|
|
Featured White Papers
- Why choose an Open Source BPM?
- 10 FAQs on Business Process Management
- Best Practices for Getting Started with BPM
- Free Your Devs From The Pain Of Java Redeploys
- Increase Velocity 40% by Using JRebel
- What Developers Want: The End of Application Redeploys
- Developer Productivity Report: Java Tools, Tech, Devs, and Data
- Coding with JRebel: Java Forever Changed
- Utilizing Fast Testing to Transform Java Development
- Do You Really Get Classloaders?
- Pragmatic Continuous Delivery with Jenkins, Nexus, and LiveRebel
- Your Next Java Web App: Less XML, No Long Restarts, Fewer Hassles
- Coding with JRebel, Java Forever Changed
- 2012 Developer Productivity Report: Java Tools, Tech, Devs, and Data
Sponsored Links
Sponsored Links
Optimize with a SATA RAID Storage Solution
Range of capacities as low as $1250 per TB. Ideal if you currently rely on servers/disks/JBODs
Java security evolution and concepts, Part 1: Security nuts and bolts
Learn computer security concepts and terms in this introductory overview
Page 7 of 7
Figure 1. Digital signatures
Notice that the message uses a hashing algorithm to generate a fixed size hash, which is then encrypted to generate a signature. Those signatures are sometimes referred to as digital fingerprints since they represent the original message in a unique manner.
Using digital signatures does not guarantee confidentiality since the message is sent as plaintext. To further guarantee confidentiality, instead of sending the plaintext message, it could be encrypted with the receiver's public key, a process illustrated in Figure 2.
Figure 2. Digital signatures with encryption
Digital signatures come in several algorithms, such as ElGamal signatures, RSA, or digital signature algorithm (DSA). Both ElGamal and RSA algorithms can be used for encryption and digital signatures. In contrast, DSA, part of the digital signature standard (DSS), can be used only for digital signatures and not for encryption. A separate algorithm for encryption has to be used in conjunction with DSA if encryption is desired.
Table 2 below concisely summarizes the characteristics of all the different cryptographic algorithms we have discussed so far and provides some examples in each category.
| Cryptographic Algorithm | Brief description | Security Property | Issues | Examples | Security Property |
| One-way hash functions | Produces a fixed-length unique signature | One-wayness of algorithm | Signature collisions | SHA, MD4, MD5 |
| Message authentication codes (MAC) | One-way function, using a key | One-wayness of algorithm | Signature collisions | HMAC | Authentication |
| Symmetric Ciphers | Encryption and decryption based on same key | Key length and algorithm | Key distribution | DES | Authentication, integrity, confidentiality |
| Asymmetric ciphers(public key cryptography) | Different keys (public and private) for encryption and decryption. Public key easily available. |
Key length, algorithm and difficulty of deducing private key from public key. | Trust issue | RSA, ElGamal | Authentication, integrity |
| Digital signatures | Message hashed and encrypted with sender's private key for authentication | One-wayness and key length | No confidentiality | DSA, RSA | Authentication, integrity |
| Digital signatures with encryption | Message signed and encrypted with receiver's public key | Signature, encryption algorithms, and key length | Trust issue | Combinations of digital signatures and ciphers | Authentication, integrity, and confidentiality |
Certificates
Since digital signatures depend on the integrity of the public keys, how can verifiers be sure that the public key they've obtained did not come from an imposter? Also, while digital signatures authenticate the sender, how can the receiver be sure of the sender's trustworthiness?
The answer to those questions lies in certificates. A mutually trusted third party or a certificate authority (CA) issues a certificate. The CA has more information about the user than merely the public key. Certificates contain, and an expiry date. The issuer signs the certificate with its private key. The implicit assumption in the process is that the CA's public key is widely available and genuine.
Public key certificates are based on the X.509 standard. Some examples of CAs include Verisign, Thawte (now owned by VeriSign), and Entrust. In Java, the javax.security.cert package provides certificate support.
Public key infrastructure
The relatively new public key infrastructure (PKI) has several meanings in different sources. One view states that PKI refers to trust hierarchy and public key certificates, while another view holds that it also encompasses encryption and digital signature services. PKI also addresses several key-related issues, including key registration, revocation, selection, recovery, and so on.
Security standards
Table 3 lists a number of standards, some of which are complementary, and some are orthogonal to the algorithms and standards mentioned earlier. Those standards serve the useful purpose of being able to provide security, using commercially available products.
| Protocol/Standard | Brief description | Relevant Algorithms |
| IPSec (IP Security) | Cryptography-based security at the IP datagram layer | DES, 3DES, DH, MD5, RSA, SHA-1 |
| OpenPGP (Open Pretty Good Privacy) | Security services for email and data files | DES, 3DES, DH, MD5, RSA, SHA-1 |
| PPTP (Point-to-Point Tunneling Protocol | Used to create Virtual Private Networks | DES, RSA |
| SET (Secure Electronic Transaction) | Secure credit card transactions | DES, HMAC-SHA1, RSA, SHA1 |
| S/MIME | Security at application level | DES, 3DES, MD5, RSA, SHA1 |
| Secsh (Secure Shell) | Secure remote access | DES, 3DES, RSA |
| SSL (secure dockets layer) and TLS (transport layer security) | Secure pipe at the application layer | DES, DH, RSA, SHA1 |
Other security considerations
Besides the concepts needed to understand the technologies behind security, good computer security requires that systems administrators:
- Know thy enemy
- Identify assumptions and weaknesses
- Control secrets
- Remember human factors
- Limit the scope of access
- Understand your environment
- Remember physical security
- Make security pervasive
Those factors are equally as important, if not more, as the technologies forming the foundation of security.
A closely related issue to security and cryptography is privacy, which deals with the rights and responsibilities that govern the acquisition, disclosure, and use of personal information. Privacy needs to be considered in the design of a software system in general and the security features in particular.
Conclusion
In this article I have attempted to demystify the terminology behind computer security in general. Admittedly, there is a lot of terminology to deal with, but the fundamental concepts are simple. Beyond computer security, we've looked at cryptography's importance to security and examined its main features.
In the next article in this series, we'll relate those concepts to Java and its role as a programming language for the Internet. We'll discuss the aspects of Java security, its evolution, and its unique challenges to computer security. Finally, we'll touch upon issues that affect applet security; that is, the relationship of browser security to Java applets.
About the author
Raghavan Srinivas is a Java technology evangelist at Sun Microsystems who specializes in Java and distributed systems. He is a proponent of Java technology and teaches graduate and undergraduate classes in the evening. He has spoken on a variety of technical topics at conferences around the world, and he is a member of the joint IETF/W3C working group on XML digital signatures (xmldsig). As a software developer for over 15 years, Raghavan worked for Digital Equipment before joining Sun. He has worked in several key technology areas, including the internals of VMS, Unix, and Windows NT platforms. Srinivas holds a master's degree in computer science from the Center of Advanced Computer Studies at the University of Southwestern Louisiana. He enjoys hiking, running, and traveling, but most of all he enjoys eating, especially spicy food.Read more about Tools & Methods in JavaWorld's Tools & Methods section.
- Feedback
More from JavaWorld
Resources
- "Java Security Evolution and Concepts," Raghavan N. Srinivas (JavaWorld):
- Part 1Learn computer security concepts and terms in this introductory overview (April 2000)
- Part 2Discover the ins and outs of Java security (July 2000)
- Part 3Tackle Java applet security with confidence (December 2000)
- Part 4Learn how optional packages extend and enhance Java security (May 2001)
- Part 5J2SE 1.4 offers numerous improvements to Java security (December 2001)
- JavaWorld's Java Bookstore security page can point you to numerous security-related books
http://www.javaworld.com/javaworld/books/jw-books-security.html - For comprehensive Java security information, read the Java Security API page at java.sun.com
http://java.sun.com/security - "Security on the Java PlatformRecent Developments and Future Directions," Li Gong. Slides from a JavaOne 1998 technical session
covering Java security
http://java.sun.com/javaone/javaone98/sessions/T101/index.htm - Java security information from JavaOne 1999
http://industry.java.sun.com/javaone/99/tracks/ - "Low Level Security in Java," Frank Yellin (java.sun.com)
http://java.sun.com/sfaq/verifier.html - Java-security@sun.com archives -- April 2000
http://archives.java.sun.com/archives/java-security.html - "Frequently Asked Questions -- Java Security" (java.sun.com)
http://java.sun.com/sfaq/ - "TrailSecurity in Java 2 SDK 1.2," Mary Dageforde (Java Developer's Connection)
http://web2.java.sun.com/docs/books/tutorial/security1.2/index.html - Secure Internet Programming, Princeton University's well regarded Website, dedicates itself to computer security, especially
mobile code such as Java
http://www.cs.princeton.edu/sip/ - The University of Washington's Kimera -- A System Architecture for Networked Computers Website
http://kimera.cs.washington.edu/ - For CERT advisories, a comprehensive list of security-related problems with suggested remedial action, see
http://www.cert.org/ - Applied CryptographyProtocols, Algorithms, and Source Code in C, 2nd ed., Bruce Schneier (John Wiley and Sons, 1996). A fascinating book on the science and politics of cryptography
http://www1.fatbrain.com/asp/bookinfo/bookinfo.asp?theisbn=0471128457 - Find information and news about the Advanced Encryption Standard (AES) by going to the AES Webpage
http://csrc.nist.gov/encryption/aes/ - RSA Labs' FAQ about today's cryptographyftp://ftp.rsasecurity.com/pub/labsfaq/labsfaq4.pdf
- X.509 standard for certificates
http://www.ietf.org/rfc/rfc2459.txt