Java Security CS-328

JDK 1.0 Security Model
[Diagram labels: Local Code; Remote Code; Sandbox; Java Virtual Machine; Local Host System Resources (File System, Sockets, Printers…)]

JDK 1.1 Security Model
[Diagram labels: Local Code; Remote Trusted Code; Remote Untrusted Code; Sandbox; Full Access; Limited Access; Java Virtual Machine; Local Host System Resources (File System, Sockets, Printers…)]

JDK 1.2 Security Model
[Diagram labels: All Code; Class Loader; Security Policy; Sandbox; Full Access; Limited Access; Java Virtual Machine; Local Host System Resources (File System, Sockets, Printers…)]

Java Security Attributes
Easy to use
Fine Grained Access Control
Easy to Configure Security Policy
Easy to Extend Access Control Structure
Easy to Extend Security Checks to Applications

The Security Model
The Java Security Model is made up of three primary pieces:
– The Bytecode Verifier
– The Class Loader
– The Security Manager

The Bytecode Verifier
Once bytecodes have been loaded into the machine, but before they are run:
– Opcodes are checked
– Addresses are verified to access only memory in the virtual machine
– Strict type enforcement
Only verified code is run on the JVM.

The Class Loader
Imported classes are each run in their own namespace.
Built-in classes are all run in a single namespace.
The class loader always searches the built-in namespace for a requested class first, so as to avoid running a downloaded class with the same name.
Built-in classes are considered to be "trusted" and are always run in preference to a downloaded class of the same name.
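The namespace and built-in-first behaviour described on this slide can be observed directly. This is an added example, not part of the original slides; NamespaceDemo, Payload and IsolatingLoader are hypothetical names, and Payload stands in for a downloaded class.

```java
import java.io.IOException;
import java.io.InputStream;

// Added example; NamespaceDemo, Payload and IsolatingLoader are hypothetical names.
public class NamespaceDemo {
    public static class Payload { }  // stands in for a downloaded class

    static class IsolatingLoader extends ClassLoader {
        IsolatingLoader() { super(NamespaceDemo.class.getClassLoader()); }

        @Override
        protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            if (!name.equals(Payload.class.getName())) {
                return super.loadClass(name, resolve);  // parent chain (built-ins) first
            }
            Class<?> c = findLoadedClass(name);  // the "downloaded" class is defined here
            return c != null ? c : define(name, name);
        }

        // Defines the class file stored under resourceName as a class called className.
        Class<?> define(String className, String resourceName) throws ClassNotFoundException {
            String path = resourceName.replace('.', '/') + ".class";
            try (InputStream in = NamespaceDemo.class.getClassLoader().getResourceAsStream(path)) {
                if (in == null) throw new ClassNotFoundException(resourceName);
                byte[] b = in.readAllBytes();
                return defineClass(className, b, 0, b.length);
            } catch (IOException e) {
                throw new ClassNotFoundException(className, e);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        String payload = Payload.class.getName();
        IsolatingLoader a = new IsolatingLoader(), b = new IsolatingLoader();
        Class<?> inA = a.loadClass(payload), inB = b.loadClass(payload);
        System.out.println("same name in both loaders: " + inA.getName().equals(inB.getName()));
        System.out.println("same Class object: " + (inA == inB));
        System.out.println("String is the built-in: " + (a.loadClass("java.lang.String") == String.class));
        try {
            a.define("java.lang.Spoof", payload);  // try to plant a class in a built-in package
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile with javac and run the class files from a directory on the class path; readAllBytes needs JDK 9 or later.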

The Security Manager
Each application can have an individual security policy.
Security policies are defined in external files that are accessible by the security manager.
The security manager enforces the specified security policy.
The application security is made up of two pieces:
– A system piece, found in java.home\lib\security
– An application-specific piece in user.home\lib\security (or anywhere you want to put it)

Policy Files
grant [signedBy "signer_names",] [codeBase "URL"] {
    permission permission_class_name "target_name" [, "action"] [, signedBy "signer_names"];
};
Ex.
grant signedBy "ACME Software", codeBase "URL" {
    permission java.io.FilePermission "c:\\autoexec.bat", "read";
    permission java.lang.RuntimePermission "queuePrintJob";
};

Permissions
java.security.AllPermission – allows the application to run with all permissions, i.e. without any security restrictions
java.awt.AWTPermission – allows access to GUI things, like the Windows clipboard
java.io.FilePermission – allows code access to read and write files
java.net.NetPermission – allows code to perform certain network-related operations, such as requestPasswordAuthentication
java.util.PropertyPermission – allows code access to property values (read/write)
java.lang.reflect.ReflectPermission – allows code to query information about classes (ex. suppressAccessChecks allows ability to find out about public, private and protected fields and methods)

Permissions (more)
java.lang.RuntimePermission – allows the ability for code to perform operations related to the performance of the JVM (ex. loadLibrary allows the dynamic linking to a specific library; queuePrintJob allows the queuing of a print job)
java.security.SecurityPermission – allows code the ability to perform operations related to policy enforcement
java.io.SerializablePermission – allows code to perform operations related to the serialization/deserialization of objects (ex. enableSubstitution allows one object to be substituted for another during serialization/deserialization)
java.net.SocketPermission – allows code to perform operations related to establishing connections to host systems. Targets are ports or ranges of port numbers; actions are accept, connect, listen and resolve.
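How a grant like the "ACME Software" policy entry above decides individual requests can be reproduced with the permission classes alone. This is an added example, not part of the original slides; GrantCheck and its methods are hypothetical names, the denied requests are constructed samples, and the signer and code-base matching that selects a grant is not modelled.

```java
import java.io.FilePermission;
import java.security.Permission;
import java.security.Permissions;
import java.util.PropertyPermission;

// Added example; GrantCheck, acmeGrant and allowed are hypothetical names.
public class GrantCheck {
    // The two permissions from the slide's "ACME Software" grant, built in code.
    static Permissions acmeGrant() {
        Permissions granted = new Permissions();
        granted.add(new FilePermission("c:\\autoexec.bat", "read"));
        granted.add(new RuntimePermission("queuePrintJob"));
        granted.setReadOnly();  // freeze the collection so later code cannot add to it
        return granted;
    }

    // A request passes only if some granted permission implies it.
    static boolean allowed(Permissions granted, Permission requested) {
        return granted.implies(requested);
    }

    public static void main(String[] args) {
        Permissions grant = acmeGrant();
        Permission[] requests = {
            new FilePermission("c:\\autoexec.bat", "read"),    // same target, same action
            new FilePermission("c:\\autoexec.bat", "write"),   // same target, other action
            new FilePermission("c:\\config.sys", "read"),      // constructed: other target
            new RuntimePermission("queuePrintJob"),
            new RuntimePermission("loadLibrary.example"),      // constructed target
            new PropertyPermission("user.home", "read"),       // permission class not granted
        };
        for (Permission p : requests) {
            System.out.printf("%-5s %s%n", allowed(grant, p) ? "ALLOW" : "DENY", p);
        }
    }
}
```

Only requests whose class, target and action are all covered by a granted permission come back as ALLOW, which is the fine-grained control the policy file is meant to give.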

New in Java 1.4
Separate packages that are now included as part of the JDK:
– JCE - Java Cryptography classes
– JSSE - Java Secure Sockets Extension
– JAAS - Java Authentication and Authorization Services
– Java GSS API - Java Generic Security Services API
– Java Certification Path API

JCE – Java Encryption Extensions
JCE covers:
– encryption and decryption
    Symmetric bulk encryption, such as DES, RC2, and IDEA
    Symmetric stream encryption, such as RC4
    Asymmetric encryption, such as RSA
    Password-based encryption (PBE)
– key agreement
– Message Authentication Code (MAC)
Strong cryptography is the default
– unlimited is available (depending on export restrictions)

JSSE – Java Secure Sockets Extensions
Provides support for communications using SSL (Secure Sockets Layer) and TLS (Transport Layer Security)
– commonly thought of as HTTPS
Part of javax.net
SSL (and thus HTTPS) permits encrypted traffic to be exchanged between the client and server.
– After an SSL client initiates a conversation with an SSL server, the server sends an X.509 certificate back to the client for authentication. The client then checks the validity of the certificate. Assuming the server is verified, the client generates a premaster secret key, encrypts it with the server's public key from the certificate, and sends the encrypted key back to the server. From this premaster key, the client and server generate a master key for the session. After some basic handshaking, the encrypted exchange can commence.
The JSSE library hides these inner workings of the SSL protocol from you.

JAAS - Java Authentication and Authorization Services
JAAS provides for the authentication of users and the authorization of tasks based upon that authentication.
Previously, anyone authenticated had access to the same security restrictions. Now, you can control what tasks are available for a specific authenticated user.
Requires modification of security policies.

Java GSS-API - Java Generic Security Services API
Adds Kerberos V5 support to the Java platform.
Kerberos originated at the Massachusetts Institute of Technology (MIT) as project Athena back in
Essentially, a network authentication protocol.
– Defined in RFC 1510 from 1993
– Biggest draw is not having to send passwords over the net.
– Offers single sign-on within one domain, if everything within the domain has been Kerberos-enabled.
– Support is also provided for single sign-on across different security realms over a network.
– Used in conjunction with JAAS, once a user's identity is established, future authentication requests are no longer necessary.

Java Certification Path API
The Certification Path API provides classes for building and validating certificate chains, an important requirement of a Public Key Infrastructure (PKI).
These certificates provide for the storage of security keys for users.
By trusting the issuer of a certificate that holds the keys, and trusting the issuer of the certificate that trusts the original certificate, you establish chains of trust.
Building and validating certification paths is an important part of many standard security protocols, such as SSL/TLS, Secure/MIME (S/MIME), and IP Security (IPsec).