Newsletter sign-up

View all newsletters

Sign up for our technology specific newsletters.

Enterprise Java

Email Address:

In Java we trust

Find out how the Java Security API can help you secure your applications

By Todd Sundsted, JavaWorld.com, 01/26/99

Trust everyone? Trust no one? Sounds a bit like the X-Files, but when it comes to confidential information, knowing who it is you're trusting is as important as knowing what you trust them with. This concept is as important for applications as it is for people. After all, we've made applications the custodians of our information and the stewards of our resources. It's true across the enterprise -- applications hold critical information about our business and our customers -- and it's true on the desktop. I can't tell you how many times I've been asked how to write an applet that scans a user's drive so that one user can commandeer another user's browser or capture private information.

Java, being the network development platform that it is, has had to tackle the problem of trust head on. The result is the Java Security API and the Java Cryptography Architecture.

A brief glance backward

Before I dive headlong into APIs, code, and commentary, I'd like to briefly revisit last month's discussion. If you're joining us for the first time, you might want to back up a month and read " Signed and delivered: An introduction to security and authentication ." This column provides a thorough introduction to all the terms and concepts I'll be using this month.

Security and authentication address two crucial concerns: that of proving a message was created by a particular entity, and that of proving a message wasn't tampered with after it was created. One way of meeting both of these goals is by the use of digital signatures.

Digital signatures depend heavily on a branch of cryptography known as public-key cryptography. Public-key algorithms are characterized by the fact that they rely on a matched pair of keys (one private and one public) rather than a single key. An entity keeps its private key secret, but makes its public key available.

A digital signature algorithm takes as input a message and an entity's private key, and generates a digital signature. The digital signature is created in such a way that anyone can take the entity's public key and use it to verify that the entity in fact signed the message in question. Furthermore, if the original message has been tampered with, the signature can no longer be verified. Digital signatures provide one additional benefit: once an entity has signed and distributed a message, it's impossible for its originator to deny having signed the message (without claiming his or her private key was stolen, anyway).

Of engines and providers

The Java Cryptography API defines the Java toolkit for security and authentication. The Java Cryptography Architecture (JCA) describes how to use the API. To ensure the highest degree of flexibility for both the developer and the end user, the JCA embraces two guiding principles:

1. The architecture should support algorithm independence and extensibility. A developer must be able to write applications without tying them too closely to a particular algorithm. In addition, as new algorithms are developed, they must be easily integrated with existing algorithms.
   
   
2. The architecture should support implementation independence and interoperability. A developer must be able to write applications without tying them to a particular vendor's implementation of an algorithm. In addition, implementations of an algorithm provided by different vendors must interoperate.
   
   

To satisfy these two requirements, the developers of the Java Cryptography API based their design on a system of engines and providers.

 

About Us | Advertise | Contact Us | Terms of Service/Privacy

Copyright, 2006-2008 Network World, Inc. All rights reserved.