International Technical Support Organization
http://www.redbooks.ibm.com
Java 2 Network Security
Marco Pistoia, Duane F Reller
Deepak Gupta, Milind Nagnur, Ashok K Ramani
Foreword by Li Gong
Distinguished Engineer and Chief Java Security Architect
Sun Microsystems, Inc.
June 1999
SG24-2109-01
International Technical Support Organization
© Copyright International Business Machines Corporation 1997, 1999. All rights reserved.
Note to U.S. Government Users – Documentation related to restricted rights – Use, duplication or disclosure is subject to restrictions set forth in GSA ADP Schedule Contract with IBM Corp.
Second Edition (June 1999)
This edition applies to Java 2 SDK, Standard Edition, V1.2.
Comments may be addressed to:
IBM Corporation, International Technical Support Organization
Dept. HZ8, Building 678
P.O. Box 12195
Research Triangle Park, NC 27709-2195
When you send information to IBM, you grant IBM a non-exclusive right to use or distribute the information in any way it believes appropriate without incurring any obligation to you.
Take Note! Before using this information and the product it supports, be sure to read the general information in Appendix F, “Special Notices” on page 659.
Foreword
As the person who led the JavaSoft team that developed the Java security technology discussed in this book, it is extremely gratifying to see people spend their precious time writing about our technology and products. Every engineer’s dream is to have his or her technology deployed and used by thousands of others, and this book is a great help to Java developers who write security-aware applications.
Security is a difficult subject to write about. On the one hand, security is in people’s daily consciousness so that it appears easy to get across (to the reader) some of the basic concepts. On the other hand, security applied to computer and networking is often subtle and unexpected. Security also is pervasive in that it touches all aspects of the computing technology, including hardware, software, operating system, software libraries, communication software, networking infrastructure, application software, user interface, and management software. In order to understand security in any situation, one has to understand the entire system under consideration as well as each individual component so that one can identify their strengths and weaknesses and design the appropriate solutions.
Java security is one of the more recent additions to the family of security technologies. Ever since Sun Microsystems announced Java technology in the spring of 1995, there has been strong and growing interest (in industry, research laboratories, and academia) around the security of the Java platform as well as new security issues raised by the deployment of Java technology. Such close attention being paid to security is almost unprecedented in that new computing technologies normally ignore security considerations when they emerge initially. Most of them remain unsecured forever. In the few cases where efforts are made to secure them later, the efforts are typically not very successful because retrofitting security is usually very difficult, if possible at all, and often causes backward compatibility problems.
Therefore, it is extremely fortunate that the Java technology had security as a primary design goal from the very beginning. (Hats off to the original Java development team. I joined JavaSoft only in 1996.) Although the initial security model was very simplistic, it enabled later improvements in the security architecture.
The Java language is a general-purpose object-oriented programming language and is specifically designed to be platform independent so that application developers can write a program once and then run it securely everywhere on the Internet. To achieve this platform independence, a Java program is compiled to a bytecode instruction set and binary format defined in the Java Virtual Machine Specification. The Java platform consists of the Java language and its associated tools (such as compilers), together with the Java Virtual Machine (JVM) and its associated libraries that define a rich set of application programming interfaces (APIs).
Security for the Java platform has multiple layers. First of all, the Java language is strongly typed and does not include any unsafe constructs, such as array accesses without index checking, because such unsafe constructs may result in unspecified and unpredictable program behavior that can lead to security compromises. Type safety is checked both at the time a piece of bytecode is loaded into the JVM and throughout the lifetime of the bytecode (that is, during run time) until it is no longer used and garbage collected. Second, mechanisms (for example, class loaders) are in place to ensure a sufficient degree of separation between multiple Java programs so that they do not interfere with each other in undesirable ways.
Third, access to crucial system resources is mediated by the JVM. A security manager is installed to deny all requests for unauthorized access. The access control model, in the initial release of the Java Development Kit (JDK 1.0), was to grant full access to local code (that is, trust such code and let it do anything it wants) and to grant very restricted access to code loaded over the network because such code (often referred to as applets) may not be trusted. JDK 1.1 introduced a notion of trusted applets and granted full access to these applets. The latest release, JDK 1.2 (also called Java 2), incorporates a new security architecture that supports policy-driven, fine-grained, flexible, and extensible access control. (For design rationales of this architecture, as well as difficulties and subtleties we encountered during JDK 1.2 development, please refer to my book Inside Java 2 Platform Security.)
On top of type safety and access control, there are the Java Cryptography Architecture (implemented in JDK 1.2 and in the Java Cryptography Extension 1.2), support for secure communication (the Java Secure Socket Extension), and a framework for user-based authentication and access control (the Java Authentication and Authorization Service). These technologies are at various stages in the development and release cycle. Finally, applications can provide their own specific security features and can customize security features that are built into the Java platform.
Our colleagues at IBM, among other industrial partners, have been closely involved with the recent development of Java security technology. They have supported our efforts in many ways, and have provided excellent technical suggestions. This latest book from IBM is a comprehensive guidebook that provides the programmer/reader with well-organized details of the Java security APIs and their usage. The book is also broad in its coverage of the wider security context and related issues.
I am very excited to see such a good book being published on Java security. It will contribute greatly toward making the Java platform the most popular deployment environment for secure computing.
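The following is an added example that is not part of the foreword or of the book's own code. It exercises the Java 2 "policy-driven, fine-grained" access control the foreword describes, but through the java.security API directly rather than through a policy file and an installed security manager, so that the effect of one grant can be observed in isolation. The code base "file:/opt/app/-" and the paths under /var/data are constructed for illustration. The classes used (ProtectionDomain, Permissions, AccessControlContext) are the JDK 1.2 ones; they were deprecated for removal in JDK 17 and the Security Manager was permanently disabled in JDK 24, so run this on an earlier JDK.

```java
// Added example (not from the book or the foreword): the Java 2 access control
// model driven by an explicit permission grant, using the JDK 1.2 java.security API.
import java.io.FilePermission;
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.CodeSource;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

public class FineGrainedAccessDemo {

    // Equivalent Java 2 policy-file entry (hypothetical code base, constructed here):
    //
    //   grant codeBase "file:/opt/app/-" {
    //       permission java.io.FilePermission "/var/data/-", "read";
    //   };
    //
    // The same grant built in code: a protection domain carrying exactly the
    // permissions the policy would assign to that code source, and nothing else.
    static AccessControlContext domainWith(Permission[] granted) {
        PermissionCollection perms = new Permissions();
        for (Permission p : granted) {
            perms.add(p);
        }
        // A null location: the origin of the code is not being keyed on in this demo.
        CodeSource source = new CodeSource(null, (Certificate[]) null);
        ProtectionDomain domain = new ProtectionDomain(source, perms);
        return new AccessControlContext(new ProtectionDomain[] { domain });
    }

    // The decision the security manager makes on the JVM's behalf: a request is
    // allowed only if every domain on the context implies the requested permission.
    static boolean isAllowed(AccessControlContext context, Permission requested) {
        try {
            context.checkPermission(requested);
            return true;
        } catch (AccessControlException denied) {
            return false;
        }
    }

    public static void main(String[] args) {
        AccessControlContext dataReader = domainWith(new Permission[] {
            // "-" covers the directory and everything below it, recursively
            new FilePermission("/var/data/-", "read")
        });

        Permission[] requests = {
            new FilePermission("/var/data/report.txt", "read"),   // inside the granted tree: granted
            new FilePermission("/var/data/2024/q1.csv", "read"),  // nested deeper: still granted
            new FilePermission("/var/data/report.txt", "write"),  // right path, wrong action: denied
            new FilePermission("/etc/passwd", "read"),            // outside the tree: denied
        };

        for (Permission request : requests) {
            System.out.println(request + " -> " + (isAllowed(dataReader, request) ? "granted" : "denied"));
        }
    }
}
```

The point to notice is that the grant is keyed on what the code is permitted to do with a specific resource, not on whether the code is local or remote: the same domain is refused a write to the very file it may read, which is the distinction JDK 1.0's all-or-nothing sandbox could not express.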
Contents
Foreword 3
Preface xvii
The Team That Wrote This Redbook xvii
Comments Welcome xix
Part 1 Introduction to Java and Security 1
Chapter 1 An Overview of Java and Security 3
1.1 Java Is Not Just a Language 3
1.2 What Java Does 3
1.3 Java Is Not an Island: Java as a Part of Security 5
1.3.1 Safety and Security 7
1.3.2 Java as an Aid to Security 8
1.3.3 Java as a Threat to Security 9
1.3.4 Writing Secure Java 10
1.3.5 Staying One Jump Ahead 11
1.3.6 The Vigilant Web Site 12
1.4 Understanding Java 2 Security 12
1.4.1 An Example of Applet Security in Java 2 14
1.4.2 An Example of Application Security in Java 2 26
1.5 Summary 33
Chapter 2 Attack and Defense 35
2.1 Components of Java 35
2.1.1 The Development Environment 36
2.1.2 The Execution Environment 44
2.1.3 Interfaces and Architectures 50
2.2 Java 2 and Cryptography 53
2.2.1 Cryptographic Tools in Brief 54
2.2.2 Java Cryptography Architecture 56
2.2.3 United States Export Rules for Encryption 57
2.2.4 Signed Code 58
2.2.5 The Other Side of the Coin – Access Control 59
2.3 Attacking the World of Java 59
2.3.1 Perils in the Life of Remote Code 59
2.3.2 Vulnerabilities in Java Applications 66
2.4 Summary 68
Chapter 3 The New Java Security Model 69
3.1 The Need for Java Security 69
3.2 Evolution of the Java Security Model 70
3.2.1 The JDK 1.0 Sandbox Security Model 70
3.2.2 The Concept of Trusted Code in JDK 1.1 72
3.2.3 The Fine-Grained Access Control of Java 2 74
3.2.4 A Comparison of the Three Java Security Models 78
3.3 Java 2 Protection Domain and Permissions Model 80
3.4 New Class Search Path 83
3.4.1 Boot Class Path 84
3.4.2 Extensions Framework 86
3.4.3 Application Class Path 88
3.4.4 Class Search Paths in Summary 89
3.5 Java 2 Class Loading Mechanism 89
3.5.1 Run-Time Access Controls 91
3.6 The Policy File 93
3.6.1 The Default System-Wide Policy File 96
3.7 Security Manager vs Access Controller 98
3.8 Security Management with Java 2 98
3.8.1 Applying a Security Manager to Applets and Applications 99
3.8.2 Applying a User-Defined Security Policy 99
3.8.3 Java Security Debugging 100
3.9 Summary 106
Part 2 Under the Hood 107
Chapter 4 The Java Virtual Machine 109
4.1 The Java Virtual Machine, Close Up 109
4.1.1 The Class Loader 110
4.1.2 The Class File Verifier 112
4.1.3 The Heap 112
4.1.4 The Class Area 112
4.1.5 The Native Method Loader 113
4.1.6 The Security Manager 113
4.1.7 The Execution Engine 113
4.1.8 Just-in-Time Compilers 113
4.2 Summary 115
Chapter 5 Class Files in Java 2 117
5.1 The Traditional Development Life Cycle 117
5.2 The Java Development Life Cycle 119
5.3 The Java 2 Class File Format 124
5.3.1 Decompilation Attacks 126
5.4 The Constant Pool 129
5.4.1 Beating the Decompilation Threat 134
5.5 Java Bytecode 136
5.5.1 A Bytecode Example 136
Chapter 6 The Class Loader and Class File Verifier 145
6.1 Class Loaders 145
6.1.1 Loading Classes from Trusted Sources 146
6.1.2 Loading Classes from Untrusted Sources 147
6.1.3 Beyond What the JVM Provides 148
6.1.4 The Class Loading Process 150
6.1.5 Should You Build Your Own Class Loader 155
6.2 The Class File Verifier 168
6.2.1 An Example of Class File Verification 169
6.2.2 The Duties of the Class File Verifier 175
6.2.3 The Four Passes of the Class File Verifier 176
6.3 The Bytecode Verifier in Detail 180
6.3.1 The Data Flow Analyzer 181
6.4 An Incompleteness Theorem for Bytecode Verifiers 183
6.5 Summary 184
Chapter 7 The Java 2 SecurityManager 187
7.1 What SecurityManager Does 187
7.2 Operation of the Security Manager 190
7.2.1 Interdependence of the Three JVM Security Elements 192
7.3 Attacking the Defenses of Java 192
7.3.1 Types of Attack 193
7.3.2 Malicious Applets 195
7.4 Avoiding Security Hazards 204
7.4.1 How to Test 205
7.5 Examples of Security Manager Extensions 206
7.5.1 First Example – Overriding checkWrite() 206
7.5.2 Second Example – Overriding checkPermission() 211
7.5.3 Third Example – Overriding checkRead() and checkWrite() 218
7.6 Summary 224
Chapter 8 Security Configuration Files in the Java 2 SDK 225
8.1 A Note on java.home and the JRE Installation Directory 225
8.2 Keystores 230
8.2.1 The Certificates KeyStore File cacerts 233
8.3 The Security Properties File, java.security 234
8.4 Security Policy Files 242
8.4.1 keystore Entry 242
8.4.2 grant Entries 243
8.5 An Example of Security Settings in the Java 2 Platform 248
8.5.1 The Count Application Source Code 248
8.5.2 A Sample Text File 249
8.5.3 Compiling the Application 249
8.5.4 Running the Application without a Security Manager 250
8.5.5 Running the Application with the Default Security Manager 250
8.5.6 Policy File Modification 250
8.6 File Read Access to Files in the Code Base URL Directory 252
8.7 Security Properties and Policy File Protection 252
8.8 How to Implement a Policy Server 252
Chapter 9 Java 2 SDK Security Tools 259
9.1 Key and Certificate Management Tool 259
9.1.1 keytool Syntax 259
9.1.2 Store and Private Key Password 261
9.1.3 Commands and Options Associated with keytool 262
9.1.4 An Example of keytool Usage 269
9.2 Java Archive Tool 270
9.2.1 Options of the jar Command 271
9.2.2 Running a JAR File 274
9.3 JAR Signing and Verification Tool 275
9.3.1 jarsigner Scenario 280
9.3.2 Observations on the jarsigner Verification Process 284
9.3.3 Tampering with a Signed JAR File 286
9.4 Policy File Creation and Management Tool 288
9.4.1 Observations on the Use of the Policy Tool 295
Chapter 10 Security APIs in Java 2 297
10.1 The Package java.security 297
10.1.1 Principals 297
10.1.2 Guard Interface and GuardedObject Class 298
10.1.3 Providers 299
10.1.4 The Security Class 301
10.1.5 Access Control APIs 304
10.1.6 Key Management 305
10.1.7 Message Digests and Digital Signatures 311
10.1.8 Secure Random Number Generation 316
10.1.9 The SignedObject Class 316
10.1.10 Permission APIs 317
10.1.11 Code Source 318
10.1.12 Protection Domain 321
10.1.13 Policy 321
10.1.14 Secure Class Loader 322
10.1.15 Algorithm Parameters 322
10.2 The Package java.security.spec 322
10.3 The Package java.security.cert 323
10.4 Package java.security.interfaces 324
10.5 The Package java.security.acl 324
10.6 Examples Using the Java 2 Security APIs 325
10.6.1 Signature and Signature Verification 325
10.6.2 Using Keystores 332
10.7 The Permission Classes 339
10.7.1 How to Create New Permissions 344
10.7.2 Working with Signed Permissions 348
10.8 How to Write Privileged Code 350
10.8.1 First Case – No Return Value, No Exception Thrown 351
10.8.2 Second Case – Return Value, No Exception Thrown 352
10.8.3 Third Case – Return Value, Exception Thrown 353
10.8.4 Accessing Local Variables 353
10.8.5 An Example of Privileged Blocks Usage 354
10.8.6 General Recommendations on Using the Privileged Blocks 358
Chapter 11 The Java Plug-In 359
11.1 Main Features of Java Plug-In 360
11.2 What Does the Java Plug-In Do? 364
11.3 Java Plug-In HTML Changes 364
11.3.1 Changes Supported by Navigator 364
11.3.2 Changes Supported by Internet Explorer 365
11.3.3 Changes Supported by Both Navigator and Internet Explorer 366
11.3.4 All the Web Browsers 367
11.3.5 Java Plug-in Software HTML Converter 369
11.4 Java Plug-In Control Panel 370
11.4.1 The Basic Panel 370
11.4.2 The Advanced Panel 371
11.4.3 The Proxies Panel 373
11.5 Java Plug-In Security Scenario 374
11.5.1 First Step – Without Using the Java Plug-in 374
11.5.2 Second Step – Using the Java Plug-in 377
Chapter 12 Java Gets Out of Its Box 385
12.1 JAR Files and Applet Signing 385
12.1.1 Manifest File 387
12.1.2 Signature File 392
12.1.3 Signature Block File 392
12.2 Signed Code Scenario in JDK 1.1 and Sun HotJava 393
12.2.1 Creating the CA Key Database 393
12.2.2 Creating the Server Key Database 395
12.2.3 Creating and Signing a JAR File 397
12.2.4 Running the Applet 399
12.2.5 Creating the Client Key Database 399
12.3 Signed Code Scenario in Java 2 SDK, Standard Edition, V1.2 400
12.3.1 Creating a Keystore for Certification Authorities 401
12.3.2 Creating the Server Certificate 402
12.3.3 Creating and Signing a JAR file 406
12.3.4 Granting the Permissions and Running the Applet 407
12.4 Signed Code Scenario in Netscape Communicator 409
12.4.1 Using the netscape.security Package 410
12.4.2 Installing Keys and Certificates in Netscape Communicator 415
12.4.3 Signing JAR Files with Netscape Signing Tool 418
12.5 Signed Code Scenario in Microsoft Internet Explorer 437
12.5.1 First Example with Signed CAB Files 438
12.5.2 A More Complex Signed CAB File Example 450
12.6 The JAR Bug – Fixed In Java 2 SDK, Standard Edition, V1.2.1 461
12.6.1 The Solution in Java 2 SDK, Standard Edition, V1.2.1 470
12.7 Future Developments 470
Part 3 Beyond the Island of Java – Surfing into the Unknown 473
Chapter 13 Cryptography in Java 2 475
13.1 Security Questions, Cryptographic Answers 475
13.1.1 Public Key Certificates 478
13.2 The Java Cryptography Architecture Framework 480
13.2.1 JCE and United States Export Considerations 481
13.2.2 Relationship between Java 2 SDK, JCA and JCE APIs 482
13.3 JCA Terms and Definitions 483
13.3.1 The Provider Concept in the JCA 485
13.3.2 Engine Classes 487
13.3.3 Algorithms 489
13.4 Java Cryptography Extension 493
13.4.1 JCE – Packages and Their Contents 493
13.4.2 The Cipher Class 495
13.4.3 The Cipher Stream Classes 495
13.4.4 Secret Key Interfaces and Classes 495
13.4.5 The KeyGenerator Class 495
13.4.6 The KeyAgreement Class 496
13.4.7 The SealedObject Class 496
13.5 Java Cryptography in Practice 496
13.5.1 First Scenario 496
13.5.2 Second Scenario 496
13.6 Asymmetric Encryption with the Java 2 SDK and JCE 1.2 497
13.6.1 Using Asymmetric Encryption 497
13.7 How to Implement Your Own Provider 497
13.7.1 Write the Service Implementation Code 498
13.7.2 Give the Provider a Name 498
13.7.3 Write a Master Class 498
13.7.4 Compile the Code 498
13.7.5 Install and Configure the Provider 498
13.7.6 Test if the Provider Is Ready 498
13.7.7 Algorithm Aliases 498
13.7.8 Dependencies on Other Algorithms 499
13.7.9 Default Initializations 499
13.7.10 A Sample Master Class 499
Chapter 14 Enterprise Java 501
14.1 Browser Add-On Applets 501
14.2 Networked Architectures 501
14.2.1 Applying the Java 2 Access Control Mechanisms 502
14.2.2 Two-Tier Architecture 503
14.2.3 Three-Tier Architecture 503
14.2.4 Network Security 506
14.3 Secure Clients and Network Computers 509
14.4 Server-Side Java 510
14.4.1 The Cost of Server-Side Java 511
14.5 Servlets 512
14.5.1 Advantages of Servlets 514
14.5.2 Servlets and CGI-BINs 515
14.5.3 Java Servlet APIs 516
14.5.4 Servlet Life Cycle 518
14.5.5 IBM WebSphere Application Server 520
14.5.6 A Sample Servlet 522
14.5.7 The Current Servlet Security Model 530
14.6 Distributed Object Architectures – RMI 537
14.6.1 Stubs and Skeletons 539
14.6.2 RMI Registry 540
14.6.3 A Sample RMI Program 542
14.6.4 The Security of RMI 553
14.7 Enterprise JavaBeans 554
Chapter 15 Java and Firewalls – In and Out of the Net 557
15.1 What Is a Firewall? 557
15.2 What Does a Firewall Do? 558
15.2.1 Inside a TCP/IP Packet 558
15.2.2 How Can Programs Communicate through a Firewall? 561
15.3 Detailed Example of TCP/IP Protocol 562