Java Security Frameworks
Jump to navigation
Jump to search
JCA Java Cryptography Architecture
The initial java cryptography API allows independent implementation of the cryptographic functions and defines a standard API Default implementation "SUN"
Provides:
- Digital signature algorithms (DSA)
- DSA key pair generation
- DSA algorithm parameter generator/manager
- DSA factory for conversion of private key to public key
- Digital signature generation DSG
- Certificate builder and validator X509
- Certificate facory X509 certificates and revocation lists
- Key store JKS management of keys and certificates
- Message digest algorithms e.g. md5/sha1
new in jdk 2:
- key factories
- keystore creation and management
- algorithm parameter management
- algorithm parameter generation
- certificate factories
- enables a provider to supply a random number generation (RNG) algorithm
Based on the key clases:
- MessageDigest
- Signature
- KeyFactory
- KeyPairGenerator
JCE Java Cryptography Extension
Extends the JCA originally for algorithms subject to export control Default provider "SunJCE"
- Symmetric bulk encryption
- i.e. Block ciphers e.g. AES-128, AES-192, AES-256, DES, tripple DES, RC2, IDEA, blowfish, Serpent, Twofish
- Symmetric stream encryption, e.g. RC4
- as used in SSL, WEP
- Asymmetric encryption i.e. PGP e.g. RSA, ElGamal encryption, ECC (Elliptic curve cryptography)
- note: there is also an ElGamal signature scheme related to DSA different to ElGamal sncryption
- Password-based encryption (PBE) e.g. MD5 + DES-CBC or PKCS
- password + salt -> cryptographic hash, cipher, or HMAC -> repeat 1000 times => derived key - use as a cryptographic key
- Key Agreement - e.g. Diffie Hellman
- Message Authentication Codes (MAC) e.g. HMAC-SHA1
- PKCS#11 - RSA cryptographic token interface standard - storage and cryptographic services from devices
- Hardware Security Modules (HSM) and smart cards.
- Standard interfaces required
CertPath Java Certification Path API
API for certificate chains - checking, verifying, validating
JSSE Java Secure Socket Extension
Secure communication via SSL (Secure Socket Layer)/TLS (Transport Layer Security)
- data encryption
- server authentication
- message integrity
- optional client authentication
- public key crypto for exchange
- secret key crypto (block) for data transfer
Supports building of HTTPS, SSH, secure SMTP, IPSEC, Secure RMI or RMI/IIOP (over SSL)
JAAS Java Authentication and Authorisation Service
- identity verification
- roles/privileges
- supports pluggable authentication
- authentication - verifying identity,
- authorisation - access rights
JGGS Java Generic Secure Services
- Authentication/SSO Single Sign On
- e.g. kerberos
- GSS-API developed by IEFT
- token passing security protocols
- Does not support authorisation
Jargon
Encryption
- Encrypted message = cypher text
- Two way process involving a cryptographic key
Symetric Ciphers
- Symetric because encryption and decryption share same key
Block cipher
- symetric key encryption works on fixed length block of data
- padding required to make data fit block size
Stream cipher
- encrypts one byte/bit at a time
- sensitive to starting state
Sealed object
- encryption of a serialisable object
- offers confidentiality
Password based encryption PBE
- derivation of an encryption key from password
- password + salt -> hashing algorithm many times
AES
- Advanced Encryption Standard
- block algorithm
Message Authentication Code (MAC)
- HMAC - hashed key (hashed using password)
TLS Transport Layer Security
- successor to SSL
- TLS uses stronger encryption algorithms and has the ability to work on different ports
- TLS 1.0 based on SSL 3.0 but incompatible
- More extensible
- TLS allows secure and insecure communication over the same port
Key agreement protocols
- exchange of a secret key over an insecure network
- Diffie Hellman
Ephemeral
- short lived, transient
Non-repudiation
- irrefutable proof - person signed the document