Newsletter sign-up
View all newsletters

Enterprise Java Newsletter
Stay up to date on the latest tutorials and Java community news posted on JavaWorld

Sponsored Links

Optimize with a SATA RAID Storage Solution
Range of capacities as low as $1250 per TB. Ideal if you currently rely on servers/disks/JBODs

JavaWorld.com > Java Development Tools >

Java security evolution and concepts, Part 2

Discover the ins and outs of Java security

By Raghavan N. Srinivas, JavaWorld.com, 07/28/00

  • Print
  • Feedback
.

Page 6 of 6

grant signedBy "Duke" {
    permission java.io.FilePermission "/tmp/*", "read,write";
};


The entry shown below would provide unrestricted access -- clearly not desirable from a security viewpoint.

grant {
    // Allow everything for now
    permission java.security.AllPermission;
};


Many classes provide a Service Provider Interface (SPI) for providers to plug in their implementations. Examples include MessageDigest, Signature, KeyPairGenerator, and so on.

The MessageDigest class supports the MD5 and SHA algorithms. The getInstance() method is invoked to select the appropriate algorithm. The method update() is called to ready the input buffer, while the digest() method generates a message digest, the size of which (in this case, 128 bits, or 16 bytes) depends on the algorithm (in this case, MD5). The same digest() method would generate 160 bits (20 bytes) for the digest if the SHA algorithm was used. The code below is a complete application used to generate a message digest. 

// Simple application that generates a Message Digest
import java.security.*;
import java.io.*;
public class md5 {
    public static void main(String args[]) {
        try {
        if (args.length != 1) {
            System.out.println("Usage: java md5 < some_string >");
            System.exit(1);
        }
        // Create an output file "digest"
        FileOutputStream digestStream = new FileOutputStream("digest");
        // Use the MD5 algorithm. SHA will work as well
        MessageDigest md=MessageDigest.getInstance("MD5");
        byte buf[] = args[0].getBytes();
        // Update the data and digest it
        md.update(buf);
        digestStream.write(md.digest());
        } catch (Exception e) {
            System.out.println(e);
        }
    }
}


The Signature class supports digital signatures. The signature algorithm can be, for example, DSA (digital signature algorithm), with SHA-1 (secure hashing algorithm) as the hashing algorithm. (See Part 1 of this series for more on algorithms). The DSA algorithm using the SHA-1 message digest algorithm can be specified as SHA1withDSA. In the case of RSA, there are multiple message digest algorithms possible, so the signing algorithm could be, for example, MD2withRSA, MD5withRSA, or SHA1withRSA. The algorithm name must be specified, as there is no default. Fragments of code to generate a signature are illustrated here: 

    // Use SHA-1 as the hashing algorithm with DSA
    Signature sig = Signature.getInstance("SHA1withDSA", "SUN");
    // Initialize with private key
    sig.initSign(privKey);
      // Update the buffer with the message
      sig.update(buffer, 0, len);
      // Generate the signature
      String sigString = sig.sign();


Fragments of code to verify the signature are illustrated here: 

    // Use SHA-1 as the hashing algorithm with DSA
    Signature sig = Signature.getInstance("SHA1withDSA", "SUN");
    // Initialize with public key
    sig.initVerify(pubKey);
      // Update the buffer with the message
      sig.update(buffer, 0, len);
      // Verify the signature
      boolean verifies = sig.verify(sigToVerify);


Notice that the signature is generated with the private key and verified with the public key. For more code samples, see Mary Dageforde's tutorial in Resources.

Wrap it up: java.security.cert, java.security.interfaces, and java.security.spec

The java.security.cert package deals with certificates. It provides, for instance, an abstract class to import, generate, and verify X.509 certificates. The java.security.interfaces package is a set of interfaces used to generate DSA and RSA key pairs. Finally, the java.security.spec package may be used to control the parameters for various algorithms, like DSA or RSA, and their corresponding keys.

Conclusion

In this article, we saw the different aspects of Java security, starting with its evolution. We looked at the different components of Java 2 Security and saw how they work together to support the design of a flexible policy.

In my next installment of this series, I'll discuss Java security extensions and the tools available as part of the platform. Finally, I'll touch on issues that affect applet security -- that is, the relationship of browser security to Java applets.

About the author

Raghavan Srinivas, a Java technology evangelist at Sun Microsystems, specializes in Java and distributed systems. He is a proponent of Java technology and teaches graduate and undergraduate classes in the evening. He has spoken on a variety of technical topics at conferences around the world, and is a member of the joint IETF/W3C working group on XML Digital Signatures (xmldsig). A software developer for over 15 years, Srinivas worked for Digital Equipment Corporation before joining Sun. He has worked in several key technology areas, including the internals of VMS, Unix, and Windows NT platforms. Srinivas holds a master's degree in computer science from the University of Southwestern Louisiana's Center of Advanced Computer Studies. He likes hiking, running, and traveling, but most of all loves to eat, especially spicy food.

Read more about Tools & Methods in JavaWorld's Tools & Methods section.

  • Print
  • Feedback

Resources
  • JavaWorld security-related articles and resources
  • java.sun.com security-related resources
  • Useful security-related books, documentation, and Websites