Java Security Frameworks


JCA Java Cryptography Architecture

The initial Java cryptography API. It defines a standard API and allows independent implementations of the cryptographic functions. The default implementation (provider) is "SUN".

Provides:

  • Digital signature algorithms (DSA)
    • DSA key pair generation
    • DSA algorithm parameter generator/manager
    • DSA factory for conversion of private key to public key
    • Digital signature generation DSG
  • Certificate builder and validator X509
  • Certificate factory X509 certificates and revocation lists
  • Key store JKS management of keys and certificates
  • Message digest algorithms e.g. MD5/SHA-1

New in JDK 2:

  • key factories
  • keystore creation and management
  • algorithm parameter management
  • algorithm parameter generation
  • certificate factories
  • enables a provider to supply a random number generation (RNG) algorithm

Based on the key classes:

  • MessageDigest
  • Signature
  • KeyFactory
  • KeyPairGenerator

JCE Java Cryptography Extension

Extends the JCA, originally for algorithms subject to export control. The default provider is "SunJCE".

  • Symmetric bulk encryption
    • i.e. Block ciphers e.g. AES-128, AES-192, AES-256, DES, triple DES, RC2, IDEA, Blowfish, Serpent, Twofish
  • Symmetric stream encryption, e.g. RC4
    • as used in SSL, WEP
  • Asymmetric encryption i.e. PGP e.g. RSA, ElGamal encryption, ECC (Elliptic curve cryptography)
    • note: there is also an ElGamal signature scheme, related to DSA, which is different from ElGamal encryption
  • Password-based encryption (PBE) e.g. MD5 + DES-CBC or PKCS
    • password + salt -> cryptographic hash, cipher, or HMAC -> repeat 1000 times => derived key - use as a cryptographic key
  • Key Agreement - e.g. Diffie Hellman
  • Message Authentication Codes (MAC) e.g. HMAC-SHA1
  • PKCS#11 - RSA cryptographic token interface standard - storage and cryptographic services from devices
    • Hardware Security Modules (HSM) and smart cards.
    • Standard interfaces required

CertPath Java Certification Path API

API for certificate chains - checking, verifying, validating

JSSE Java Secure Socket Extension

Secure communication via SSL (Secure Socket Layer)/TLS (Transport Layer Security)

  • data encryption
  • server authentication
  • message integrity
  • optional client authentication
  • public key crypto for exchange
  • secret key crypto (block) for data transfer

Supports building of HTTPS, SSH, secure SMTP, IPSEC, Secure RMI or RMI/IIOP (over SSL)

JAAS Java Authentication and Authorisation Service

  • identity verification
  • roles/privileges
  • supports pluggable authentication
  • authentication - verifying identity,
  • authorisation - access rights

JGSS Java Generic Security Services

  • Authentication/SSO Single Sign On
  • e.g. Kerberos
  • GSS-API developed by IETF
  • token passing security protocols
  • Does not support authorisation


Jargon

Encryption

  • Encrypted message = ciphertext
  • Two way process involving a cryptographic key

Symmetric Ciphers

  • Symmetric because encryption and decryption share the same key

Block cipher

  • symmetric key encryption that works on a fixed-length block of data
  • padding required to make data fit block size

Stream cipher

  • encrypts one byte/bit at a time
  • sensitive to starting state

Sealed object

  • encryption of a serialisable object
  • offers confidentiality

Password based encryption PBE

  • derivation of an encryption key from password
  • password + salt -> hashing algorithm many times
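
The derivation described here and in the JCE list above (password + salt, hashed repeatedly, result used as a cryptographic key), as an added example that is not part of the original notes. It assumes the `PBKDF2WithHmacSHA256` key factory and `AES/GCM/NoPadding` from the standard providers instead of the MD5 + DES-CBC scheme the notes mention; the class name `PbeSketch` and the sample password are constructed for illustration.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;

public class PbeSketch {
    // 1000 is the repeat count quoted in the notes; treat it as a tunable assumption.
    static final int ITERATIONS = 1000;

    // password + salt -> HMAC-SHA256 repeated ITERATIONS times -> 256-bit AES key
    static SecretKey deriveKey(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
        try {
            SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return new SecretKeySpec(f.generateSecret(spec).getEncoded(), "AES");
        } finally {
            spec.clearPassword(); // drop the spec's internal copy of the password
        }
    }

    static byte[] crypt(int mode, char[] pw, byte[] salt, byte[] iv, byte[] in)
            throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, deriveKey(pw, salt), new GCMParameterSpec(128, iv));
        return c.doFinal(in);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        SecureRandom rng = new SecureRandom();
        byte[] salt = new byte[16], iv = new byte[12]; // stored beside the ciphertext, not secret
        rng.nextBytes(salt);
        rng.nextBytes(iv);
        char[] pw = "constructed-sample-password".toCharArray();
        byte[] ct = crypt(Cipher.ENCRYPT_MODE, pw, salt, iv, "hello".getBytes(StandardCharsets.UTF_8));
        byte[] pt = crypt(Cipher.DECRYPT_MODE, pw, salt, iv, ct);
        System.out.println(new String(pt, StandardCharsets.UTF_8));
        try { // a wrong password derives a different key, so the GCM tag check fails
            crypt(Cipher.DECRYPT_MODE, "wrong".toCharArray(), salt, iv, ct);
        } catch (AEADBadTagException e) {
            System.out.println("wrong password rejected");
        }
    }
}
```

The salt and IV must be freshly generated for each encryption and kept with the ciphertext so the same key can be re-derived for decryption.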

AES

  • Advanced Encryption Standard
  • block algorithm

Message Authentication Code (MAC)

  • HMAC - hashed key (hashed using password)

TLS Transport Layer Security

  • successor to SSL
  • TLS uses stronger encryption algorithms and has the ability to work on different ports
  • TLS 1.0 based on SSL 3.0 but incompatible
  • More extensible
  • TLS allows secure and insecure communication over the same port

Key agreement protocols

  • exchange of a secret key over an insecure network
  • Diffie Hellman

Ephemeral

  • short lived, transient

Non-repudiation

  • irrefutable proof - person signed the document