LAB#2 JAVA SECURITY OVERVIEW Prepared by: I.Raniah Alghamdi.

2 From first lab  Java security technology includes a large set of APIs, tools, and implementations of commonly used security algorithms, mechanisms, and protocols.  The Java security APIs span a wide range of areas, including cryptography, public key infrastructure, secure communication, authentication, and access control.

3 Java Sandbox  The Java security model is based on a customizable "sandbox" in which Java software programs can run safely, without potential risk to systems or users.

4 Java Sandbox  The name comes from the fact that applets are restricted to act only inside their "sandbox", a safe playing area.  It provides a very restricted environment in which to run untrusted code obtained from the open network.  The downloaded remote code (an applet) is not trusted and can access only the limited resources provided inside the sandbox.  The local code is trusted to have full access to vital system resources (such as the file system).  The sandbox is not a one-size-fits-all model

5 Elements of Java Sandbox  The sandbox is composed of five elements: 1. Permissions 2. Keystores 3. Code sources 4. Protection domain 5. Policy files

6 Elements of Java Sandbox 1. Permissions: A permission is a specific action that code is allowed to perform.  Permissions are composed of three elements: 1- Type of the permission 2- Name 3- Action. Ex: permission; permission java.lang.RuntimePermission "stopThread"; permission "/tmp/abc", "read";

7 Elements of Java Sandbox 2. Keystores:  Code signing is one way in which code can be granted more latitude. Signed code depends on public key certificates, which are held in a location called a keystore.  Remember that public/private keys come in pairs. As we know, code can be digitally signed by a person or organization. The key used to actually sign the code is the signer's private key. The key used to check the signature for validity is the signer's public key.

8 Elements of Java Sandbox 3. Code sources:  They are the location from which a class has been loaded along with information about who signed the class if applicable.  The location specified by a URL : From the file system (file-based URL) or from network (network-based URL). 

9 Elements of Java Sandbox 4. Protection domains: They are the basic concept of the default sandbox. Ex:  code loaded from allowed to read file from my disk  code loaded from allowed to initiate print jobs

10 Elements of Java Sandbox 5. Policy files:  Policy files are the administrative element that controls the sandbox.  Policy files are simple files that can be created and modified with a text editor. The policy is represented by a policy object as instantiated from the class
    grant [signedBy "signer_names",] [codebase "URL"] {
        permission permission_class_name "target_name", ["action"] [, signedBy "signer_names"];
    };
Ex.
    grant signedBy "ACME Software" codebase {
        permission "c:\\autoexec.bat","read";
        permission java.lang.RuntimePermission "queuePrintJob";
    };
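How the five elements fit together at run time, as an added example that is not part of the original lab slides: a grant entry ties a code source to a set of permissions, and that pair is a protection domain whose `implies` answers each access request. The codebase URLs, the `/tmp` targets and the class and method names are constructed for illustration.

```java
import java.io.FilePermission;
import java.net.URI;
import java.net.URL;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

public class SandboxDomainDemo {
    // Build the protection domain one grant entry describes: code source -> permissions.
    static ProtectionDomain domain(String codebase, Permission... granted) throws Exception {
        URL location = URI.create(codebase).toURL();
        // null certificate array = unsigned code (no signedBy clause)
        CodeSource source = new CodeSource(location, (Certificate[]) null);
        Permissions perms = new Permissions();
        for (Permission p : granted) {
            perms.add(p);
        }
        // This constructor fixes the permission set; no policy file is consulted.
        return new ProtectionDomain(source, perms);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample grants: remote code gets one narrow read, local code gets more.
        ProtectionDomain remote = domain("http://applets.example/classes/",
                new FilePermission("/tmp/abc", "read"));
        ProtectionDomain local = domain("file:/opt/app/lib/",
                new FilePermission("/tmp/-", "read,write"),   // "-" = everything below /tmp
                new RuntimePermission("queuePrintJob"));

        // Each request has a type (class), a name (target) and, for files, an action.
        Permission[] requests = {
            new FilePermission("/tmp/abc", "read"),
            new FilePermission("/tmp/abc", "write"),
            new FilePermission("/tmp/other", "read"),
            new RuntimePermission("queuePrintJob"),
            new RuntimePermission("stopThread"),
        };
        for (Permission req : requests) {
            System.out.printf("%-52s remote=%-5b local=%b%n",
                    req, remote.implies(req), local.implies(req));
        }
    }
}
```

A request is allowed only when some granted permission of the same type implies it, so the remote domain's single read grant covers neither a write to the same file nor a read of a different one.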

11 Java Security Model  The class loader  The Byte code verifier  The security manager

12 The class loader  One or more class loaders load classes that are not found on the CLASSPATH  Built-in classes are considered to be "trusted" and are always run in preference to a downloaded class of the same name.

13 The bytecode Verifier  Ensures that Java class files follow the rules of the Java language  helps enforce memory protections for all Java programs  not all files are subject to bytecode verification

14 The security manager  It is the primary interface between the core API and the operating system  It has the ultimate responsibility for allowing or preventing access to all system resources  Each application can have an individual security policy  Security policies are defined in external files that are accessible by the security manager  The security manager enforces the specified security policy

15 Java Security APIs  Separate packages that are now included as part of JDK 1.4  JCE - Java Cryptography classes  JSSE - Java Secure Sockets Extension  JAAS - Java Authentication and Authorization Services  More..

16 JCE - Java Cryptography Extension  It is an extension of the JCA  JCE provides a framework and implementations for:  Encryption and decryption: symmetric bulk encryption, such as DES, RC2, and IDEA; symmetric stream encryption, such as RC4; asymmetric encryption, such as RSA; password-based encryption (PBE)  Key generation and key agreement  Message Authentication Code (MAC) algorithms.
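The three JCE services listed above (key generation, encryption and decryption, MAC) in one round trip, as an added example that is not part of the original lab slides. It uses AES-GCM and HMAC-SHA256 in place of the older DES, RC2 and RC4 named on the slide; the class name and sample message are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class JceRoundTrip {
    public static void main(String[] args) throws Exception {
        byte[] message = "constructed sample message".getBytes(StandardCharsets.UTF_8);

        // Key generation: a random 256-bit AES key from the provider's KeyGenerator.
        KeyGenerator aesGen = KeyGenerator.getInstance("AES");
        aesGen.init(256);
        SecretKey aesKey = aesGen.generateKey();

        // Encryption: GCM needs a fresh 12-byte IV for every message under one key.
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        GCMParameterSpec gcm = new GCMParameterSpec(128, iv); // 128-bit authentication tag
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, aesKey, gcm);
        byte[] ciphertext = cipher.doFinal(message);

        // Decryption with the same key and IV recovers the plaintext.
        cipher.init(Cipher.DECRYPT_MODE, aesKey, gcm);
        String plain = new String(cipher.doFinal(ciphertext), StandardCharsets.UTF_8);
        System.out.println("decrypted: " + plain);

        // One flipped bit makes decryption fail instead of returning altered data.
        ciphertext[0] ^= 1;
        cipher.init(Cipher.DECRYPT_MODE, aesKey, gcm);
        try {
            cipher.doFinal(ciphertext);
            System.out.println("tampering NOT detected");
        } catch (AEADBadTagException e) {
            System.out.println("tampering detected: " + e.getMessage());
        }

        // MAC: HMAC-SHA256 tag, recomputed and compared in constant time.
        SecretKey macKey = KeyGenerator.getInstance("HmacSHA256").generateKey();
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(macKey);
        byte[] tag = mac.doFinal(message);
        boolean ok = MessageDigest.isEqual(tag, mac.doFinal(message));
        System.out.println("MAC length " + tag.length + " bytes, verifies: " + ok);
    }
}
```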

17 JSSE - Java Secure Socket Extension  It enables secure Internet communications.  It provides a framework and an implementation for a Java version of the Secure Sockets Layer (SSL), and Transport Layer Security (TLS) protocols.  It includes functionality for data encryption, server authentication, message integrity, and optional client authentication.

18 JAAS - Java Authentication and Authorization Service  It is a framework for user-based authentication and authorization.  It can be used for two purposes:  authentication of users, to reliably and securely determine who is currently executing Java code, regardless of whether the code is running as an application or an applet  authorization of users to ensure they have the access control rights (permissions) required to do the actions performed.

19 Lab work  Create any txt file (e.g.: massage.txt) which contains at least 10 lines.  Then write a program that reads this file and prints out the frequency of each alphabetic letter (The frequency of letter ‘a’ =…., The frequency of letter ‘b’ =…., etc). Your output should be easily readable, maybe in tabular format in a text file.  Write at the end of the txt file your name and ID.

