Presentation is loading. Please wait.

Presentation is loading. Please wait.

5/7/2018 Java Security and a Firewall Extension for Authenticity Control of Java Applets.

Published byDerick Clark Modified over 6 years ago

Similar presentations

Presentation on theme: "5/7/2018 Java Security and a Firewall Extension for Authenticity Control of Java Applets."— Presentation transcript:

1 5/7/2018 Java Security and a Firewall Extension for Authenticity Control of Java Applets

2 Outline of the Talk Thesis Objective Internet and Security
5/7/2018 Outline of the Talk Thesis Objective Internet and Security Filtering Methods Object Signing Java Authentication System Performance Analysis Conclusion

3 5/7/2018 Objective To design and implement a system to regulate the execution of Java applets in a network environment, inside a firewall.

4 DMZ Firewall Configuration
5/7/2018 DMZ Firewall Configuration DMZ (DeMilitarized Zone) HTTP Proxy Gateway Improves security, since fewer hosts are exposed Reduced bandwidth utilization through caching Provides logging and filtering capabilities

5 5/7/2018 Executable Content Executable content is executable code downloaded from a remote hosts and run on the downloading principal's machine upon receipt. Examples of executable content are Java applets, JavaScript, ActiveX, and PostScript Java is the most commonly used Java features: Built in security, both in the language and the run-time system Platform independent Object-Oriented

6 The Threat Several serious security problems have been found in Java
5/7/2018 The Threat Several serious security problems have been found in Java Type confusion attacks ( Flaws in the networking code Bug in the class loader implementation of Netscape Navigator ( Flaw in the security manager implementation of Internet Explorer Malicious applets that hang the system or send forged messages (

7 HTTP - HyperText Transfer Protocol
5/7/2018 HTTP - HyperText Transfer Protocol HTTP request through a proxy GET HTTP/1.0 Proxy-Connection: Keep-Alive User-Agent: Mozilla/3.0 (WinNT; I) Host: Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */* HTTP reply HTTP/ OK Server: JavaWebServer/1.0.1 Content-Length: 1796 Content-Type: text/html Last-Modified: Mon, 17 Nov :06:31 GMT Connection: close Date: Fri, 26 Nov :06:08 GMT <HTML>

8 Filtering Methods Inspection of the Content-Type Header Field
5/7/2018 Filtering Methods Inspection of the Content-Type Header Field Straightforward Not all web servers specifies the right MIME type Possible to fool the filter Inspection of HTML Content The <APPLET> tag triggers the start of the JVM Caching causes problems Dynamic content (JavaScript) complicates detection of <APPLET> tags Slow Scanning for known Magic Numbers All Java class files must begin with the 4-byte hex signature CA FE BA BE Fast Can’t distinguish JARs (Java Archive) from zip archives Examination of the requested URL Java executable code must be stored in a .class or a .jar files

9 5/7/2018 Object Signing Digital signatures are used as a proof that communication came from a particular individual or organization. It can be applied to any kind of electronic document or binary data.

10 Using Digital Signatures
5/7/2018 Using Digital Signatures Signing Verifying Java Security and a Firewall Extension for Authenticity Control of Java Applets Report.txt Java Security and a Firewall Extension for Authenticity Control of Java Applets Report.txt Compare Hashing Algorithm One-way hash Hashing Algorithm Private key Public key One-way hash Digital Signature Digital Signature One-way hash Encryption Decryption

11 JAR - Java ARchive New feature in JDK 1.1
5/7/2018 JAR - Java ARchive New feature in JDK 1.1 Reduces the bandwidth utilization Fewer transactions are needed Uses ZIP compression Allows Java applets to be digitally signed

12 The JAR Format A signed JAR archive contains: 1 Manifest file
5/7/2018 The JAR Format A signed JAR archive contains: 1 Manifest file Contains a section for each signed file in an archive. n Signature Instruction Files Associates signatures to content files. n Digital Signature Instruction Files Signed copy of the corresponding Signature Instruction File. m Content Files The content of the archive. May contain a mix of signed and unsigned files.

13 Verifying integrity of a signed JAR file
5/7/2018 Verifying integrity of a signed JAR file Digital S. file Signature I. file 1. For each digital signature file: verify integrity of corresponding signature instruction file. 2. For each signature instruction file entry: verify hash of corresponding manifest file entry. 3. For each manifest file entry: verify hash of corresponding file. 1. Encrypted digest: 1wr4X5vg8d22d Name: report.txt Algortihm: SHA SHA-Hash: 6goIqkIAUwu6T Name: jas.java 2. Manifest file Report.txt Name: report.txt Algortihm: SHA SHA-Hash: CmnX58sSgpufb Name: jas.java SHA-Hash: Java Security and a Firewall Extension for Authenticity Control of Java Applets 3.

14 JAS - Java Authenticaton System
5/7/2018 JAS - Java Authenticaton System Features Detect Java applets in HTTP traffic Block unsigned Java applets Authorization control based on signer’s identity Integrity check of JAR files Editable database of trusted entities User notification when a request is rejected Components Proxy extension called JavaFilter (JF) Authentication Server (AS)

15 5/7/2018 JAS Message Flow 1. The client sends an HTTP request for a Java applet stored in a JAR file. 2.The Java Filter (JF) detects the request and issues an authorization request to the Authentication Server (AS). 3. AS requests the file from the server. 4. The server returns the JAR file. 5. After authentication and integrity check is the file passed to the proxy. 6. The proxy forwards the file content to the client.

16 Implementation Both components are written in Java (JDK 1.1.x)
5/7/2018 Implementation Both components are written in Java (JDK 1.1.x) The JavaFilter is an extension to the Java Proxy (Developed by HotLava Consulting ( The Authentication Server is implemented as a servlet Example of reusable classes: ASN.1 types, BER InputStream, X.509 certificate, JarFile HTTP is used in communications between the proxy and the authentication server. Integrates with JDK’s built-in entity database Dynamic notification applet

17 5/7/2018 Performance Analysis Five test suites with four different files in each suite The proxy alone introduces average latency of 80 ms JAS introduces and average latency of 1,5 s The response time varies considerably depending on which file in the test suite that is requested

18 Performance Analysis Fb(n): Time for JarFile constructor to finish
5/7/2018 Performance Analysis Fb(n): Time for JarFile constructor to finish Fa(n): Time for authentication procedure to complete Fi(n): Time for integrity check to complete

19 Performance Analysis Yoda Widedcan Pentium 133 MHz 32 MB RAM
5/7/2018 Performance Analysis Yoda Pentium 133 MHz 32 MB RAM NT 4.0 Workstation Widedcan Pentium 200 MHz 64 MB RAM NT 4.0 Server

20 5/7/2018 Conclusion The accomplishment of this thesis has been the design, and implementation of a system called JAS JAS is able to detect and reject potential threats, such as: Unsigned applets Applets signed by unauthorized entities JAR archives with integrity flaws. JAS performance could be improved. Possible improvements: JIT Compiler More efficient implementation of the integrity check process Faster cryptographic libraries

Download ppt "5/7/2018 Java Security and a Firewall Extension for Authenticity Control of Java Applets."

Similar presentations

InterScan AppletTrap Zhang Hong Trend Micro, AppletTrap Team 2001.09.18 (Nanjing)

InterScan AppletTrap Zhang Hong Trend Micro, AppletTrap Team (Nanjing)
Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 22 World Wide Web and HTTP.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 22 World Wide Web and HTTP.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.

An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
How the web works: HTTP and CGI explained

How the web works: HTTP and CGI explained
Introduction to Web Interface Technology (CSE2030)

Introduction to Web Interface Technology (CSE2030)
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
1 Enabling Secure Internet Access with ISA Server.

1 Enabling Secure Internet Access with ISA Server.
Page 1 Sandboxing & Signed Software Paul Krzyzanowski Distributed Systems Except as otherwise noted, the content of this presentation.

Page 1 Sandboxing & Signed Software Paul Krzyzanowski Distributed Systems Except as otherwise noted, the content of this presentation.
SSH Secure Login Connections over the Internet

SSH Secure Login Connections over the Internet
Networks and Security. Types of Attacks/Security Issues  Malware  Viruses  Worms  Trojan Horse  Rootkit  Phishing  Spyware  Denial of Service.

Networks and Security. Types of Attacks/Security Issues  Malware  Viruses  Worms  Trojan Horse  Rootkit  Phishing  Spyware  Denial of Service.
Electronic Mail Security

Electronic Mail Security
CP476 Internet Computing Lecture 5 : HTTP, WWW and URL 1 Lecture 5. WWW, HTTP and URL Objective: to review the concepts of WWW to understand how HTTP works.

CP476 Internet Computing Lecture 5 : HTTP, WWW and URL 1 Lecture 5. WWW, HTTP and URL Objective: to review the concepts of WWW to understand how HTTP works.
TCP/IP Protocol Suite 1 Chapter 22 Upon completion you will be able to: World Wide Web: HTTP Understand the components of a browser and a server Understand.

TCP/IP Protocol Suite 1 Chapter 22 Upon completion you will be able to: World Wide Web: HTTP Understand the components of a browser and a server Understand.
Web Security Chapter 6. Learning Objectives Understand SSL/TLS protocols and their implementation on the Internet Understand HTTPS protocol as it relates.

Web Security Chapter 6. Learning Objectives Understand SSL/TLS protocols and their implementation on the Internet Understand HTTPS protocol as it relates.
World Wide Web Hypertext model Use of hypertext in World Wide Web (WWW) WWW client-server model Use of TCP/IP protocols in WWW.

World Wide Web Hypertext model Use of hypertext in World Wide Web (WWW) WWW client-server model Use of TCP/IP protocols in WWW.
EIDE Design Considerations 1 EIDE Design Considerations Brian Wright Portland General Electric.

EIDE Design Considerations 1 EIDE Design Considerations Brian Wright Portland General Electric.
Network Security. 2 SECURITY REQUIREMENTS Privacy (Confidentiality) Data only be accessible by authorized parties Authenticity A host or service be able.

Network Security. 2 SECURITY REQUIREMENTS Privacy (Confidentiality) Data only be accessible by authorized parties Authenticity A host or service be able.
1 Implementing Monitoring and Reporting. 2 Why Should Implement Monitoring? One of the biggest complaints we hear about firewall products from almost.

1 Implementing Monitoring and Reporting. 2 Why Should Implement Monitoring? One of the biggest complaints we hear about firewall products from almost.

Similar presentations

Ads by Google