Java security evolution and concepts, Part 1: Security nuts and bolts
JavaWorld, April 2000
By Raghavan N. Srinivas
Learn computer security concepts and terms in this introductory overview
Computing models have changed drastically in the last few decades, and with the changes has come a greater need for application security in large-scale ecommerce and ebusiness systems, as the recent spate of denial of service (DoS) attacks on several popular sites demonstrates. More specific to the Java community, with Java emerging as the de facto standard platform for Internet programming, the ability to securely move Java code around is fundamental.
Java security evolution and concepts: Read the whole series!
Part 1: Learn computer security concepts and terms in this introductory overview
Part 2: Discover the ins and outs of Java security
Part 3: Tackle Java applet security with confidence
Part 4: Learn how optional packages extend and enhance Java security
Part 5: J2SE 1.4 offers numerous improvements to Java security
This article, the first in a series, will cover the general concepts of computer security and cryptography. Although mobile code is not a revolutionary concept, Java and the Internet present some unique challenges to computer security. The evolution of Java architecture and its impact on security, the different security APIs and tools, and applet security will be covered in the subsequent articles.
This security series does not intend to provide a comprehensive guide to computer security. Computer security is a multifaceted issue touching several disciplines, departments, and cultures. Investments in technologies should be followed up with investments in personnel training, strict policy enforcement, and periodic review of the overall security policy.
Note: See "Sidebar 1: Crypto Algorithm for the Twenty-first Century" for more on algorithm development and "Sidebar 2: Does the Length of a Key Matter?" for a discussion on the importance of key length in security.
What is computer security?
To understand what computer security means in general, what security means in everyday life is worth considering. Some of the general rules for security in day-to-day life also apply to computer security, as we'll see.
The limits of computer security
Is there such a thing as absolute computer security? In a word, no. The term secure systems is a misnomer since it implies that systems are either secure or not. Security, in truth, is a trade-off. Given unlimited resources, any form of security can be broken. While more and more resources are becoming available to the attacker, in the real world those resources remain finite. With that in mind, we should design systems in such a way that the cost of breaking them would far outweigh the rewards.
End-to-end security
What is end-to-end security? In a multitier system, each tier should have its own security and work in tandem with the other tiers. Designing security where different systems and middleware come together is quite a challenge. Simply put, system security is only as strong as the weakest link and, unless you consider security from an end-to-end viewpoint, it is subject to being broken.
Simplicity
Will a complex security design work? It might seem that the best way to stop an unauthorized user is to design a very complex security scheme, but that's not true. Not only will the cost of designing a complex security system be prohibitive, it might be so complex that legitimate users will try to find a way around it. Simple systems, on the other hand, are easier to understand and to analyze.
Good system design requires security
Is it possible to retrofit security? The answer is rarely. Quite often it may be impossible to retrofit security without having to redesign substantial parts of the system. In almost all cases, retrofitting will be very expensive. Therefore, security should never be an afterthought -- it must be an integral part of the system design from the start.
Computer security basics
It's useful to understand what computer security protects against, the respective defense mechanisms, and the different terminologies associated with it.
Threats
Threats -- attacks against computer security -- can be broadly categorized as:
Secrecy attacks: Attempts to steal confidential information either by exploiting weaknesses in cryptographic algorithms or by other means.
Integrity attacks: Attempts to alter information with some selfish or malicious intent. Integrity attacks, it should be noted, can also be accidental.
Availability attacks: Attempts to disrupt a system's normal operations. Availability attacks are also referred to by the recently popularized term, denial of service (DoS) attacks.
Several attacks fall into one or more of the categories mentioned above. Examples include:
A brute force attack typically involves searching every key until the right one unlocks the door. While that may seem like an expensive operation, in reality it is possible to prune the search using specialized tools.
A Trojan horse attack involves planting an enemy as an insider in such a way that its presence goes unnoticed. A computer virus serves as a common Trojan horse example.
A person-in-the-middle attack intercepts communication between two parties without their knowledge. The two parties assume that they're communicating normally.
Other attacks include: birthday attack, dictionary attack, meet-in-the-middle attack, and so on. (For a more comprehensive discussion, see Bruce Schneier's Applied Cryptography in Resources.)
Protections
To shield against security threats, there are a variety of protection mechanisms. Historically, defense mechanisms have involved erecting some sort of a wall or boundary, commonly referred to as a perimeter defense.
Firewalls, a fairly successful example of perimeter defense, separate internal (private) and external (public) networks, and provide a central point of control for a corporate policy. However, firewalls increasingly allow select forms of traffic -- HTTP for example -- to cross over.
A virtual private network (VPN), which provides the same security level as a private network while still using a shared network, serves as another protection example.
Cryptography
Cryptography, together with its related field cryptanalysis, concerns itself with the design and analysis of algorithms for encrypting and decrypting information. We'll discuss cryptography's vital relationship to security in the sections below.
Confidentiality
Confidentiality is the process of protecting data from unauthorized use or users. Simply put, it means that only the intended recipient of a message can make sense of it.
If you're exchanging sensitive information with someone else, you want to be absolutely sure that only the intended recipient can make sense of the message and that, in the eventuality that it falls into the wrong hands, the message becomes effectively useless. Confidentiality is accomplished by some form of cryptographic technique.
Authentication
The authentication process confirms the user's identity. The user could be a software entity or a human. A principal is the party whose identity is verified. Associated with a principal is a set of credentials. Usually, authentication confirms identity by some secret information -- a password, for example -- known only to the user and the authenticator. Beyond passwords, more sophisticated security schemes employ advanced techniques such as smart cards or biometrics (fingerprinting, retinal scans, and so on) for authentication.
Once authentication is established, the access granted to the user (or, more generally, the principal) is governed by the access control mechanisms in force.
Kerberos -- based on keys and encryption -- demonstrates an early authentication technology. It uses timestamps -- sessions remain valid for a defined time period -- to achieve that. To work properly, Kerberos fundamentally assumes that the clocks in a distributed system are synchronized.
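The paragraph above describes the two things a timestamp-based scheme such as Kerberos relies on: a ticket that is valid only for a defined period, and clocks that agree closely enough for that period to mean the same thing on every host. The following is an added illustration, not code from the article or from Kerberos itself: a hypothetical ticket format (a JSON body authenticated with HMAC-SHA256 under a key shared by the issuer and the service) and a validator that rejects tickets that are expired, forged, or issued "in the future" because the two clocks disagree by more than a tolerated skew. The lifetime and skew values are constructed for the example.

```python
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed values for the example: how long a ticket stays valid, and how
# much clock difference between hosts we are willing to tolerate.
TICKET_LIFETIME = 8 * 3600   # seconds
MAX_CLOCK_SKEW = 300         # seconds


def issue_ticket(key: bytes, principal: str, issued_at: float,
                 lifetime: int = TICKET_LIFETIME) -> bytes:
    """Hypothetical ticket: JSON body + '.' + hex HMAC-SHA256 over the body."""
    body = json.dumps(
        {"principal": principal,
         "issued_at": issued_at,
         "expires_at": issued_at + lifetime},
        sort_keys=True,
    ).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


def validate_ticket(key: bytes, ticket: bytes, now: float,
                    max_skew: int = MAX_CLOCK_SKEW) -> Tuple[Optional[str], str]:
    """Returns (principal, "ok") on success, else (None, reason)."""
    # The hex tag contains no '.', so the last '.' separates body and tag.
    body, sep, tag = ticket.rpartition(b".")
    if not sep:
        return None, "malformed"
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):      # constant-time comparison
        return None, "bad-mac"
    fields = json.loads(body)
    # A ticket whose issue time lies further in our future than the tolerated
    # skew means the issuer's clock and ours are not synchronized.
    if fields["issued_at"] > now + max_skew:
        return None, "issued-in-future"
    # Expiry is also judged with the same skew tolerance.
    if now > fields["expires_at"] + max_skew:
        return None, "expired"
    return fields["principal"], "ok"


def demo() -> dict:
    key = b"constructed key shared by issuer and service"
    t0 = time.time()
    ticket = issue_ticket(key, "alice", t0)
    return {
        "fresh": validate_ticket(key, ticket, t0 + 60),
        "expired": validate_ticket(key, ticket, t0 + TICKET_LIFETIME + MAX_CLOCK_SKEW + 1),
        "clock_skew": validate_ticket(key, ticket, t0 - MAX_CLOCK_SKEW - 1),
        "forged": validate_ticket(key, ticket.replace(b"alice", b"mallory"), t0 + 60),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>10}: {result}")
```

The skew tolerance cuts both ways: a validator that accepts any issue time would never notice a badly wrong clock, while one that tolerates no difference at all would reject legitimate tickets from any host a few seconds ahead.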
Public key infrastructure (PKI), discussed in sections below, represents a more general authentication solution.
The Java Authentication and Authorization Service (JAAS) framework supplements the Java 2 platform with user-based authentication and access control capabilities. JAAS is a standard extension to the Java 2 Software Development Kit, v 1.3.
Integrity
Let's say that you sent an electronic check. When the bank ultimately receives the check, it needs to be sure that the payment amount has not been tampered with, a security concept known as integrity.
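The confidentiality and integrity sections above make two separate demands on the electronic check: an eavesdropper must not learn the amount, and the bank must detect any change to it. The following added example (not the article's code, and not a production cipher) shows how the two mechanisms are layered in the usual encrypt-then-MAC order: a keystream derived from HMAC-SHA256 as a pseudo-random function provides confidentiality, and a second HMAC over the ciphertext provides integrity. The shared secret, the key-derivation labels and the sample check are constructed for the example; a real system would use a vetted authenticated-encryption mode (AES-GCM or similar) rather than this hand-built construction.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed sample: the customer's electronic check.
SAMPLE_CHECK = b"PAY TO: Acme Corp; AMOUNT: 100.00 USD; CHECK NO: 4711"

NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(shared_secret: bytes) -> Tuple[bytes, bytes]:
    """Split one shared secret into independent encryption and MAC keys."""
    enc_key = hmac.new(shared_secret, b"encrypt", hashlib.sha256).digest()
    mac_key = hmac.new(shared_secret, b"authenticate", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream from HMAC-SHA256 over (nonce || counter); educational only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(enc_key, nonce + counter.to_bytes(4, "big"),
                         hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def protect(shared_secret: bytes, plaintext: bytes,
            nonce: Optional[bytes] = None) -> bytes:
    """Confidentiality (XOR with keystream), then integrity (MAC over nonce||ciphertext)."""
    enc_key, mac_key = derive_keys(shared_secret)
    nonce = secrets.token_bytes(NONCE_LEN) if nonce is None else nonce
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unprotect(shared_secret: bytes, blob: bytes) -> Optional[bytes]:
    """Returns the plaintext, or None if the message was altered or the key is wrong."""
    enc_key, mac_key = derive_keys(shared_secret)
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # check integrity before decrypting
        return None
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def tamper_with_amount(blob: bytes) -> bytes:
    """Simulates an integrity attack: flip one bit where the amount sits in the ciphertext."""
    body = bytearray(blob)
    body[NONCE_LEN + SAMPLE_CHECK.index(b"100.00")] ^= 0x01
    return bytes(body)


def demo() -> dict:
    secret = b"constructed secret shared by customer and bank"
    blob = protect(secret, SAMPLE_CHECK)
    return {
        "ciphertext_reveals_amount": b"100.00" in blob,
        "recovered": unprotect(secret, blob),
        "tampered_accepted": unprotect(secret, tamper_with_amount(blob)) is not None,
        "wrong_key_accepted": unprotect(b"some other secret", blob) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

Note that the XOR step alone would give confidentiality but no integrity: flipping a ciphertext bit flips the same plaintext bit, which is exactly the kind of silent alteration the MAC is there to catch.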
Nonrepudiation
In the electronic check scenario outlined above, if you indeed sent the check, there ought to be no way you can deny it. Nonrepudiation provides undeniable evidence of actions such as proof of origin of data to the recipient or receipt of data to the sender.
Auditing and logs
Keeping a record of resource access that was granted or denied might be useful for audit purposes later. To that end, auditing and logs serve the useful purposes of preventing a break-in or analyzing a break-in post mortem.
Policy and access control
A security policy focuses on controlling access to protected data. It's important that the security enforcing mechanisms be flexible enough to enforce the policy. That is referred to as keeping the policy separate from the mechanism. While access to a resource might be authorized based on the identity of the principal, it is often easier to administer access control based on roles. Each principal is mapped to a unique role for the purposes of access control. Such a policy is often implemented as a list or matrix enumerating the access that different users/roles have to the different protected resources.
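The two ideas in this section, policy kept separate from mechanism and access administered by role through a matrix, together with the audit log from the section above, fit in one small example. What follows is an added illustration and not the article's or any J2EE container's code: the policy is plain data (a role-to-resource-to-actions matrix) that an administrator edits, the mechanism is one `check` method that enforces whatever the data says and defaults to deny, and every decision, granted or denied, is appended to an audit trail. The roles, resources, principals and actions are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Policy as data: role -> resource -> permitted actions (constructed banking example).
POLICY: Dict[str, Dict[str, Set[str]]] = {
    "teller":  {"account": {"read"}, "check": {"read", "deposit"}},
    "manager": {"account": {"read", "write"}, "check": {"read", "deposit", "void"}},
    "auditor": {"account": {"read"}, "check": {"read"}, "audit-log": {"read"}},
}

# Each principal maps to exactly one role for access-control purposes.
ROLE_OF: Dict[str, str] = {"alice": "teller", "bob": "manager", "carol": "auditor"}


@dataclass
class AuditEntry:
    principal: str
    role: Optional[str]
    resource: str
    action: str
    granted: bool


class AccessController:
    """Mechanism: enforces whatever the policy data says and records every decision."""

    def __init__(self, policy: Dict[str, Dict[str, Set[str]]], role_of: Dict[str, str]):
        self.policy = policy
        self.role_of = role_of
        self.log: List[AuditEntry] = []

    def check(self, principal: str, resource: str, action: str) -> bool:
        role = self.role_of.get(principal)        # unknown principal -> no role
        allowed = self.policy.get(role, {}).get(resource, set())
        granted = action in allowed                # absent entry means deny
        self.log.append(AuditEntry(principal, role, resource, action, granted))
        return granted

    def denied_attempts(self, principal: Optional[str] = None) -> List[AuditEntry]:
        """Audit view: denied decisions, optionally for one principal."""
        return [e for e in self.log
                if not e.granted and (principal is None or e.principal == principal)]

    def matrix(self) -> str:
        """Render the policy as the access matrix the text describes (roles x resource/action)."""
        columns = sorted({(res, act) for perms in self.policy.values()
                          for res, acts in perms.items() for act in acts})
        header = "role".ljust(9) + "".join(f"{res}:{act}".ljust(16) for res, act in columns)
        rows = [header]
        for role in sorted(self.policy):
            cells = ["X" if act in self.policy[role].get(res, set()) else "."
                     for res, act in columns]
            rows.append(role.ljust(9) + "".join(c.ljust(16) for c in cells))
        return "\n".join(rows)


if __name__ == "__main__":
    ac = AccessController(POLICY, ROLE_OF)
    print(ac.matrix())
    ac.check("alice", "check", "deposit")
    ac.check("alice", "check", "void")
    ac.check("mallory", "account", "read")
    for entry in ac.log:
        print(entry)
```

Changing who may void a check is an edit to the `POLICY` data, not to `check`, which is what keeping policy separate from mechanism buys; and because the controller logs denials as well as grants, the repeated failed attempts that precede a break-in are visible to whoever reads the audit log.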
Java 2 Platform, Enterprise Edition (J2EE) uses role-based authentication for enforcement of its policies. With that in mind, in J2EE the developer of the business lo