|
|
Featured White Papers
Sponsored Links
-
Slow Apps? Overloaded DBMS? - FREE Download
FREE Download Feb 14 - March 7th Eliminate bottlenecks & maximize performance ScaleOut StateServer®
Java security evolution and concepts, Part 1: Security nuts and bolts
Learn computer security concepts and terms in this introductory overview
- Feedback
- Discuss
Java security evolution and concepts: Read the whole series!
- Part 1: Learn computer security concepts and terms in this introductory overview
- Part 2: Discover the ins and outs of Java security
- Part 3: Tackle Java applet security with confidence
- Part 4: Learn how optional packages extend and enhance Java security
- Part 5: J2SE 1.4 offers numerous improvements to Java security
This article, the first in a series, will cover the general concepts of computer security and cryptography. Although mobile code is not a revolutionary concept, Java and the Internet present some unique challenges to computer security. The evolution of Java architecture and its impact on security, the different security APIs and tools, and applet security will be covered in the subsequent articles.
This security series does not intend to provide a comprehensive guide to computer security. Computer security is a multifaceted issue touching several disciplines, departments, and cultures. Investments in technologies should be followed up with investments in personnel training, strict policy enforcement, and periodic review of the overall security policy.
Note: See the "Sidebar 1: Crypto Algorithm for the Twenty-first Century" for more on algorithm development and the "Sidebar 2: Does the Length of a Key Matter?" for a discussion on the importance of key length in security.
What is computer security?
To understand what computer security means in general, what security means in everyday life is worth considering. Some of the general rules for security in day-to-day life also apply to computer security, as we'll see.
The limits of computer security
Is there such a thing as absolute computer security? In a word, no. The term secure systems is a misnomer since it implies that systems are either secure or not. Security, in truth, is a trade-off. Given unlimited resources, any form of security can be broken. While more and more resources are becoming available to the attacker, in the real world those resources remain finite. With that in mind, we should design systems in such a way that the cost of breaking them would far outweigh the rewards.
End-to-end security
What is end-to-end security? In a multitier system, each tier should have its own security and work in tandem with the other tiers. Designing security where different systems and middleware come together is quite a challenge. Simply put, system security is only as strong as the weakest link and, unless you consider security from an end-to-end viewpoint, it is subject to being broken.
Simplicity
Will a complex security design work? It might seem that the best way to stop an unauthorized user might be to design a very complex security scheme, but that's not true. Not only will the cost of designing a complex security system be prohibitive, it might be so complex that legitimate users will try to find a way around it. Simple systems, on the other hand, are easier understood and better analyzed.
- Feedback
Resources
- "Java Security Evolution and Concepts," Raghavan N. Srinivas (JavaWorld):
- Part 1Learn computer security concepts and terms in this introductory overview (April 2000)
- Part 2Discover the ins and outs of Java security (July 2000)
- Part 3Tackle Java applet security with confidence (December 2000)
- Part 4Learn how optional packages extend and enhance Java security (May 2001)
- Part 5J2SE 1.4 offers numerous improvements to Java security (December 2001)
- JavaWorld's Java Bookstore security page can point you to numerous security-related books
http://www.javaworld.com/javaworld/books/jw-books-security.html - For comprehensive Java security information, read the Java Security API page at java.sun.com
http://java.sun.com/security - "Security on the Java PlatformRecent Developments and Future Directions," Li Gong. Slides from a JavaOne 1998 technical session
covering Java security
http://java.sun.com/javaone/javaone98/sessions/T101/index.htm - Java security information from JavaOne 1999
http://industry.java.sun.com/javaone/99/tracks/ - "Low Level Security in Java," Frank Yellin (java.sun.com)
http://java.sun.com/sfaq/verifier.html - Java-security@sun.com archives -- April 2000
http://archives.java.sun.com/archives/java-security.html - "Frequently Asked Questions -- Java Security" (java.sun.com)
http://java.sun.com/sfaq/ - "TrailSecurity in Java 2 SDK 1.2," Mary Dageforde (Java Developer's Connection)
http://web2.java.sun.com/docs/books/tutorial/security1.2/index.html - Secure Internet Programming, Princeton University's well regarded Website, dedicates itself to computer security, especially
mobile code such as Java
http://www.cs.princeton.edu/sip/ - The University of Washington's Kimera -- A System Architecture for Networked Computers Website
http://kimera.cs.washington.edu/ - For CERT advisories, a comprehensive list of security-related problems with suggested remedial action, see
http://www.cert.org/ - Applied CryptographyProtocols, Algorithms, and Source Code in C, 2nd ed., Bruce Schneier (John Wiley and Sons, 1996). A fascinating book on the science and politics of cryptography
http://www1.fatbrain.com/asp/bookinfo/bookinfo.asp?theisbn=0471128457 - Find information and news about the Advanced Encryption Standard (AES) by going to the AES Webpage
http://csrc.nist.gov/encryption/aes/ - RSA Labs' FAQ about today's cryptographyftp://ftp.rsasecurity.com/pub/labsfaq/labsfaq4.pdf
- X.509 standard for certificates
http://www.ietf.org/rfc/rfc2459.txt
About Us | Advertise | Contact Us | Terms of Service/Privacy
Copyright, 2006-2010 Infoworld, Inc. All rights reserved.
Java security evolution and concepts, Part 1: Security nuts and boltsBy Anonymous on May 7, 2009, 3:08 amexcellent artcile
Reply | Read entire comment
View all comments