Summary
15. Java Servlet and JSP Security
The Common Gateway Interface
Web Server-to-CGI Program Communication
CGI Program-to-Web Server Communication
Session State Maintenance
Cookies
URL Rewriting
Hidden Form Fields
Server-Side Programming Security Issues
Interception of Session State Information
Forgery of Session State Information
Buffer Overflow
Data Validation
Page Sequencing
Session Timeout
Information Reporting
Browser Residue
User Authentication
Logging of Sensitive Information
Least Privilege
Java Servlets
Why Servlets?
The Servlet API
The javax.servlet Package
Interfaces
Classes
Exceptions
The javax.servlet.http Package
Interfaces
Classes
The javax.servlet.jsp Package
Interfaces
Classes
Exceptions
The javax.servlet.jsp.tagext Package
Interfaces
Classes
How Servlets Work
Servlet Examples
Servlet Security
User Authentication
Role-based Access Controls
Transmission Security
Adding Security to the Sample Servlets
Container Security Requirements
Programmatic Security
JavaServer Pages
Summary
IV. Appendixes
A. Past Java Security Flaws
JavaScript (February, 1996)
DNS Attack (February, 1996)
Class Loader Implementation Bug (March, 1996)
Verifier Implementation Bug (March, 1996)
URL Name Resolution Attack (April, 1996)
Hostile Applets (April, 1996)
Classloader Attack Variant (May 18, 1996)
Illegal Type Cast Attack (June 2, 1996)
Inconsistency in javakey (December 13, 1996)
Web Spoofing (December, 1996)
Java Versus ActiveX (February 25, 1997)
Virtual Machine Bug (March 5, 1997)
Disclosure of IP Addresses (March 17, 1997)
Signing Flaw (April 29, 1997)
Verifier Bugs (May 16, 1997)
Another Verifier Bug (June 23, 1997)
RSA PKCS1 Risk in SSL (June 26, 1998)
Princeton Classloader Attack (July 22, 1998)
Execution of Unverified Code (March 26, 1999)
Construction of Unverified Classes (April 14, 1999)
Locally Installed Applet Classes (February 2, 2000)
B. The Mathematics of RSA
The Math Behind RSA
The Prime Numbers Are Infinite
Primality Testing
Prime Number Generation
Finding an Encryption Key
Reduced Set of Residues
Calculating d from e, p, and q
Calculating d, Knowing Only e and n
Cryptix and RSA
Encryption and Decryption
Computing and Verifying Signatures
C. Downloading and Installing the JCE
Downloading the JCE
Installing the JCE
Testing Your Installation
D. The Java 2 Security API
The java.security Package
Interfaces
Certificate
Guard
Key
Principal
PrivateKey
PrivilegedAction
PrivilegedExceptionAction
PublicKey
Classes
AccessControlContext
AccessController
AlgorithmParameterGenerator
AlgorithmParameterGeneratorSpi
AlgorithmParameters
AlgorithmParametersSpi
AllPermission
BasicPermission
CodeSource
DigestInputStream
DigestOutputStream
GuardedObject
Identity
IdentityScope
KeyFactory
KeyFactorySpi
KeyPair
KeyPairGenerator
KeyPairGeneratorSpi
KeyStore
KeyStoreSpi
MessageDigest
MessageDigestSpi
Permission
PermissionCollection
Permissions
Policy
ProtectionDomain
Provider
SecureClassLoader
SecureRandom
SecureRandomSpi
Security
SecurityPermission
Signature
SignatureSpi
SignedObject
Signer
UnresolvedPermission
Exceptions
AccessControlException
DigestException
GeneralSecurityException
InvalidAlgorithmParameterException
InvalidKeyException
InvalidParameterException
KeyException
KeyManagementException
KeyStoreException
NoSuchAlgorithmException
NoSuchProviderException
PrivilegedActionException
ProviderException
SignatureException
UnrecoverableKeyException
The java.security.acl Package
Interfaces
Acl
AclEntry
Group
Owner
Permission
Classes
Exceptions
AclNotFoundException
LastOwnerException
NotOwnerException
The java.security.cert Package
Interfaces
X509Extension
Classes
Certificate
CertificateFactory
CertificateFactorySpi
CRL
X509Certificate
X509CRL
X509CRLEntry
Exceptions
CRLException
CertificateEncodingException
CertificateException
CertificateExpiredException
CertificateNotYetValidException
CertificateParsingException
CRLException
The java.security.interfaces Package
Interfaces
DSAKey
DSAKeyPairGenerator
DSAParams
DSAPrivateKey
DSAPublicKey
RSAPrivateCrtKey
RSAPrivateKey
RSAPublicKey
Classes
Exceptions
The java.security.spec Package
Interfaces
AlgorithmParameterSpec
KeySpec
Classes
DSAParameterSpec
DSAPrivateKeySpec
DSAPublicKeySpec
EncodedKeySpec
PKCS8EncodedKeySpec
RSAPrivateCrtKeySpec
RSAPrivateKeySpec
RSAPublicKeySpec
X509EncodedKeySpec
Exceptions
InvalidKeySpecException
InvalidParameterSpecException
The javax.crypto Package
Interfaces
SecretKey
Classes
Cipher
CipherInputStream
CipherOutputStream
CipherSpi
KeyAgreement
KeyAgreementSpi
KeyGenerator
KeyGeneratorSpi
Mac
MacSpi
NullCipher
SealedObject
SecretKeyFactory
SecretKeyFactorySpi
Exceptions
BadPaddingException
IllegalBlockSizeException
NoSuchPaddingException
ShortBufferException
The javax.crypto.interfaces Package
Interfaces
DHKey
DHPrivateKey
DHPublicKey
Classes
Exceptions
The javax.crypto.spec Package
Interfaces
Classes
DESedeKeySpec
DESKeySpec
DHGenParameterSpec
DHParameterSpec
DHPrivateKeySpec
DHPublicKeySpec
IvParameterSpec
PBEKeySpec
PBEParameterSpec
RC2ParameterSpec
RC5ParameterSpec
SecretKeySpec
Exceptions
E. Downloading and Installing the Cryptix JCE 1.2
Downloading the Cryptix 3.1
Installing Cryptix 3.1
Testing Your Installation
F. Using the Keytool
Overview
Keystore Locations
Keytool Commands
The -certreq Command
The -delete Command
The -export Command
The -genkey Command
The -help Command
The -identitydb Command
The -import Command
The -keyclone Command
The -keypasswd Command
The -list Command
The -printcert Command
The -selfcert Command
The -storepasswd Command
The Cacerts Keystore
G. Using the jarsigner Tool
JAR Files
Using the jar Tool
Creating a JAR File
Viewing a JAR File
Extracting the Contents of a JAR File
Signing JAR Files
Using jarsigner to Sign a JAR File
Verifying the Signature of a JAR File
Changing the Applet Security Policy
Search in book...
Toggle Font Controls
Playlists
Add To
Create new playlist
Name your new playlist
Playlist description (optional)
Cancel
Create playlist
Sign In
Email address
Password
Forgot Password?
Create account
Login
or
Continue with Facebook
Continue with Google
Sign Up
Full Name
Email address
Confirm Email Address
Password
Login
Create account
or
Continue with Facebook
Continue with Google
Prev
Previous Chapter
9. SSL and JSSE
Next
Next Chapter
10. Distributed Enterprise Security Overview
Part III. Distributed System Security
Add Highlight
No Comment
..................Content has been hidden....................
You can't read the all page of ebook, please click
here
login for view all page.
Day Mode
Cloud Mode
Night Mode
Reset