Unit 8 Security

8/14/2019 Unit 8 Security

1/18

Unit -8(Security)

Introduction:When java first came into existence the excitement was not about a well-crafted

programming language but also about the possibility of safely executing appletsthat are delivered over internet. Obviously, delivering executable is applets ispractical only when the recipients are sure that the code cant wreak havoc ontheir machines. For this reason security was the major concern of both designersand the users of java technology. This means in java security mechanisms areimplemented as an integral part of java technology unlike the case with otherlanguages and systems where security was implemented as an afterthought or areaction to break-ins.Three mechanisms help ensure safety:

Language design features (bounds checking on arrays, legal type

conversions only, no pointer arithmetic).

An access control mechanism that controls what the code can do (such asfile access, network access).

Code signing, whereby code authors can use standard cryptographic

algorithms to authenticate java code. Then, the users of the code candetermine exactly who created the code & whether the code has beenaltered after it was signed.

When class files are loaded into the virtual machine, they are checked forintegrity. For maximum security, both the default mechanism for loading a classand a custom class need to work with a security managerclass that controlswhat actions code can perform.

Class LoadersA Java compiler converts source into the machine language of a hypotheticalmachine, called the virtual machine. The virtual machine code is stored in a classfile with a .class extension.Each class file contains the definition and implementation code forone class or interface. These class files must be interpreted by a program thatcan translate the instruction set of the virtual machine into the machine languageof the target machine.The virtual machine loads only those class files that are needed for the executionof a program. For eg, suppose program execution starts with MyProgram.class.Here are the steps that the virtual machine carries out. .1) The virtual machine has a mechanism for loading class files, for eg, byreading the files from disk or by requesting them from the Web; it uses thismechanism to load the contents of the MyProgram class file.2) If the MyProgram class has instance variables or superclasses of anotherclass type, these class files are loaded as well.3) The virtual machine then executes the main method in MyProgram.4) If the main method or a method that main calls requires additional classes,these are loaded next.

(Nikita Taneja) 1


2/18

The class loading mechanism doesn't just use a single class loader. Every Javaprogram has at least three class loaders:

The bootstrap class loader- The bootstrap class loader loads the

system classes(typically, from the JAR files rt.jar). it is an integral part of

the virtual machine(VM) and is usually implemented in C. there is noClassLoaderobject corresponding to the bootstrap class loader. Fro eg.

String.class.getClassLoader()return null.

The extension class loader- It loads the standard extensions from the

jre/lib/ext directory. You can drop jar files into that directory and theextension class loader will find the classes in the, even without any classpath.

The system class loader(also sometimes called the application class

loader) It loads the application classes. It locates classes in thedirectories and JAR/ZIP files on the class path, as set by the CLASSPATH

environment variable or the -classpath command line option.

In suns Java implementation, the extension and system class loaders areimplemented in Java.Class loaders have a parent/childrelationship. Every class loader except for thebootstrap class loader has a parent class loader. A class loader is supposed togive its parent a chance to load any given class and only load it if the parent hasfailed. For eg, when the system class loader is asked to load a system class (say,

java.util.ArrayList), then it first asks the extension class loader. That class loaderfirst asks the bootstrap class loader. The bootstrap class loader finds and loadsthe class in rt.jar, neither of the other class loaders searches any further.

Applets, servlets and RMI stubs are loaded with custom class loaders. You caneven write your own class loader for specialized purposes, that lets you carry outspecialized security checks before you pass the bytecodes to the vIrtualmachine. For example, you can write a class loader that can refuse to load aclass that has not been marked as paid for".

Using Class Loaders as NamespacesEvery Java programmer knows that package names are used to eliminate nameconflicts. There are two classes called Date in the standard library, but of coursetheir real names are java.util.Date and java.sql.Date.The simple name is only a

programmer convenience and requires the inclusion of appropriate importstatements. In a running program, all class names contain their package name.

You can have two classes in the same virtual machinethat have the same class and package. A class is determined by its full name andthe class loader. This technique is useful for loading code from multipIe sources.For example,

(Nikita Taneja) 2


3/18

a browser uses separate instances of the applet class loader class for each webpage. This allows the virtual machine to separate classes from different webpages, no matter what they are named.

Writing Your Own Class Loader

To write your own class loader, you simply extend the ClassLoader class andoverride the method.findClass(String classNarne)

The loadClassmethod of the ClassLoader superclass takes care of thedelegation to the parent and calls findClass only if the class hasn't already beenloaded and if the parent class loader was unable to load the class.Your implementation of this method must do the following:1) Load the bytecodes for the class from the local file system or from some othersource.2) Call the defineClassmethod of the ClassLoader superclass to present thebytecodes to the virtual machine.

Bytecode VerificationWhen a class loader presents the bytecodes of a newly loaded Java platformclass to the virtual machine, these bytecodes are first inspected by a verifier. Theverifier checks that the instructions cannot perform actions that are obviouslydamaging. All classes except for system classes are verified. You can, however,deactivate verification with the undocumented -noverify option.For eg,

java noverify HelloHere are some of the checks that the verifier carries out:

That variables are initialized before they are used That method calls match the types of object references.

That rules for accessing private data and methods are not violated

That local variable accesses fall within the runtime stack.

That the runtime stack does not overflow

If any of these checks fails, then the class is considered corrupted and will not beloaded.This strict verification is an important security consideration. Accidental errors,such as uninitialized variables, can easily wreak havoc if they are not caught. Inthe wide open world of the Internet, you must be protected against malicious

programmers who create evil effects on purpose. For eg, by modifying values onthe runtime stack or by writing to the private data fields of system objects, aprogram can break through the security system of a browser.After all, the compiler would never allow you to generate a class file in which anuninitialized variable is used or in which a private data field is accessed fromanother class.However, the bytecode format used in the class files is well documented.

(Nikita Taneja) 3


4/18

For eg. To construct such an altered class file we start with the programVerifierTest.java.This is a simple program that calls a method and displays themethod result. The program can be run both as a consoleprogram and as anapplet.The fun method itself just computes 1+ 2.

static int fun(){int m;int n;m= 1;n = 2;int r = m+ n;return r;

try to compile the following modification of this program:static int fun()

{int m= 1;int n;m= 1;m= 2;int r = m+ n;return r;

In this case, n is not initialized, and it could have any random value. The compilerdetects that problem and refuses to compile the program. First, run thejavapprogram to find out how the compiler translates the fun method. The command -

javap -c VerifierTestshows the bytecodes in the class file in mnemonic form.

Method int fun ()0 iconst_11 istore_02 iconst_23 istore_14 iload_05 iload_16 iadd7 istore_28 iload_29 ireturn

Using these mnemonic we can find out the actual cause of the problem and thanuse the hex editor that will give us the hexadecimal value corresponding to thesemnemonics.

(Nikita Taneja) 4


5/18


6/18

Java 2 platform securityLocal classes had full permissions, and remote classes were confined to thesandbox. Justlike a child that can only play in a sandbox, remote was onlyallowed to paint on the screen and interact with the user. The applet security

manager denied all access to a local resource. A security policy maps codesources topermission sets. (See fig. below)

A source code has two properties: the code location (for eg, an HTTP URL forremote code, or a file URL for local in a JAR file) & certificates. Certificatesimplies that how code can be certified by trusted parties.A permission is any property that is checked by a security manager. For

example, Filepermission p = new FilePermission("/tmp/* ", "read, write");

The above instance of the FilePermission class states that it is ok to read andwrite any file in the /tmp directory. Fig below shows the hierarchy of permissionclasses that are supplied with jdk 1.2

(Nikita Taneja) 6


7/18

Each class has a protection domain, an object that encapsulate both the codesource and the collection of permissions of the class.When the SecurityManager needs to check a permission it looks at the classes ofall methods currently on the call stack. It then gets the protection domains of allclasses and asks each protection domain if its permission collection allows

the operation that is currently being checked. Ifall domains agree, then the checkpasses. Otherwise, a securityException is thrown.

Security Policy Files

Earlier we discussed how the SecureClassLoader assigns permissions whenloading classes, that is by asking a Policy object to look up the permissions forthe code source of each class. We can install our own Policy class to carry outthe mapping from code sources to permissions.The standard policy reads policy files that contain instructions for mapping code

sources to permissions.Here is a policy file:

grant codeBase http://horstmann.com/classes {

permission java.io.Filepermission /tmp/* , read,write ;}

This file grants permission to read & write files in the /tmp directory to all codethat was downloaded from http://www.horstmann.com/classes.You can install policy files in standard locations. By default there are twolocations:1) The file java.policy in the Java platform home directory.

2) The file .java.policy in the user home directory.

Java applications by default do not install a security manager. Therefore, youwon't see the effect of policy files until you install one. You can add a line

System.setSecurityManager(new SecurityManager());Into your main method.

A policy file contains a sequence of grant entries. Each entry has the followingform:grant codesource{

permission 1;permission2;};

The code source contains a code base (which can be omitted if the entry appliesto code from all sources) and the names of trusted principals and certificatessigners(which can be omitted if signatures are not required for this entry)

The code base is specified as

(Nikita Taneja) 7
http://www.horstmann.com/classeshttp://www.horstmann.com/classeshttp://www.horstmann.com/classes


8/18

codeBase urlIf the URL ends in a /, then it refers to a directory. Otherwise, it is taken to be thename of a JAR file .For example,

grant codeBase www.horstmann.com/classes/{...};grant codeBase www.horstmann.com/classes/MyApp.jar{...};

Custom PermissionsIn this we discuss how we can supply our own permission class that users canrefer to in their policy files.To implement your permission class, you extend the Permission class and supplythe following methods:

A constructor with two String parameters, for the target and the action list .

String getActions()

boolean equals() int hashCode()

boolean implies(Permission other)

Permissions have an ordering, in which more general permissions reply morespecific ones. Consider the file permission

p1=new FilePermission(/tmp/-,read/write);This permission allows reading & writing of any file in the /tmp directory & any ofits subdirectories.A file permission p1 implies another file permission p2 if1) The target file set of p1 contains the target file set of p2.

2) The action set of p1 contains the action set of p2.

Implementation of a Permission ClassHere we implement a new permission for monitoring the insertion

of text into a text area. The program ensures that you cannot add bad wordssuch as sex, drugs, and C++ into a text area. We use a custom permission classso that the list of bad words can be supplied in a policy file.The following subclass of JTextArea asks the security manager whether it is okayto add new text.

Class WordCheckTextArea extends JTextArea

{Public void append(String text){

WordCheckPermission p= new WordCheckPermission(text, insert);SecurityManager manager=System.getSecurityManager();If(manager! =null) manager.checkPermission(p);Super.append(text);

}}

(Nikita Taneja) 8
http://www.horstmann.com/classes//http://www.horstmann.com/classes/MyApp.jar/http://www.horstmann.com/classes//http://www.horstmann.com/classes/MyApp.jar/


9/18

If the security manager grants the WordCheckPermission, then the text isappended. Otherwise, the checkPermission method throws an exception.Word check permissions have 2 possible actions: insert (the permission to inserta specific text) and avoid (the permission to add any text that avoids certain badwords). We should run this program with the following policy file:

grant{Permission WordCheckPermission= sex, drugs, C++, avoid;

}When designing the WordCheckPermission class, we must pay particularattention to the implies method. Here are the rules that control whetherpermission p1 implies permission p2.

1) If p1 has action avoid and p2 has action insert, then the target of p2 mustavoid all words in p1. for example, the permission

WordCheckPermission sex, drugs, C++, avoid

Implies the permission WordCheckPermission Mary had a little lamb ,insert

2) If p1 and p2 both have action avoid, then the word set of p2 must containall words in the word set of p1. for example, the permission

WordCheckPermission sex, drugs, avoid

Implies the permission WordCheckPermission sex, drugs, C++ ,avoid

3) If p1 and p2 both have action insert, then the text of p1 must contain thetext of p2. for example, the permission

WordCheckPermission Mary had a little lamb ,insertImplies the permission

WordCheckPermission a little lamb ,insert

A Custom Security Manager

We monitor file access by overriding the checkPermission method of thestandard security manager class. If the permission isn't a file read permission,then we simply call super.check-Permission. To check that it is permissible toread from a file, we open the file and scan its contents. We grant access to thefile only when it doesn't contain any of the forbidden words.public class WordCheckSecurityManager extends SecurityManager{

public void checkPermission(Permission p){

if (p instanceof FilePermission && p.getActions().equals("read"))

{String fileName = p.getName();if (containsBadWords(fileName))throw new SecurityException("Bad words in " + fileName);

}else super.checkPermission(p);

}. . .

}

(Nikita Taneja) 9


10/18

There is just one catch in our file check scenario. Consider one possible flow ofevents

A method of some class opens a file.

Then, the security manager springs into action and uses its

checkPermission method.

The checkPermission method calls the containsBadWords method.But the containsBadWords must itself read the file to check its contents, whichcalls the security manager again. This would result in an infinite regressionunless the security manager has a way of finding out in which context it wascalled. The getClassContext method is the way to find out how the method wascalled. This method returns an array of class objects that gives all the classeswhose calls are currently pending.The class at index 0 gives the currently executing call, but you only get to see theclasses, not the names of the pending methods.

Digital SignaturesApplets were what started the craze over the Java platform. Applets could not doa whole lot of useful stuff in the JDK 1.0 security model. For eg. because appletsunder JDK 1.0 were so closely supervised, they couldn't do much good on acorporate intranet, even though relatively little risk attaches to executing anapplet from your companys secure intranet.It quickly became clear to Sun that for applets to become truly useful, it wasimportant for users to be able to assign differentlevels of security, depending onwhere the applet originated.To give more trust to an applet, we need to know two things:1. Where did the applet come from?

2. Was the code corrupted in transit?Mathematicians and computer scientists have developed sophisticatedalgorithms for ensuring the integrity of data and for electronic signatures. The

java.security package contains implementations of many of these algorithms.

Message Digests

A message digest is a digital fingerprint of a block of data. A message digest hastwo essential properties:1. If one bit or several bits of the data are changed, then the message digestalso changes.

2. A forger who is in possession of a given message cannot construct a fakemessage that has the same message digest as the original.A number of algorithms have been designed to compute these message digests:The two best-known are SHA1, the secure hash algorithm developed by theNational Institute of Standards and Technology, andMD5, an algorithm invented by Ronald Rivest of MIT. Both algorithms scramblethe bits of a message in ingenious ways.

(Nikita Taneja) 10


11/18

The Java programming language implements both SHA1 and MD5. TheMessageDigest class is a factoryfor creating objects that encapsulate thefingerprinting algorithms. It has a static method, called getInstance, that returnsan object of a class that extends the MessageDigest class.This means the MessageDigest class serves double duty:

As a factory class As the superclass for all message digest algorithms.

For example, here is how you obtain an object that can compute SHAfingerprints.

MessageDigest alg = MessageDigest.getInstance("SHA-1");

Message Signing

Digital signatures can authenticate a message. When a message isauthenticated, you know:

The message was not altered.

The message came from the claimed sender.How digital signatures work:Public key cryptography is based on the notion of a public key and private key.The idea is that you tell everyone in the world your public key. However, only youhold the private key, and it is important that you safeguard it and don't release itto anyone else. The keys are matched by mathematical relationships, but it isbelieved to be practically impossible to compute one from the other. That is, eventhough everyone knows your public key, they can't compute your private key inyour lifetime, no matter how many computing resources they have available.There are two kinds of public/private key pairs: forencryptionand forauthentication.

If anyone sends you a message that was encrypted with your public encryptionkey, then you can decrypt it with your private decryption key, but nobody elsecan. Conversely, if you sign a message with your private authentication key, thenanyone else can verify the signature by checking with your public key. Theverification passes only for messages that you signed, and it fails if anyone elseused his or her key to sign the message.Many cryptographic algorithms, such as RSA and DSA (the Digital SignatureAlgorithm), use this idea. The exact structure of the keys and what it means forthem to match depend on the algorithm. For Eg:Suppose Alice wants to send Bob a message, and Bob wants to know thismessage came from Alice and not an impostor. Alice writes the message and

then signs the message digest with her private key. Bob gets a copy of her publickey. Bob then applies the public key to verifythe signature. If the verificationpasses, then Bob can be assured of two facts:

1. The original message has not been altered.2. The message was signed by Alice, the holder of the private key that matchesthe public key that Bob used for verification.

(Nikita Taneja) 11


12/18

Fig : Public key signature exchange with DSA

If someone steals Alice's private key or if a government can require her to turn itover, then she is in trouble. The thief or a government agent can impersonate herby sending messages, money transfer instructions, and so on, that others willbelieve came from Alice.Let us put the DSA algorithm to work. There are three algorithms:1. To generate a key pair.

2. To sign a message.3. To verify a signature.

Of course, you generate a key pair only once and then use it for signing andverifying many messages. To generate a new random key pair, make sure youuse truly random numbers.

Message AuthenticationSuppose you get a message from a stranger who claims to represent a famoussoftware company, urging you to run the program that is attached to the

message.The stranger even sends you a copy of his public key so you can verify that heauthored the message. You check that the signature is valid. This proves that themessage was signed with the matching private key and that it has not beencorrupted.Anyone could have generated a pair of public and private keys, signed themessage with the private key, and sent the signed message and the public key to

(Nikita Taneja) 12


13/18

you. The problem of determining the identity of the sender is called theauthentication problem.The usual way to solve the authentication problem is simple. Suppose thestranger and you have a common acquaintance you both trust. Suppose thestranger meets your acquaintance in person and hands over a disk with the

public key. Your acquaintance later meets you, assures you that he met thestranger and that the stranger indeed works for the famous software company,and then gives you the disk. (see fig below) That way, your acquaintancevouches for the authenticity of the stranger.

Fig: authentication through a trusted intermediary

Infact, your acquaintance does not actually need to meet you. Instead, he can

apply his private signature to the strangers public key file (see fig below)

(Nikita Taneja) 13


14/18

Fig :Authentication through a trusted intermediary's signature

When you get the public key file, you verify the signature of your acquaintance,and because you trust him, you are confident that he did check the stranger'scredentials before applying his signature.

You will often encounter digital signatures that are signed by one or more entitieswho will vouch for the authenticity, and you will need to evaluate to what degreeyou trust the authenticators.

Code SigningOne of the most important uses of authentication technology is signingexecutable programs.If you download a word processing program, you might want to grant it access toyour printer and to files in a certain subdirectory. However, you may not want togive it the right to make network connections, so that the program cant try to

send your files to a third party without your knowledge. To implement thissophisticated scheme:1) Use authentication to verify where the code came from.2) Then, run the code with a security policy that enforces the permission that youwant to grant the program, depending on its origin.

(Nikita Taneja) 14


15/18

JAR File SigningThere are two scenarios to sign applets and web start applications for use withthe java plug-in software:

1. Delivery in an intranet- In thissystem administrator installs certificatesand policy files on local machines. Whenever the Java Plug-in tool loads

signed code, it consults the keystore for signatures and policy file for thepermissions. Whenever a new program is created or an existing one isupdated, it must be signed and deployed on the webserver.

2. Delivery over the public Internet- In this software vendors obtaincertificates that are signed by certificate authorities such as VeriSign.When an end user visits a website that contains a signed applet, a pop-updialog box identifies the software vendor and gives the end user twochoices :to run the applet with full privileges or to confine it to sandbox.

Encryption

Earlier we discussed an important cryptographic technique that is implemented inthe java security API, namely authentication through digital signature. Asecond important aspect of security is encryption. When information isauthenticated, the information itself is plainly visible. The digital signature merelyverifies that the information has not been changed. In contrast, when informationis encrypted, it is not visible. It can only be decrypted with a matching key.Authentication is sufficient for code signingthere is no need for hiding the code.However, encryption is necessary when applets or applications transferconfidential information, such as credit card numbers and other personal data.

Symmetric Ciphers

The idea of encrypting the message is to change the message intomeaningless form of text called cipher text that will be meaningless to who everintercepts. There are many different ciphers with different algorithms. One of themost known ciphers is the symmetric cipher. The symmetric cipher has a key thatboth the sender and the receiver will keep. The sender uses that key to encryptthe message. The receiver also uses the same key to decrypt the message.Before the message is encrypted it is called plaintext, and it is called ciphertextafter it is encrypted. Plaintext is written with small letters while the ciphertext iswritten with capital letters.

Advantages Disadvantages

Relatively short key size Relatively short lifetime of the key High data throughput Key must remain secret at both ends

The java cryptographic extensions contains a class Cipherthat is the super classfor all encryption algorithms. You can get a cipher object by calling thegetInstance method:

(Nikita Taneja) 15


16/18

Cipher cipher=Cipher.getInstance(algorithmName);OrCipher cipher=Cipher.getInstance(algorithmName, providerName);

The symmetric cipher is one of the oldest ciphers the humans invented, and it

goes back as far back as Ceasar. Here we will talk about the Shift cipher, whichis symmetric cipher

Shift Cipher

Shift cipher encrypts by shifting each plaintext letter by amount (the key)known only by the sender and the authorized recipient. Characters shifted off theend are wrapped around.

For example, shift the plaintext my dog has fleas by 2 letters to becomethe ciphertext as follows

OA FQI JCU HNGCU

In above example, y got pushed off the end and then wrapped back tobecome a.

Shift cipher attack

Shift cipher is bad because it has only 25 possible keys. An attacker caneasily do the decryption operation with all the 25 possible keys and choose thedecryption which makes sense, and since there are 25 possible keys the averagesteps for the attacker to decrypt a message is 13. For example, if an attackerwants to decrypt the following messageYUNWCHXOBDWBQRWNJUUMJH.

He or she needs to chop off the first few letters of the ciphertext and shiftbackward until the attacker sees a message that makes sense.

1. yunwch2. xtmvbg3. wsluaf4. vrktze5. uqjsyd6. tpirxc7. sohqwb8. rngpva9. qmfouz

10.plentySince we see that the last one looks like an english word we will finish

decrypting with key = 9. plenty of sun shine all day

(Nikita Taneja) 16


17/18

Public-key ciphers

The primary problem with symmetric ciphers is not their security but with keyexchange. Once the sender and receiver have exchanged keys, that key can beused to securely communicate, but what secure communication channel was

used to communicate the key itself? In particular, it would probably be mucheasier for an attacker to work to intercept the key than it is to try all the keys inthe key space. Another problem is the number of keys needed. If there are npeople who need to communicate, then n(n-1)/2 keys are needed for each pair ofpeople to communicate privately. This may be ok for a small number of peoplebut quickly becomes unwieldly for large groups of people.

Public-key ciphers were invented to avoid the key-exchange problem entirely. Apublic-key cipher uses a pair of keys for sending messages. The two keys belongto the person receiving the message. One key is a public key and may be givento anybody. The other key is a private key and is kept secret by the owner. A

sender encrypts a message using the public key and once encrypted, only theprivate key may be used to decrypt it.

This protocol solves the key-exchange problem inherent with symmetric ciphers.There is no need for the sender and receiver to agree upon a key. All that isrequired is that some time before secret communication the sender gets a copyof the receiver's public key. Furthermore, the one public key can be used byanybody wishing to communicate with the receiver. So only n keypairs areneeded forn people to communicate secretly with one another,

Public-key ciphers are based on one-way trapdoor functions. A one-way function

is a function that is easy to compute, but the inverse is hard to compute. Forexample, it is easy to multiply two prime numbers together to get a composite,but it is difficult to factor a composite into its prime components. A one-waytrapdoor function is similar, but it has a trapdoor. That is, if some piece ofinformation is known, it becomes easy to compute the inverse. For example, ifyou have a number made of two prime factors, then knowing one of the factorsmakes it easy to compute the second. Given a public-key cipher based on primefactorization, the public key contains a composite number made from two largeprime factors, and the encryption algorithm uses that composite to encrypt themessage. The algorithm to decrypt the message requires knowing the primefactors, so decryption is easy if you have the private key containing one of thefactors but extremely difficult if you do not have it.

As with good symmetric ciphers, with a good public-key cipher all of the securityrests with the key. Therefore, key size is a measure of the system's security, butone cannot compare the size of a symmetric cipher key and a public-key cipherkey as a measure of their relative security.

(Nikita Taneja) 17


18/18

Branch Name: CSE/ITSubject: Advance Java (CSE-404-E)

Session-2009

UNIT-8 (Security)

Lecture-27 to 30

Lecture Content

27) Class Loader

Writing your own Class Loader

Bytecode Verification

28) Security Managers & Permissions Java2 platform security

Policy Files

Custom Permission

29) Digital Signatures

Message Digests

Message Signing

Message Authentication

30) Code Signing & Encryption JAR File Signing

Ciphers

Submited By:Nikita Taneja

(Nikita Taneja) 18

Unit 8 Security

Documents

Transcript of Unit 8 Security