Java™ Security Overview Tools to securely manage applications Java SE Security Java security technology includes: a set of APIs, tools, implementations security algorithms, mechanisms, protocols. Java SE Security The Java security APIs span a wide range of areas, including: platform Security, cryptography, authentication and access control, secure communication, public key infrastructure. Java SE Security Java security technology provides the developer with a comprehensive security framework for writing applications, and also provides the user or administrator with a set of tools to securely manage applications. 1 Introduction Java SE Security Documentation J2SE 1.4.2 | J2SE 5.0 | Java SE 6 Note There are three security extensions for use with J2SE 1.3.1. They are Java Authentication and Authorization Service, Java Cryptography Extension, and Java Secure Socket Extension. These three extensions have been integrated into J2SE 1.4. Java SE Security Overview Platform Security Cryptography Authentication and Access Control Secure Communications Public Key Infrastructure (PKI) 3 Basic Security Architecture http://java.sun.com/javase/6/docs/ technotes/guides/security/overvie w/jsoverview.html 3 Basic Security Architecture The Java platform defines a set of APIs spanning major security areas, including cryptography, public key infrastructure, authentication, secure communication, and access control. 3 Basic Security Architecture These APIs allow developers to easily integrate security into their application code. They were designed around the following principles: 3 Basic Security Architecture Implementation independence Applications do not need to implement security themselves. Rather, they can request security services from the Java platform. Implementation independence Security services are implemented in providers (see below), which are plugged into the Java platform via a standard interface. An application may rely on multiple independent providers for security functionality. 3 Basic Security Architecture Implementation interoperability Providers are interoperable across applications. Specifically, an application is not bound to a specific provider, and a provider is not bound to a specific application. 3 Basic Security Architecture Algorithm extensibility The Java platform includes a number of built-in providers that implement a basic set of security services that are widely used today. However, some applications may rely on emerging standards not yet implemented, or on proprietary services. The Java platform supports the installation of custom providers that implement such services. 3 Basic Security Architecture Security Providers The java.security.Provider class encapsulates the notion of a security provider in the Java platform. It specifies the provider's name and lists the security services it implements. 3 Basic Security Architecture Security Providers Multiple providers may be configured at the same time, and are listed in order of preference. When a security service is requested, the highest priority provider that implements that service is selected. 3 Basic Security Architecture Applications rely on the relevant getInstance method to obtain a security service from an underlying provider. For example, message digest creation represents one type of service available from providers. 3 Basic Security Architecture An application invokes the getInstance method in the java.security.MessageDigest class to obtain an implementation of a specific message digest algorithm, such as MD5. MessageDigest md = MessageDigest.getInstance("MD5"); 3 Basic Security Architecture The program may optionally request an implementation from a specific provider, by indicating the provider name, as in the following: MessageDigest md = MessageDigest.getInstance("MD5", "ProviderC"); 3 Basic Security Architecture Figures 1 and 2 illustrate these options for requesting an MD5 message digest implementation. 3 Basic Security Architecture Both figures show three providers that implement message digest algorithms. The providers are ordered by preference from left to right (1-3). 3 Basic Security Architecture In Figure 1, an application requests an MD5 algorithm implementation without specifying a provider name. 3 Basic Security Architecture The providers are searched in preference order and the implementation from the first provider supplying that particular algorithm, ProviderB, is returned. Figure 1 Provider searching 3 Basic Security Architecture In Figure 2, the application requests the MD5 algorithm implementation from a specific provider, ProviderC. 3 Basic Security Architecture This time the implementation from that provider is returned, even though a provider with a higher preference order, ProviderB, also supplies an MD5 implementation. Figure 2 Specific provider requested 3 Basic Security Architecture The Java platform implementation from Sun Microsystems includes a number of pre-configured default providers that implement a basic set of security services that can be used by applications. 3 Basic Security Architecture Note that other vendor implementations of the Java platform may include different sets of providers that encapsulate vendorspecific sets of security services. 3 Basic Security Architecture When this paper mentions built-in default providers, it is referencing those available in Sun's implementation. 3 Basic Security Architecture The sections below on the various security areas (cryptography, authentication, ... .) each include descriptions of the relevant services supplied by the default providers. A table in Appendix C summarizes all of the default providers. 3 Basic Security Architecture File Locations Certain aspects of Java security mentioned in this paper, including the configuration of providers, may be customized by setting security properties. 3 Basic Security Architecture You may set security properties statically in the security properties file, which by default is the java.security file in the lib/security directory of the directory where the Java™ Runtime Environment (JRE) is installed. 3 Basic Security Architecture Security properties may also be set dynamically by calling appropriate methods of the Security class (in the java.security package). 3 Basic Security Architecture The tools and commands mentioned in this paper are all in the ~jre/bin directory, where ~jre stands for the directory in which the JRE is installed. 3 Basic Security Architecture The cacerts file mentioned in Section 5 is in: ~jre/lib/security. 4 Cryptography 4 Cryptography The Java cryptography architecture is a framework for accessing and developing cryptographic functionality for the Java platform. It includes APIs for a large variety of cryptographic services, including: ... ... 4 Cryptography Message digest algorithms Digital signature algorithms Symmetric bulk encryption Symmetric stream encryption Asymmetric encryption Password-based encryption (PBE) Elliptic Curve Cryptography (ECC) Key agreement algorithms Key generators Message Authentication Codes (MACs) (Pseudo-) random number generators 4 Cryptography For historical (export control) reasons, the cryptography APIs are organized into two distinct packages as follow: The java.security package contains classes that are not subject to export controls (like Signature and MessageDigest). 4 Cryptography The javax.crypto package contains classes that are subject to export controls (like Cipher and KeyAgreement). 4 Cryptography The cryptographic interfaces are providerbased, allowing for multiple and interoperable cryptography implementations. 4 Cryptography Some providers may perform cryptographic operations in software; Others may perform the operations on a hardware token (for example, on a smartcard device or on a hardware cryptographic accelerator). 4 Cryptography Providers that implement export-controlled services must be digitally signed. The Java platform includes built-in providers for many of the most commonly used cryptographic algorithms, including: 4 Cryptography RSA, DSA signature algorithms, DES, AES, ARCFOUR encryption algorithms, MD5 and SHA-1 message digest algorithms, Diffie-Hellman key agreement algorithm. PKCS – Public Key Cryptography Standards In cryptography, PKCS refers to a group of Public Key Cryptography Standards devised and published by RSA Security. PKCS RSA Data Security Inc was assigned the licensing rights for the patent on the RSA asymmetric key algorithm and acquired the licensing rights to several other key patents as well (e.g., the Schnorr patent). PKCS As such, RSA Security, and its research division, RSA Labs, were interested in promoting and facilitating the use of public-key techniques. To that end, they developed the PKCS standards. PKCS The several PKCS standards can be viewed at: http://en.wikipedia.org/wiki/PKCS PKCS #5 2.0 Password-based Encryption Standard See RFC 2898 and PBKDF2. PKCS #6 V1.5 Extended-Certificate Syntax Standard Defines extensions to the old v1 X.509 certificate specification. Obsoleted by v3 of the same. PKCS#7 In cryptography, PKCS refers to a group of Public Key Cryptography Standards devised and published by RSA Security. Cryptographic Message Syntax Standard. See RFC 2315. Used to sign and/or encrypt messages under a PKI. Used also for certificate dissemination (for instance as a response to a PKCS#10 message). Formed the basis for S/MIME, which is now based on RFC 3852, an updated Cryptographic Message Syntax Standard (CMS). PKCS #10 V1.7 Certification Request Standard See RFC 2986. Format of messages sent to a certification authority to request certification of a public key. See certificate signing request. PKCS #11 V2.20 Cryptographic Token Interface (Cryptoki) An API defining a generic interface to cryptographic tokens (see also Hardware Security Module). PKCS #12 V1.0 Personal Information Exchange Syntax Standard. Defines a file format commonly used to store private keys with accompanying public key certificates, protected with a password-based symmetric key. PKCS #15 V1.1 Cryptographic Token Information Format Standard. Defines a standard allowing users of cryptographic tokens to identify themselves to applications, independent of the application's Cryptoki implementation (PKCS #11) or other API. RSA has relinquished IC-card-related parts of this standard to ISO/IEC 7816-15.[1] 4 Cryptography These default providers implement cryptographic algorithms in Java code. The Java platform also includes a builtin provider that acts as a bridge to a native PKCS#11 (v2.x) token. 4 Cryptography This provider, named SunPKCS11, allows Java applications to seamlessly access cryptographic services located on PKCS#11-compliant tokens. Security Token A security token (or sometimes a hardware token, authentication token or cryptographic token[1]) may be a physical device that an authorized user of computer services is given to aid in authentication. The term may also refer to software tokens. Several types of security tokens. Security Token Hardware tokens are typically small enough to be carried in a pocket or purse and often are designed to attach to the user's keychain. Security Token Some may store cryptographic keys, such as a digital signature, or biometric data, such as a fingerprint. Security Token Some designs feature tamper resistant packaging, other may include small keypads to allow entry of a PIN. SecurID tokens from RSA Security. eToken tokens from Aladdin Knowledge Systems ActivIdentity Tokens. 5 Public Key Infrastructure Public Key Infrastructure (PKI) Tools for managing keys and certificates and comprehensive, abstract APIs with support for the following features and algorithms: Public Key Infrastructure (PKI) Certificates and Certificate Revocation Lists (CRLs): X.509 Certification Path Validators and Builders: PKIX (RFC 3280), On-line Certificate Status Protocol (OCSP) Public Key Infrastructure (PKI) KeyStores: PKCS#11, PKCS#12 Certificate Stores (Repositories): LDAP, java.util.Collection Java ™ Cryptography Architecture (JCA) Reference Guide for JavaTM Platform Standard Edition 6 http://java.sun.com/javase/6/docs/technote s/guides/security/crypto/CryptoSpec.html includes the Java Cryptographic Extension (JCE) 6 Authentication Abstract authentication APIs that can incorporate a wide range of login mechanisms through a pluggable architecture. A comprehensive policy and permissions API that allows the developer to create and administer applications requiring finegrained access to security-sensitive resources. JAAS Java Authentication and Authorization Service (JAAS) Reference Guide for the Java TM SE Development Kit 6 JAAS http://java.sun.com/javase/6/docs/technote s/guides/security/jaas/JAASRefGuide.html Figure 3 Authentication login modules plugging into the authentication framework 7 Secure Communication 8 Access Control Figure 4 Controlling access to resources User Guides Java SE 6 Security Documentation Extensive information on the security features of the Java SE 6 release, including reference guides, API specifications (javadocs), tool documentation, and tutorials. Java 2 SDK, v 5.0 Security Documentation Extensive information on the security features of the Java 2 SDK, v 5.0 release, including reference guides, API specifications (javadocs), tool documentation, and tutorials. Java 2 SDK, v 1.4 Security Documentation Extensive information on the security features of the Java 2 SDK, v 1.4 release, including reference guides, API specifications (javadocs), tool documentation, and tutorials. Security Code Guidelines Some guidelines to allow you to take full advantage of the security provided by the Java platform. JAR Guide A short introduction to using the JAR tool to create JAR files. This describes the applet tag syntax for associating an applet with a .JAR file, instead of a .class file. JAR File Specification JAR file is a file format based on the popular ZIP file format and is used for aggregating many files into one. Deploying signed applets in Java Plugin A pointer to the Java Plug-in developer guide. The guide includes a chapter on security and the signed applet support in Java Plug-in, ... ... which allows users to grant (signed) applets all permissions based on their authenticated signers, without having to configure and deploy any policy or keystore configuration files. Security Tools Documentation keytool Solaris/Linux and Microsoft Windows keytool is a utility for creating and managing keystores and certificates. jarsigner Solaris/Linux and Microsoft Windows jarsigner is a utility for generating and verifying JAR signatures. Policy Tool Solaris/Linux and Microsoft Windows Policy tool is a GUI tool for creating and managing policy files. kinit Microsoft Windows kinit is a utility for obtaining Kerberos v5 tickets. klist Microsoft Windows klist is a utility to list entries in a Kerberos v5 credential cache and key tab. ktab Microsoft Windows ktab is a utility to help the user manage entries in the key table. Java Security Feedback Alias Java Security Feedback Alias Information about the javasecurity@sun.com alias, and an online archive of the questions, comments, and answers from the alias. Products and Technologies JAAS Java Authentication and Authorization Service (JAAS) JAAS The Java Authentication and Authorization Service (JAAS) is a set of APIs that enable services to authenticate and enforce access controls upon users. JAAS It implements a Java technology version of the standard Pluggable Authentication Module (PAM) framework, and supports user-based authorization. » Read More JAAS JAAS has now been integrated into the Java 2 SDK, version 1.4. JAAS - What’s new – J2ME November 2006 Foundation Profile 1.1 JSR 219 An expert group working via the Java Community Process has defined an optional package comprising the ... JAAS in J2ME ... Java Secure Socket Extension (JSSE), Java Cryptography Extension (JCE), and Java Authentication and Authorization Service (JAAS) APIs for use with Java 2 Platform, Micro Edition Foundation Profile implementations. JCE Java Cryptography Extension (JCE) JCE The Java Cryptography Extension (JCE) is a set of packages that provides a framework and implementations for: encryption, key generation and key agreement, Message Authentication Code (MAC) algorithms. JCE Support for encryption includes symmetric, asymmetric, block, and stream ciphers. The software also supports secure streams and sealed objects. JCE in J2SE (included as part of J2SE 1.4.x and later) JCE – What’s new - J2ME June 2003 Foundation Profile 1.1 JSR 219 An expert group working via the Java Community Process has defined an optional package comprising the ... JCE in J2ME Java Secure Socket Extension (JSSE), Java Cryptography Extension (JCE), and Java Authentication and Authorization Service (JAAS) APIs for use with Java 2 Platform, Micro Edition (J2ME) Foundation Profile implementations. JSSE Java Secure Socket Extension (JSSE) JSSE The Java Secure Socket Extension (JSSE) is a set of packages that enable secure Internet communications. JSSE It implements a Java technology version of Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. JSSE It includes functionality for data encryption, server authentication, message integrity, and optional client authentication. JSSE JSSE in J2SE (included as part of J2SE 1.4.x and later) What's New in JSSE June 2003 Foundation Profile 1.1 JSR 219 An expert group working via the Java Community Process has defined an optional package comprising the JSSE in J2ME ... Java Secure Socket Extension (JSSE), Java Cryptography Extension (JCE), and Java Authentication and Authorization Service (JAAS) APIs for use with Java 2 Platform, Micro Edition (J2ME) Foundation Profile implementations. Security Resources Free Advice from Security Experts Free Advice from Security Experts Sun has compiled its knowledge from over two decades of secure IT designs and deployments. The resulting architectural blueprints and tools will help you simplify, enhance, and automate security controls throughout your enterprise. Developing a Security Policy (PDF) This article details the importance of security policies and the basic steps involved. Secure by Design Sun.com Feature Story featuring "10 Steps to Better Security" Security Executive Brief (PDF) A printable overview of Sun's vision, methodology, and portfolio Systemic Security Executive Overview Presentation (PDF) Systemic Security Architectural Patterns Presentation (PDF) Security Alert Feed Get alerts and solutions for security vulnerabilities directly from the Sun experts White Papers These business and technical papers help security and IT professionals understand Sun's recommended approaches and tactics for managing real-world security and compliance goals. More Webcasts Listen to and watch Sun's Security NetTalks. These on-demand webcasts provide practical and detailed recommendations from Sun and industry experts. Easy and convenient expertise, ready when you are. More Reference Documentation Read Sun's extensive documentation of accrued knowledge on security technology and implementation. These technical guides are for practitioners -- architects, developers, and system administrators who need tools today. More Sun Security Blueprints and Books Search on security on this site to find the most popular and prolific topic on Sun's free best practices site. Learn More Mobile Java Tecnology Mobile Java Tecnology Introduction to Mobile Java Technology To develop applications using wireless Java technology, you'll need to assimilate information from several fields. Mobile Java Tecnology You'll need to understand something about wireless communications technology, the business of wireless communications, and a lot about the Java platform. Mobile Java Tecnology Where should you begin? This page contains a high-level overview of wireless Java technology and many links to detailed information about specific subjects. March 7, 2007 An Introduction to the PIM API for Java ME The SDN Mobile Java site is presenting a six part series on the Personal Information Management API (JSR 75). Java ME expert and JCP member Enrique Ortiz provides the definitive text on the PIM API. Jump on Part 1 now and be prepared for the rest of the series in the coming weeks. » Read more March 16, 2007 Using the PIM API for Java ME, Part 2 Portability Considerations In this installment Enrique explores how to test for PIM API presence on your device and test for presence of the various databases and fields. Learn how to navigate the API and build robust applications. » Read more March 20, 2007 Using the PIM API for Java ME, Part 3 Security Considerations Will your application protect the user's address book, calendar and to-do list? In part 3 learn how PIM is designed to work in conjunction with the MIDP 2.0 security framework. » Read more March 26, 2007 Design Consideration for Using the PIM API for Java ME Welcome to Part 4 of the PIM API series. Now it's time to explore design issues that will affect how your application is developed. Read this, then start your application design. » Read more April 2, 2007 Managing Personal Information - Using the PIM API for Java ME In the penultimate article in the PIM API series Enrique presents sample source. Small examples of how to do everything from retrieving the names of PIM databases through PIM create/read/update/delete operations to exception handling. Now it's time to play. » Read more April 10, 2007 Managing Personal Information Summary of PIM Fields In the final installment, it is provided an extensive reference on the PIM fields and pointers to related on-line resources. Now you have it all. » Read more The J2ME Universe J2ME The current universe of configurations, profiles and optional packages is shown in the diagram below. The tables immediately following provide more details about the abbreviations in the figure. The J2ME Universe Today (May 2007) Overview of J2ME Unlike J2SE, J2ME is not a piece of software, nor is it a single specification. This difference can be confusing, even for developers who are already familiar with J2SE. Overview of J2ME Instead, J2MEis a platform, a collection of technologies and specifications that are designed for different parts of the small device market. Because J2ME spans such a variety of devices, it wouldn't make sense to try to create a one-size-fits-all solution. Overview of J2ME J2ME, therefore, is divided into configurations, profiles,and optional packages. Configurations are specifications that detail a virtual machine and a base set of APIs that can be used with a certain class of device. Overview of J2ME A configuration, for example, might be designed for devices that have less than 512 KB of memory and an intermittent network connection. Overview of J2ME The virtual machine is either a full Java Virtual Machine1 (as described in the specification) or some subset of the full JVM1. The set of APIs is customarily a subset of the J2SE APIs. Overview of J2ME A profile builds on a configuration but adds more specific APIs to make a complete environment for building applications. Overview of J2ME While a configuration describes a JVM1 and a basic set of APIs, it does not by itself specify enough detail to enable you to build complete applications. Profiles usually include APIs for application life cycle, user interface, and persistent storage. Overview of J2ME An optional package provides functionality that may not be associated with a specific configuration or profile. Overview of J2ME One example of an optional package is the Bluetooth API (JSR 82), which provides a standardized API for using Bluetooth networking. This optional package could be implemented alongside virtually any combination of configurations and profiles. The Java Community Process JCP The Java Community Process (JCP) Specifications for J2SE, J2EE, and J2ME are developed under the aegis of the Java Community Process (JCP). The Java Community Process (JCP) A specification begins life as a Java Specification Request (JSR). An expert group consisting of representatives from interested companies is formed to create the specification. The Java Community Process (JCP) The JSR then passes through various stages in the JCP before it is finished. Every JSR is assigned a number. J2ME specifications are commonly referred to by their JSR number. Overview of Wireless Communications Overview of Wireless Communications Wireless communications is a huge field, encompassing everything from radio and television broadcasting through pagers, mobile phones, and satellite communications. The field of mobile phones is expanding very fast at the same time that standards and protocols are being adopted, used, updated, and sometimes discarded. The other rapidly expanding part of the wireless world is that of wireless local area networks (LANs). Driven by widespread acceptance of the IEEE 802.11 standard, wireless local networking for computers and other devices is spreading rapidly. Although wireless may seem like a special case, it is actually more intuitive and more natural than wired networking. Some day soon the need to plug a laptop into a network physically will seem quaint and antiquated. The notion that you could walk into a room with your cell phone and have it unable to interact with other devices in the room will seem unbelievably primitive. The future will reveal that wired networks are the special case. Conceptually, wireless communications can be split into two types, local and wide area. A local device is similar to a key fob with a button that unlocks a car, a 900 MHz cordless phone, a radio control toy, or a Bluetooth network. All of these devices operate overshort distances, typically just a few meters. Wide area wireless devices operate effectively over a much greater area. A pager or mobile phone is a good example. You can talk on your mobile phone to any other phone on the planet. These devices' greater range relieson a trick, however: a more elaborate landbased network. A mobile phone doesn't have that much more radio power than a radio control toy. What it does have is a network of carefully placed radio antennas (cell towers); the phone can continue to operate as long as it is within range of at least one tower. The mobile phone device receives service from a wireless carrier, a company that operates the land-based network. While a number of industry consortia and standard bodies, such as the International Telecommunication Union, ... ... … … are trying to define or foster the development of standards for the wireless world, today's wireless world is still fragmented and complex. If you buy a mobile phone in the U.S. today, it might run on Motorola's iDEN network or Sprint's PCS network. Take it overseas to Europe and you'll be out of luck--your phone will not work with Europe's GSM network, nor will it work with the PDC network or any of the other mobile networks that live in Japan. More information about wireless communications Making Sense of Cellular gives an introductory overview of the wireless radio spectrum. World of Wireless Communications provides a brief overview of wireless communications and the concept of an embedded device.