1
Security
2
Java E-Commerce © Martin Cooke, 2003
This lecture
- Security requirements for e-commerce
- Java language features
- Java sandbox
24/04/2019 Java E-Commerce © Martin Cooke, 2003
3
Later lectures
- Next: Authentication & authorisation
- Cryptography
  - Cryptographic hash functions
  - Encryption/decryption: symmetric and public key systems
- Applications
  - Message digests
  - Digital signatures & certificates
  - SSL and SET
- Java support for cryptography
4
Security requirements for e-commerce
5
Why security is a hot topic
Security threats have increased out of all recognition in the last 10 years, with virtually no aspect of life left untouched, leaving opportunities to snoop, steal, clog up, impersonate, modify, delete, or simply make mistakes and wreak havoc …
- Financial transactions, eg credit card details
- Sensitive information, eg exam papers
- Downloaded programs, including applets
6
Aspects not covered here
- Nature of threats
- Tools for attacks
- Firewalls
- Virtual private networks (VPNs)
- Auditing for post-mortems
See Ince (2001), ch 11
7
The purpose of security
Security is not used simply to protect against direct threats …
… but is essential in establishing trust in transactions between unseen parties
Security & trust are probably the most significant barriers to e-commerce
8
Four cornerstones of security & trust
Diagram: authentication; integrity & non-repudiation; confidentiality; authorisation
9
Authentication
The identities of all parties involved in an operation should be verified (including code sources)
10
Integrity
Ensure information has not been tampered with
11
Non-repudiation
Cannot deny that you are the sender of the info, or that it has been received
12
Confidentiality
Only the intended recipient can make sense of a message or stored information
13
Authorisation
Is the user or code allowed to carry out certain operations?
14
Security tradeoffs
- With unlimited resources, most forms of security can be broken
  - Cost of breaking should outweigh reward
- Have to consider end-to-end security: only as secure as the weakest part
  - Eg: encryption with a private key is all very well, but the weakness is often storage of the private key
- Aim for simplicity
  - Don’t want to frighten away legitimate users
  - Easier to analyse and maintain
15
Common web scenarios and their security aspects
16
Scenario 1: online banking
- Authentication: is this a valid user?
- Authorisation: does this user have permission to access account information?
- Confidentiality: is account information secure from attack?
… but must still be easy to use
17
Scenario 2: Downloading code
- Authentication: does the code come from a trusted source?
- Integrity: has the code been tampered with before or during downloading?
- Authorisation: does the code have permission to carry out certain operations?
18
Scenario 3: online credit card transactions
- Authentication: does the credit card belong to the customer? Is the merchant valid? Is the merchant bank valid?
- Integrity: have any details been altered en route?
- Non-repudiation: can any of the parties deny that any aspects of the transaction took place?
- Confidentiality: should the merchant have access to credit card details? Should the bank have access to purchase details?
19
But isn’t Java secure?
20
Java 2 security features
- Configurable security policy to protect you from Java programs (this lecture)
- Authentication and authorisation framework to protect you against end users (next lecture)
- Integrity checks for data
- Digital signatures
- Digital certificates
- Key management
- Encryption/decryption (from 1.4)
21
Figure (Source: Oaks, fig 1-2): components of the Java 2 security architecture: core API class files, remote class files, local class files, signed class files, bytecode verifier, class loader, core Java API, security package, key db, security manager & access controller, operating system
22
Bytecode verifier
- Ensures that Java class files follow the rules of Java, eg memory protection
- Only applies to classes outside the core
23
Class loader
- Does the obvious …
- … but can set permissions for each class loaded (so-called protection domains) so that the access controller knows which classes have which permissions
24
Security package
- java.security and subpackages
- Large, complex API
- Message digests
- Keys and certificates
- Digital signatures
- Encryption
- Authentication
25
Security manager & access controller
- Responsible for allowing or preventing access to system resources
- Based on policies set by the system admin
- Why 2?
  - The security manager defers most actions to the access controller
  - The SM exists for backwards compatibility
26
Key database
- Set of keys used to create or verify digital signatures
- May exist as an external file or database
27
Security features in the language
- Every object has an access level: private, package, protected, public
- Cannot access arbitrary memory locations
- Immutable final objects
- Variables must be initialised before use
- Array-bound checking
- No arbitrary object casting
28
Enforcement 1: compiler
29
Enforcement 2: byte-code verifier
- Necessary since it is possible to compile classes which, together, represent non-conforming Java code
- Internal part of the JVM
- Proves that a series of bytecodes is a legal sequence of Java instructions
  - Correct format for class
  - No subclassing of finals
  - Single superclass for each class
  - No illegal primitive data conversion
  - No illegal casting (*)
  - No operand stack overflow/underflow
(*) cannot test fully until runtime
30
Enforcement 3: runtime system
31
The Java Sandbox
32
The sandbox
- Originally applied only to applets and was very ‘tight’
- Since 1.1, offered fine-grained security authorisation to code
- Since 1.2, can be applied to applications as well as applets (the only difference is that it is the default for applets)
- Implemented by the security manager
33
Elements of the sandbox
- Permissions
- Code sources
- Protection domains
- Keystores
- Policy file
34
Elements of the sandbox: Permissions
- Specific action that code is allowed to perform
- Specified as a triple: Type, Name, Actions
- Specified in the policy file
    permission java.security.AllPermission;
  Allows code to do anything
    permission java.lang.RuntimePermission "stopThread";
    permission java.io.FilePermission "/tmp/foo", "read";
  Self-evident
35
Elements of the sandbox: Code sources
- Location from which a class has been loaded
- Possibly including information about who signed the class
- java.security.CodeSource
36
Elements of the sandbox: Protection domains
- Maps permissions to code sources
- Eg code loaded from <URL> can do <X>
37
Elements of the sandbox: Keystores
- Java code may be digitally signed (later)
- Uses keys, held in a keystore
38
Elements of the sandbox: Policy file
- Used to list permissions, identify keystore location, specify code sources and protection domains
- Global policy file: lib/security/java.policy
- Local policy file: .java.policy in home dir
- Policies based on the union of the two
39
Policy file example (the two codeBase URLs were cut off on the slide; the placeholders in angle brackets stand for the original values)
    keystore "${user.home}${/}.keystore";

    grant codeBase "<dcs codebase URL>" {
        permission java.io.FilePermission "/tmp", "read";
        permission java.lang.RuntimePermission "queuePrintJob";
    };

    grant signedBy "mpc" codeBase "<mpc.com codebase URL>" {
        permission java.security.AllPermission;
    };

    grant signedBy "gjb" {
        permission java.net.SocketPermission "*:1024-", "accept, connect, listen";
    };

    grant {
        permission java.util.PropertyPermission "java.version", "read";
    };
40
Keystore
    keystore "${user.home}${/}.keystore";
Consult the keystore in the home directory if certificates need to be checked
41
Codebases
Each grant clause identifies code by a combination of signedBy and codeBase elements
42
Permissions
Each permission entry has 2, 3 or 4 parts: the keyword permission, then type, name, actions
43
Protection domains
The four grant clauses of the example read as:
- “allow code loaded from dcs to read /tmp and to queue print jobs”
- “allow code loaded from mpc.com and signed by mpc to do anything”
- “allow code signed by gjb, loaded from anywhere, to do 3 actions on any host, on all ports >1024”
- “allow all code to read the java version”
44
Default policy file
45
PolicyTool
46
Launching the sandbox for applications
    java -Djava.security.manager <app>

    java -Djava.security.manager \
         -Djava.security.policy=<URL> <app>
47
Programming perspective: The access controller
- Main mechanism used by the Java API to implement the sandbox
- Simple to use
48
Example
    import java.applet.*;
    import java.net.*;
    import java.security.*;

    public class AccessTest extends Applet {
        public void init() {
            // Build the permission for a connection to port 6000 on the host
            // named in the applet parameters.
            SocketPermission sp = new SocketPermission(
                getParameter("host") + ":6000", "connect");
            try {
                // Ask the access controller whether the calling code holds it.
                AccessController.checkPermission(sp);
                System.out.print("OK to open socket");
            } catch (AccessControlException ace) {
                // Denied: the policy does not grant this code the permission.
                System.out.println(ace);
            }
        }
    }
Source: Oaks, p102
49
Example (continued)
1. Construct permission (NB a permission instance is NOT the same as a permission!)
50
Example (continued)
1. Construct permission
2. Check it (static method of AccessController)
51
Example (continued)
1. Construct permission
2. Check it (static method of AccessController)
3. Catch exception
52
Constructing your own permissions
- Think of this as similar to constructing your own exceptions
- Powerful and flexible way to implement arbitrary, application-specific security policies, which can be administered from a policy file
  - Eg read or modify rows with particular fields from a database
- Extend java.security.Permission
- Easier to extend java.security.BasicPermission
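The following worked example ties this slide to the AccessTest walkthrough on slides 47 to 51: an application-specific permission built on BasicPermission, checked through AccessController.checkPermission, and administered from a policy file. It is added example code, not from the lecture or from Oaks; the class names OrderPermission and OrderService, the permission names orders.refund, orders.cancel and orders.*, the policy file app.policy and the codeBase directory are all invented for illustration. The block holds two source files, marked by comments.

```java
// --- OrderPermission.java ---
import java.security.BasicPermission;

// Application-specific permission (hypothetical name). BasicPermission supplies
// equals, hashCode and implies, including the trailing wildcard: a grant of
// "orders.*" implies both "orders.refund" and "orders.cancel". The class and its
// constructors must be public because the policy machinery instantiates the
// permission reflectively when it resolves the grant.
public final class OrderPermission extends BasicPermission {
    public OrderPermission(String name) {
        super(name);
    }

    // Used by the policy file parser when an actions string is present;
    // BasicPermission ignores the actions, so both forms behave the same.
    public OrderPermission(String name, String actions) {
        super(name, actions);
    }
}

// --- OrderService.java ---
import java.security.AccessControlException;
import java.security.AccessController;

public class OrderService {

    // Gate a sensitive operation exactly as the Java API gates file or socket
    // access: construct the permission, ask the access controller, and let the
    // AccessControlException propagate if the calling code has not been granted it.
    static void refund(String orderId) {
        AccessController.checkPermission(new OrderPermission("orders.refund"));
        System.out.println("refund issued for order " + orderId);
    }

    // The same check reported as a boolean, for callers that would rather hide
    // a menu item than catch an exception.
    static boolean mayCancel() {
        try {
            AccessController.checkPermission(new OrderPermission("orders.cancel"));
            return true;
        } catch (AccessControlException denied) {
            return false;
        }
    }

    // Constructed policy file, saved as app.policy, granting only refunds to code
    // loaded from one hypothetical directory (adjust codeBase to where the
    // compiled classes actually live):
    //
    //   grant codeBase "file:/opt/shop/classes/" {
    //       permission OrderPermission "orders.refund";
    //   };
    //
    // Launch as on slide 46 (a single '=' adds app.policy to the default policy):
    //   java -Djava.security.manager -Djava.security.policy=app.policy OrderService
    //
    // With that grant the refund succeeds and mayCancel() returns false. Change
    // the grant to "orders.*" and both are allowed; omit the grant and refund()
    // throws AccessControlException, which main() reports.
    public static void main(String[] args) {
        try {
            refund("A-1001");
        } catch (AccessControlException denied) {
            System.out.println("refund denied: " + denied.getMessage());
        }
        System.out.println("cancel allowed: " + mayCancel());
    }
}
```

The check enforces exactly what the policy grants and nothing more, which is what makes the permission administrable without touching the code. Note that the security manager this relies on was deprecated for removal in JDK 17 (JEP 411) and permanently disabled in JDK 24 (JEP 486), so the example runs only on releases before that.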
53
Interim summary
- The Java language contains many features which make it difficult to subvert
- The sandbox concept applies to applets (always) and applications, using -Djava.security.manager
- A policy file specifies which permissions can be granted to code coming from specific locations and/or specific signers
- This adds up to protecting system resources from untrusted code
- But what about untrusted users?
54
Summary
- Authentication, authorisation, integrity and confidentiality are the cornerstones of security
- Java supports security in many ways, from language features to APIs, but is only as secure as the programmer makes it
55
Resources
Books
- Oaks (2001) Java Security (2nd edition), O’Reilly
- Ince (2001), ch 11
- Norris & West (2001) eBusiness Essentials, Wiley, chs 4 and 5