Signing, Sealing, and Guarding Java TM Objects Li Gong and Roland Schemers Javasoft, Sun Microsystems, Inc. “In This Paper, We Describe a Few New Constructs for Signing, Sealing, and Guarding Java Objects. These Constructs Enrich the Existing Java Security APIs So That a Wide Range of Security-aware Application Can Be Significantly Easier to Build.” Presented by Yongqiang Li
A Tutorial of Three Java Security Classes: java.security.SignedObject java.security.GuardedObject javax.crypto.SealedObject
Outline Introduction Signing Java Objects Sealing Java Objects Guarding Java Objects Conclusion Questions
Introduction Java language is widely used to build applications –JDK: JVM, javac, APIs, simplicity “…the base platform provides a consistent security model that supports…” – policy based –configurable –extensible –fine-grained access control Protection provided by the underlying object orientation –Data encapsulation –Object name space partition –Type safety Distributed Java application – “…protect the state of an object for integrity and confidentiality” Runtime system Transit Stored externally
Introduction 2 java.security.SignedObject java.security.GuardedObject Javax.crypto.SealedObject } JDK1.2 - JCE1.2
Signing Java Objects 1 Protect object integrity A serializable object - original object SignedObject –Signed Object Deep copy of original In serialized form –Signature Sign algorithm –DSA(Digital Signature Algorithm) (NIST FIPS 186) – SHA-1(RFC 1321) message digest algorithm –MD5(NIST FIPS 180-1) message digest algorithm –Immutable signature Original object SignedObject What is the difference between object signing and code signing ?
Signing Java Objects 2 Potential applications of a SignObject –as an unforgeable authorization token in any Java runtime –“…transmitted across JVMs and authenticity an still be verified” –“… to sign and serialize an object for storage outside the java runtime” –“A series of nested SignedObject can be used to construct a logical sequence of signatures”
Signing Java Objects 3 API Design –Class SignedObject public SignedObject(Serializable object, PrivateKey signingKey, Signature signingEngine) public final void sign(PrivateKey signingKey, Signature signingEngine); public final Object getContent(); public final byte[] getSignature(); public final String getAlgorithm(); public final boolean verify(PublicKey verificationKey, Signature verificationEngine);
Examples –Signing Signature signingEngine = Signature.getInstance(algorithm, provider); SignedObject so = new SignedObject(myobject, privatekey, signingEngine); Signing Java Objects 4 –Verifying Signature verificationEngine = Signature.getInstance(algorithm, provider); if(so.verify(publicKey, verificationEngine)) try { Object myobj = so.getContent(); } catch (ClassNotFoundException e) {};
Signing Java Objects 5 Performance Object size (bytes) Serialization (ms) 512-bit SHA-1/DSA1024-bit SHA-1/DSA Signing (ms) Verification (ms) Signing (ms) Verification (ms) K K JDK1.2beta, 166MHZ Sun Sparc Ultra-1,Solaris 2.5.1, 1000 rounds
Sealing Java Objects 1 Protect object confidentiality A serializable object A cryptographic algorithm –A bulk(symmetric key) encryption algorithm -DES, IDEA, RC4 Encryption Decryption Deserialization cipher text Original object SealedObject
Sealing Java Objects 2 cipher text Original object SignedObject and SealedObject Using both SignedObject and SealedObject provides integrity and confidentiality –First create SignedObject –Then create SealedObject Signature Why is blindly signing encrypted data sometimes dangerous?
Sealing Java Objects 3 –Decryption Cipher.init(Cipher.DECRYPT_MODE), desKey); try { String s = (String)so.getContent(cipher); } catch (ClassNotFoundException e) {}; Examples –Encryption KenGenerator keyGen = KeyGenerator.getInstance(“DES”); SecretKey desKey = keyGen.generateKey(); Cipher cipher = Cipher.getInstance(“DES”); Cipher.init(Cipher.ENCRYPT_MODE, desKey); String s = new String(“Greeting”); SealedObject so = new SealedObject(s, cipher); API design –Class SealedObject public SealedObject(Serializable object, Cipher c); public final Object getContent(Cipher c);
Guarding Java Objects 1 Request object return object return guardedObject Request object Check permission Return object Check permission Provider Consumer Provider Don’t know what information needed by provider Don’t want a dialog for each request Information too security sensitive “… too much information to pass on”
Guarding Java Objects 2 What is the GuardedObject –“A GuardedObject is an object that is used to protect access to another object” requester Protected object GuardedObject Guard object 1.Request access go.getObjedct() 2. Check guard g.checkGuard() 3. Return reference
Guarding Java Objects 3 Benefits of using GuardedObject –“… access to a protected object is guaranteed to occur in a context where the protection mechanism would allow it” –Simplify sever programs –Replace access control lists with object stores –“A guarded object class itself does not need to know its own protection semantics” –“…encapsulate protection mechanisms for an object, which can differ for its different method invocations, all inside a guard.”
Guarding Java Objects 4 API design –Interface Guard public abstract void checkGuard(Object object); –Class GuardedObject public GuardedObject(Object object, Guard guard); public Object getObject();
Guarding Java Objects 5 Examples –Encapulate an objects protection semeantics inside a guard FileInputStream fis = new FileInputStream(“/a/b/c”); –Provider side Public abstract Permission implements Guard{ … Public void checkGuard{ AccessController.checkPermission(this); } FileInputStream fis = new FileInputStream(“/a/b/c”); FilePermission = new FilePermission(“/a/b/c”, “read”); GuardedObject g = new GuardedObject(fis,p); –Consumer side FileInputStream fis = (FileInputStream)g.getObject();
Conclusion “The constructs enrich the existing Java security APIs so that security-aware application can be much easier to build.” “The constructs are practical and usable in commercial products.”
Question?