Newsletter sign-up
View all newsletters

Enterprise Java Newsletter
Stay up to date on the latest tutorials and Java community news posted on JavaWorld

Sponsored Links

Optimize with a SATA RAID Storage Solution
Range of capacities as low as $1250 per TB. Ideal if you currently rely on servers/disks/JBODs

JavaWorld.com > Java Development Tools >

Java security evolution and concepts, Part 1: Security nuts and bolts

Learn computer security concepts and terms in this introductory overview

By Raghavan N. Srinivas, JavaWorld.com, 04/28/00

  • Print
  • Feedback

Page 2 of 7

Good system design requires security

Is it possible to retrofit security? The answer is rarely. Quite often it may be impossible to retrofit security without having to redesign substantial parts of the system. In almost all cases, retrofitting will be very expensive. Therefore, security should never be an afterthought -- it must be an integral part of the system design from the start.

Computer security basics

It's useful to understand what computer security protects against, the respective defense mechanisms, and the different terminologies associated with it.

Threats

Threats -- attacks against computer security -- can be broadly categorized as:

  • Secrecy attacks: Attempts to steal confidential information either by exploiting weaknesses in cryptographic algorithms or by other means.
  • Integrity attacks: Attempts to alter information with some selfish or malicious intent. Integrity attacks, it should be noted, can also be accidental.
  • Availability attacks: Attempts to disrupt a system's normal operations. Availability attacks are also referred to by the recently popularized term, denial of service (DoS) attacks.


Several attacks fall into one or more of the categories mentioned above. Examples include:

  • A brute force attack typically involves searching every key until the right one unlocks the door. While that may seem like an expensive operation, in reality it is possible to preen the search using specialized tools.
  • A Trojan horse attack involves planting an enemy as an insider in such a way that it's not apparently noticeable. A computer virus serves as a common Trojan horse example.
  • A person-in-the-middle attack intercepts communication between two parties without their knowledge. They assume that they're communicating normally.


Other attacks include: birthday attack, dictionary attack, meet-in-the-middle attack, and so on. (For a more comprehensive discussion, see Bruce Schneier's Applied Cryptography in Resources.)

Protections

To shield against security threats, there are a variety of protection mechanisms. Historically, defense mechanisms have involved erecting some sort of a wall or boundary, commonly referred to as a perimeter defense.

Firewalls, a fairly successful example of perimeter defense, separate internal (private) and external (public) networks, and provide a central point of control for a corporate policy. However, firewalls increasingly allow select forms of traffic -- HTTP for example -- to cross over.

A virtual private network (VPN), which provides the same security level as a private network while still using a shared network, serves as another protection example.

Cryptography

Cryptography and cryptanalysis, its related field, concerns itself with the design and analysis of algorithms for encrypting and decrypting information. We'll discuss cryptography's vital relationship to security in the sections below.

Confidentiality

Confidentiality is the process of protecting data from unauthorized use or users. Simply put, it means that only the intended recipient of a message can make sense of it.

  • Print
  • Feedback

Resources