1 Introduction
Key Java platform design is security. At its core, java language itself is type-safe and provides automatic garbage collection, making it increases the robustness of the application code. Safety class loader and verification mechanism to ensure that only valid code can execute.
Early java platform to create a secure environment for the safe operation of independent untrusted code, such as downloaded from the public network java applets. With the growth of platform expansion and the deployment range, Java security architecture evolve accordingly to support the growing set of services. Today, this architecture includes a series of API, tools, and achieve common security algorithms, mechanisms and protocols. This provides a lot of security framework to developers to develop applications, providing a set of tools for security management application user or administrator.
Java Security API range is very wide, Cryptographic and public key infrastructure (PKI ) interface provides the foundation for the development of secure applications. Perform security authentication and access control interface to ensure that application capable of organizing an unauthorized position to secure resources.
The API allows for algorithms and other security services more actionable implementation. Service Provider by the realization, embedded java platform through a standard interface, which makes the application contains the security services without having to know anything about their realization. This allows developers to focus on how to integrate security mechanisms in the service regardless of how sophisticated security mechanisms.
The Java platform provides a number of Providers to access most of the core of the security services. The same page can be allowed to install additional custom Provider. This ensures that developers can use new security mechanisms to extend the platform.
2.Java language bytecode verification and security
Java language starting from the design is type-safe and easy to use. It provides automatic memory management, garbage collection, and data cross-border inspection mechanism. This reduces the pressure of the developer's programming, there are fewer programming errors and a more secure and robust code.
Java defines different modifiers that can be labeled in the class, method, so that the developer on the field can be appropriately restricted access to their classes. Language defines four different access levels: private, protected, public, package ( no special note of words). public is the least restrictive access modifier, anyone can access. private is the most restrictive modifier does not allow external access to the private members. subclasses protected modifier allows access or other types of packages at the same visit. Package-level access only allows access to classes in the same package.
Java compiler will translate java program into machine-independent bytecode representation. Bytecode verification is to ensure the implementation of the legitimate use of Java byte code at run time. Check the bytecode for compliance with the Java language specification, and guilt do not violate the Java language named constraints. Also check the inspection car is memory management issues, whether the stack overflow, illegal data type conversion. Once the byte code by examining, ready to execute their Java runtime.
3. Basic Security Architecture
Java platform defines a set of API to cover a lot of the main range of security, including cryptography, public key infrastructure, authentication, secure communication, and access control. The API can facilitate developers to easily integrate security into their applications. You can use the following rules designed to achieve:
- Achieve independence
application does not need to achieve security, but security services can be called from the Java platform. Security services provider (see below) is implemented, which is embedded into the Java platform via a standard interface. Applications may depend on multiple independent Provider to implement security features. - Interoperability
Providers between applications are interoperable. Applications will not be bound to the specified provider, provider will not be bound to the application. Extension of the algorithm
Java platform includes a number of built-in to achieve a series of common basic security services provider. However, some programs may rely on standards not yet implemented the emerging patent or services. Java platform supports the installation of a custom implementation of such a service provider.Security Providers
Java java.security.Provider Provider class encapsulates the concept of security of the Java platform. Specify the name of Provider and lists the security services he realized. A plurality of Provider same time may be used, in a safe and smooth as the priority lists. When the security service is called, the highest authority of Privider the service will be selected.
Applications that rely on the relevant getInstance methods to obtain security services from the underlying provider. For example, to create a summary of information on behalf of a service provider offers this type. The application calls getInstance method java.security.MessageDigest class to obtain information that implements the specified digest algorithm, such as SHA-256.
MessageDigest md = MessageDigest.getInstance("SHA-256");Program can selectively call a designated provider to achieve, as follows, as specified provider name:
MessageDigest md = MessageDigest.getInstance("SHA-256", "ProviderC");diagram showing an application requesting an SHA-256 algorithem without specifying a provider name
图1 Provider 查找
diagram showing an application requesting an SHA-256 algorithem from a specific provider
FIG 2 specified Provider
FIGS request procedure explained SHA-256 message digest algorithm implemented. The two images have three provider implements message digest algorithm. provider are arranged sequentially from left to right by reference. In Figure 1, the application requests the SHA-256 algorithm without the provider name specified.
provider will be in the order of reference to find, to find the first privider-ProviderB implementation of the algorithm would be returned. In Figure 2, the application requests SHA-256 algorithm, and with a corresponding privider-ProviderC parameters. In this case, the specified Provider returns
even if there is a higher priority ProviderB also provides a SHA-256 implementation.
File Locations (file location)
Certain aspects of Java security mentioned in this article, including the provider's configuration can be customized by setting security properties. You can still set the security properties in the security properties file, by default, this file is installed java.security file lib / security directory directory of Java ™ Runtime Environment (JRE) in. Dynamic security attributes may be provided by an appropriate method (in java.security package) Security class calls.
It referred to herein are tools and commands ~ jre / bin directory, which represents the installation ~ jre JRE. Cacerts file mentioned in section 5 located ~ jre / lib / security in.
4. Cryptography (encryption)
Java Cryptography Architecture is kava access platform developed encryption framework. It contains a wide range of cryptographic services, including:
- Message digest algorithms
- Digital signature algorithms
- Symmetric bulk encryption
- Symmetric stream encryption
- Asymmetric encryption
- Password-based encryption (PBE)
- Elliptic Curve Cryptography (ECC)
- Key agreement algorithms
- Key generators
- Message Authentication Codes (MACs)
- (Pseudo-)random number generators
Due to historical reasons, encryption API in two different packages inside. java.security package comprising control outlet is not restricted (as Signature and MessageDigest). javax.crypto bag mouth class (Cipher and the KeyAgreement) subject to export control limits.
Encryption is a provider-based interfaces, a plurality of encryption to allow interoperable implementation. Some provider may really perform cryptographic operations in software, another may perform operations based on a hardware token. Providing export control Provider service must be digitally signed.
Java provides a number of built-in Provider common cryptographic algorithms, such as: RSA, DSA, ECDSA signature algorithm, etc., DES, AES, ARCFOUR and other encryption algorithm, MD5, SHA-1, SHA -256 message digest algorithm, etc., as well as Diffie- Hellman key agreement algorithms such and ECDH.