
1 Signing, Sealing, and Guarding Java™ Objects
Li Gong and Roland Schemers, Javasoft, Sun Microsystems, Inc.
“In This Paper, We Describe a Few New Constructs for Signing, Sealing, and Guarding Java Objects. These Constructs Enrich the Existing Java Security APIs So That a Wide Range of Security-aware Application Can Be Significantly Easier to Build.”
Presented by Yongqiang Li

2 A Tutorial of Three Java Security Classes:
- java.security.SignedObject
- java.security.GuardedObject
- javax.crypto.SealedObject

3 Outline
- Introduction
- Signing Java Objects
- Sealing Java Objects
- Guarding Java Objects
- Conclusion
- Questions

4 Introduction
- Java language is widely used to build applications
  - JDK: JVM, javac, APIs, simplicity
- “…the base platform provides a consistent security model that supports…”
  - policy based
  - configurable
  - extensible
  - fine-grained access control
- Protection provided by the underlying object orientation
  - Data encapsulation
  - Object name space partition
  - Type safety
- Distributed Java application
  - “…protect the state of an object for integrity and confidentiality”
  - Runtime system
  - Transit
  - Stored externally

5 Introduction 2
- java.security.SignedObject (JDK1.2)
- java.security.GuardedObject (JDK1.2)
- javax.crypto.SealedObject (JCE1.2)

6 Signing Java Objects 1
- Protect object integrity
- A serializable object - original object
- SignedObject
  - Signed object: deep copy of original, in serialized form
  - Signature: sign algorithm
  - DSA (Digital Signature Algorithm) (NIST FIPS 186)
  - SHA-1 (RFC 1321) message digest algorithm
  - MD5 (NIST FIPS 180-1) message digest algorithm
  - Immutable signature
- [Diagram: Original object, SignedObject]
- What is the difference between object signing and code signing?

7 Signing Java Objects 2
- Potential applications of a SignedObject
  - as an unforgeable authorization token in any Java runtime
  - “…transmitted across JVMs and authenticity can still be verified”
  - “… to sign and serialize an object for storage outside the java runtime”
  - “A series of nested SignedObject can be used to construct a logical sequence of signatures”

8 Signing Java Objects 3
- API Design
  - Class SignedObject

```java
public SignedObject(Serializable object, PrivateKey signingKey, Signature signingEngine);
public final void sign(PrivateKey signingKey, Signature signingEngine);
public final Object getContent();
public final byte[] getSignature();
public final String getAlgorithm();
public final boolean verify(PublicKey verificationKey, Signature verificationEngine);
```

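9 Signing Java Objects 4
- Examples
  - Signing

```java
Signature signingEngine = Signature.getInstance(algorithm, provider);
SignedObject so = new SignedObject(myobject, privatekey, signingEngine);
```

  - Verifying

```java
Signature verificationEngine = Signature.getInstance(algorithm, provider);
if (so.verify(publicKey, verificationEngine)) {
    try {
        // getContent() is the name used in the API as presented on these slides;
        // the shipped java.security.SignedObject names this accessor getObject().
        Object myobj = so.getContent();
    } catch (ClassNotFoundException e) {
        // the class of the signed object is not available in this runtime
    }
}
```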
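Added example, not from the slides or the paper: the "nested SignedObject" idea from slide 7, written against the shipped `java.security.SignedObject` (accessor `getObject()`). The key pairs `author` and `approver`, the message string, and the choice of 2048-bit DSA with `SHA256withDSA` are assumptions made for the demonstration.

```java
import java.security.*;

public class NestedSigning {
    public static void main(String[] args) throws Exception {
        // Constructed demo keys; real deployments load keys from a key store.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA");
        kpg.initialize(2048);
        KeyPair author = kpg.generateKeyPair();
        KeyPair approver = kpg.generateKeyPair();

        // Inner signature: the author signs a serialized copy of the message.
        SignedObject inner = new SignedObject("transfer 100 to alice",
                author.getPrivate(), Signature.getInstance("SHA256withDSA"));
        // SignedObject is itself Serializable, so the approver can countersign it.
        SignedObject outer = new SignedObject(inner,
                approver.getPrivate(), Signature.getInstance("SHA256withDSA"));

        // Verify from the outside in; getObject() deserializes, so each layer
        // is deserialized only after its signature has been checked.
        if (!outer.verify(approver.getPublic(), Signature.getInstance("SHA256withDSA")))
            throw new SecurityException("approver signature invalid");
        SignedObject unwrapped = (SignedObject) outer.getObject();
        if (!unwrapped.verify(author.getPublic(), Signature.getInstance("SHA256withDSA")))
            throw new SecurityException("author signature invalid");
        System.out.println("verified: " + unwrapped.getObject());

        // A signature made with one key must not verify under another key.
        boolean wrongKey = inner.verify(approver.getPublic(),
                Signature.getInstance("SHA256withDSA"));
        System.out.println("inner verifies under approver key: " + wrongKey);
    }
}
```

The last line prints `false`: the inner signature is bound to the author's key, which is what makes the nesting order meaningful as a sequence of signatures.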

10 Signing Java Objects 5
- Performance

| Object size (bytes) | Serialization (ms) | 512-bit SHA-1/DSA signing (ms) | 512-bit SHA-1/DSA verification (ms) | 1024-bit SHA-1/DSA signing (ms) | 1024-bit SHA-1/DSA verification (ms) |
|---|---|---|---|---|---|
| 100 | | 25 | 43 | 80 | 151 |
| 1000 | | 26 | 44 | 83 | 157 |
| 10K | 1 | 134 | 153 | 189 | 260 |
| 100K | 9 | 1119 | 1138 | 1168 | 1237 |

JDK1.2beta, 166 MHz Sun Sparc Ultra-1, Solaris 2.5.1, 1000 rounds

11 Sealing Java Objects 1
- Protect object confidentiality
- A serializable object
- A cryptographic algorithm
  - A bulk (symmetric key) encryption algorithm - DES, IDEA, RC4
- Encryption
- Decryption
- Deserialization
- [Diagram: Original object, cipher text, SealedObject]

12 Sealing Java Objects 2
- SignedObject and SealedObject
- Using both SignedObject and SealedObject provides integrity and confidentiality
  - First create SignedObject
  - Then create SealedObject
- [Diagram: Original object, Signature, cipher text]
- Why is blindly signing encrypted data sometimes dangerous?

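13 Sealing Java Objects 3
- API design
  - Class SealedObject

```java
public SealedObject(Serializable object, Cipher c);
public final Object getContent(Cipher c);
```

- Examples
  - Encryption

```java
KeyGenerator keyGen = KeyGenerator.getInstance("DES");
SecretKey desKey = keyGen.generateKey();
Cipher cipher = Cipher.getInstance("DES");
cipher.init(Cipher.ENCRYPT_MODE, desKey);
String s = new String("Greeting");
SealedObject so = new SealedObject(s, cipher);
```

  - Decryption

```java
// Re-initialize the same Cipher instance for decryption with the same key.
cipher.init(Cipher.DECRYPT_MODE, desKey);
try {
    // getContent(Cipher) is the name used in the API as presented on these slides;
    // the shipped javax.crypto.SealedObject names this method getObject(Cipher).
    String s = (String) so.getContent(cipher);
} catch (ClassNotFoundException e) {
    // the class of the sealed object is not available in this runtime
}
```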
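Added example, not from the slides or the paper: the sign-then-seal order from slide 12, written against the shipped `SignedObject.getObject()` and `SealedObject.getObject(Cipher)`. AES-GCM is substituted for the slide's DES, and the helper `gcm`, the demo keys and the nonce handling are assumptions made for the demonstration.

```java
import java.security.*;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;

public class SignThenSeal {
    // Builds an AES-GCM cipher; GCM is swapped in for the slide's DES so that
    // tampered ciphertext is rejected before anything is deserialized.
    static Cipher gcm(int mode, SecretKey key, byte[] iv) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, key, new GCMParameterSpec(128, iv));
        return c;
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo keys; production keys come from a key store or KMS.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA");
        kpg.initialize(2048);
        KeyPair signer = kpg.generateKeyPair();
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();
        SecretKey otherKey = kg.generateKey();
        byte[] iv = new byte[12];            // fresh nonce for each sealing operation
        new SecureRandom().nextBytes(iv);

        // Sender: sign the plaintext object first, then seal the SignedObject.
        SignedObject signed = new SignedObject("Greeting", signer.getPrivate(),
                Signature.getInstance("SHA256withDSA"));
        SealedObject sealed = new SealedObject(signed, gcm(Cipher.ENCRYPT_MODE, key, iv));

        // Receiver: unseal, verify the signature, and only then read the content.
        SignedObject opened =
                (SignedObject) sealed.getObject(gcm(Cipher.DECRYPT_MODE, key, iv));
        if (!opened.verify(signer.getPublic(), Signature.getInstance("SHA256withDSA")))
            throw new SecurityException("signature invalid");
        System.out.println("content: " + opened.getObject());

        // Failure mode: the wrong key fails the GCM tag check inside getObject().
        try {
            sealed.getObject(gcm(Cipher.DECRYPT_MODE, otherKey, iv));
        } catch (BadPaddingException e) {
            System.out.println("unseal rejected: " + e.getClass().getSimpleName());
        }
    }
}
```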

14 Guarding Java Objects 1
- [Diagram: Consumer and Provider; labels: Request object, Check permission, Return object, return guardedObject]
- Don’t know what information needed by provider
- Don’t want a dialog for each request
- Information too security sensitive
- “… too much information to pass on”

15 Guarding Java Objects 2
- What is the GuardedObject
  - “A GuardedObject is an object that is used to protect access to another object”
- [Diagram: requester, GuardedObject, Guard object, Protected object]
  1. Request access: go.getObject()
  2. Check guard: g.checkGuard()
  3. Return reference

16 Guarding Java Objects 3
- Benefits of using GuardedObject
  - “… access to a protected object is guaranteed to occur in a context where the protection mechanism would allow it”
  - Simplify server programs
  - Replace access control lists with object stores
  - “A guarded object class itself does not need to know its own protection semantics”
  - “…encapsulate protection mechanisms for an object, which can differ for its different method invocations, all inside a guard.”

17 Guarding Java Objects 4
- API design
  - Interface Guard

```java
public abstract void checkGuard(Object object);
```

  - Class GuardedObject

```java
public GuardedObject(Object object, Guard guard);
public Object getObject();
```

18 Guarding Java Objects 5
- Examples
  - Encapsulate an object's protection semantics inside a guard

```java
public abstract class Permission implements Guard {
    // …
    // The permission is its own guard: access is allowed only if the
    // calling context has been granted this permission.
    public void checkGuard(Object object) {
        AccessController.checkPermission(this);
    }
}
```

  - Provider side

```java
FileInputStream fis = new FileInputStream("/a/b/c");
FilePermission p = new FilePermission("/a/b/c", "read");
GuardedObject g = new GuardedObject(fis, p);
```

  - Consumer side

```java
FileInputStream fis = (FileInputStream) g.getObject();
```
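Added example, not from the slides or the paper: a custom `Guard` used with the shipped `java.security.GuardedObject`, showing that the check runs in the consumer's context at `getObject()` time. The `ROLE` thread-local, the `RoleGuard` class and the role names are hypothetical stand-ins for whatever the runtime knows about the caller.

```java
import java.security.Guard;
import java.security.GuardedObject;

public class RoleGuardDemo {
    // Hypothetical per-thread caller context (assumption for this demo).
    static final ThreadLocal<String> ROLE = ThreadLocal.withInitial(() -> "anonymous");

    // The guard holds the whole policy; the protected object knows nothing about it.
    static final class RoleGuard implements Guard {
        private final String required;
        RoleGuard(String required) { this.required = required; }

        @Override
        public void checkGuard(Object object) {
            if (!required.equals(ROLE.get()))
                throw new SecurityException("role '" + ROLE.get() + "' may not access "
                        + object.getClass().getSimpleName());
        }
    }

    // Consumer side: the guard is evaluated here, in the consumer's context.
    static String tryAccess(GuardedObject g, String role) {
        ROLE.set(role);
        try {
            return "granted: " + g.getObject();
        } catch (SecurityException e) {
            return "denied: " + e.getMessage();
        } finally {
            ROLE.remove();
        }
    }

    public static void main(String[] args) {
        // Provider side: wrap the object once and hand the GuardedObject out freely.
        GuardedObject g = new GuardedObject("quarterly report (constructed sample)",
                new RoleGuard("auditor"));
        System.out.println(tryAccess(g, "auditor"));   // granted
        System.out.println(tryAccess(g, "intern"));    // denied
    }
}
```

The guard mediates only the call to `getObject()`; once the reference has been returned, later use of the object is no longer checked.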

19 Conclusion
- “The constructs enrich the existing Java security APIs so that security-aware application can be much easier to build.”
- “The constructs are practical and usable in commercial products.”

20 Question?

