In the previous article we explored JDK built in security mechanisms which includes a secure class loading and verification system that ensures the execution of only legitimate Java code. In this second instalment we are exploring how java provides security with libraries and APIs.
Java’s security extends beyond the platform itself. It provides a comprehensive set of APIs and tools covering cryptography, authentication, secure communication, and more, empowering developers to build robust security into their applications.
Developers receive a comprehensive framework for secure coding, while users and administrators benefit from tools for secure application management.
Java Cryptography Architecture (JCA)
JCA (Java Cryptography Architecture) is one of the most important Java security libraries. It provides a provider-based architecture, meaning developers can leverage different security implementations.
Additionally, JCA offers a rich set of APIs for various security functionalities, including:
- Digital signatures: Signing data to ensure authenticity and origin.
- Message digests (hashes): Creating unique fingerprints of data for verification.
- Certificates and validation: Managing digital certificates used for secure communication and verifying their legitimacy.
- Encryption: Encrypting data for confidentiality using various algorithms (symmetric/asymmetric, block/stream ciphers) depending on the specific need
These APIs allow developers to easily integrate security into their application code.
Some of the principles upon which JCA is implemented include: Implementation independence, interoperability, algorithm independence and extensibility
Developers can use cryptographic services, such as digital signatures and message digests, without worrying about the implementation details or even the algorithms that form the basis for these concepts.
Public Key Infrastructure(PKI)
Public Key Infrastructure (PKI) is a term used for a framework that enables secure exchange of information based on public key cryptography.
PKI establishes a trust framework in the digital world. It binds real-world identities to digital certificates issued by trusted authorities and offers a mechanism to verify the certificates’ authenticity.
The classes related to PKI are located in the java.security and java.security.cert packages.
The Java platform provides for long-term persistent storage of cryptographic keys and certificates via key and certificate stores.
The java.security.KeyStore class represents a key store, a secure repository of cryptographic keys and/or trusted certificates.
The java.security.cert.CertStore class represents a certificate store in Java. These stores are public repositories, meaning anyone can potentially add certificates to them. They can also be vast, holding a large number of certificates, and the certificates within a single store might not be related or necessarily trusted.
The Java platform includes a special built-in key store, cacerts, that contains a number of certificates for well-known, trusted CAs. The keytool utility is able to list the certificates included in cacerts.
There are two built-in tools for working with keys, certificates, and key stores:
- keytool creates and manages key stores, acts as a personal vault for your cryptographic keys and certificates in the Java ecosystem. It empowers developers and administrators to create, manage, and utilize these essential security elements within their applications.
- jarsigner signs JAR files and verifies signatures on signed JAR files. Signing a JAR file with a trusted certificate acts like a digital seal. It allows the recipient to verify that the JAR originated from a specific source (the certificate owner) and hasn’t been tampered with during transmission. This is crucial for preventing malware or unauthorized code from being introduced into the system disguised as a legitimate application.
Java Secure Socket Extension (JSSE)
The Java Secure Socket Extension (JSSE) enables secure Internet communications.
Developers can use it to build secure connections for any type of application (web, file transfer, remote access) on a server. This secure communication happens over the standard internet protocol (TCP/IP)
JSSE hides the complex technical aspects of secure communication, so developers can focus on building the core functionality of their applications without worrying about making mistakes that could create security vulnerabilities.
SSE provides both an application programming interface (API) framework and an implementation of that API.
The JSSE standard API, available in the javax.net and javax.net.ssl packages, extends the core network and cryptographic services defined by the java.security and java.net packages by providing extended networking socket classes, trust managers, key managers, SSL contexts, and a socket factory framework for encapsulating socket creation behavior.
Authentication and Authorization Service (JAAS)
JAAS enables you to authenticate users and securely determine who is currently executing Java code, and authorize users to ensure that they have the access control rights, or permissions, required to do the actions performed.
- for authentication of users, to reliably and securely determine who is currently executing Java code, regardless of whether the code is running as an application, an applet, a bean, or a servlet; and
- for authorization of users to ensure they have the access control rights (permissions) required to do the actions performed.
Authentication verifies the identity of someone trying to access something. They might prove it with a secret they know (like a password) or something only they can create (like a signed message with a private key).
Applications use JAAS to identify who’s requesting access (the “subject”). This could be a person logging in or another program. Only after verifying the identity does the application grant access to resources.
Once a Subject is authenticated, it is populated with associated identities, or Principals. A Subject may have many Principals.
In addition to associated Principals, a Subject may own security-related attributes, which are referred to as credentials.
We can think of a credential as a digital ID card. It holds information that lets new services verify who you are. This information could be a password, a special ticket (like a Kerberos ticket), or even a digital certificate.
XML Digital Signature API
XML Signatures aren’t just for XML documents! They can be used to digitally sign any kind of data, like text files, images, or even other programs. The data you want to sign is identified using special references within the XML Signature itself.
The Java XML Digital Signature API is a standard Java API for generating and validating XML Signatures.
XML Signatures are described in one or more of three forms: detached, enveloping, or enveloped. A detached signature is over data that is external, or outside of the signature element itself. Enveloping signatures are signatures over data that is inside the signature element, and an enveloped signature is a signature that is contained inside the data that it is signing.
Java protects your applications from bad actors! It automatically checks XML signatures for hidden dangers that could crash your programs or compromise security.
Conclusion
By understanding Java security libraries and utilizing their functionalities effectively, developers can implement robust security measures in their applications for a more secure and trustworthy user experience.
JAAS defines a framework for authentication and authorization within applications
JSSE enables secure communication between applications over networks
XML security offers secure validation mode to protect against malicious XML signatures.
In conclusion, Java security APIs empower developers to build secure and trustworthy applications. By understanding and utilizing these APIs effectively, developers can create applications that protect user privacy, ensure data integrity, and maintain secure communication channels.
There are, however, important considerations to keep in mind:
While JCA provides powerful APIs, understanding core cryptographic concepts helps developers use them effectively. Security APIs are powerful tools, but secure coding practices are still essential for building truly secure applications.