Reading in English Week 4 Day 1 Página 1 de 6

Thematic: Java Security

The JDK is designed with a strong emphasis on security. At its core, the Java language itself
is type-safe and provides automatic garbage collection, enhancing the robustness of
application code. A secure class loading and verification mechanism ensures that only
legitimate Java code is executed. The Java security architecture includes a large set of
application programming interfaces (APIs), tools, and implementations of commonly-used
security algorithms, mechanisms, and protocols.

The Java security APIs span a wide range of areas. Cryptographic and public key
infrastructure (PKI) interfaces provide the underlying basis for developing secure
applications. Interfaces for performing authentication and access control enable applications
to guard against unauthorized access to protected resources.

The APIs allow for multiple interoperable implementations of algorithms and other security
services. Services are implemented in providers, which are plugged into the JDK through a
standard interface that makes it easy for applications to obtain security services without
having to know anything about their implementations. This allows developers to focus on
how to integrate security into their applications, rather than on how to actually implement
complex security mechanisms.

The JDK includes a number of providers that implement a core set of security services. It
also allows for additional custom providers to be installed. This enables developers to extend
the platform with new security mechanisms.

The JDK is divided into modules. Modules that contain security APIs include the following:

Diagram taken from Oracle help center

 Reading in English Week 4 Day 1 Página 2 de 6

Java Language Security and Bytecode Verification

The Java language is designed to be type-safe and easy to use. It provides automatic
memory management, garbage collection, and range-checking on arrays. This reduces the
overall programming burden placed on developers, leading to fewer subtle programming
errors and to safer, more robust code.

A compiler translates Java programs into a machine-independent bytecode representation.

A bytecode verifier is invoked to ensure that only legitimate bytecodes are executed in the
Java runtime. It checks that the bytecodes conform to the Java Language Specification and
do not violate Java language rules or namespace restrictions. The verifier also checks for
memory management violations, stack underflows or overflows, and illegal data typecasts.
Once bytecodes have been verified, the Java runtime prepares them for execution.

In addition, the Java language defines different access modifiers that can be assigned to
Java classes, methods, and fields, enabling developers to restrict access to their class
implementations as appropriate. The language defines four distinct access levels:

• private: Most restrictive modifier; access is not allowed outside the particular class
in which the private member (a method, for example) is defined.
• protected: Allows access to any subclass or to other classes within the same
package.
• Package-private: If not specified, then this is the default access level; allows access
to classes within the same package.
• public: No longer guarantees that the element is accessible everywhere; accessibility
depends upon whether the package containing that element is exported by its
defining module and whether that module is readable by the module containing the
code that is attempting to access it.

Basic Security Architecture

The JDK defines a set of APIs spanning major security areas, including cryptography, public
key infrastructure, authentication, secure communication, and access control. The APIs
allow developers to easily integrate security into their application code.

The APIs are designed around the following principles:

Implementation independence
Applications do not need to implement security themselves. Rather, they can request
security services from the JDK. Security services are implemented in providers (see the
section Security Providers), which are plugged into the JDK via a standard interface. An
application may rely on multiple independent providers for security functionality.
 Reading in English Week 4 Day 1 Página 3 de 6

Implementation interoperability
Providers are interoperable across applications. Specifically, an application is not bound to
a specific provider if it does not rely on default values from the provider.

Algorithm extensibility
The JDK includes a number of built-in providers that implement a basic set of security
services that are widely used today. However, some applications may rely on emerging
standards not yet implemented, or on proprietary services. The JDK supports the installation
of custom providers that implement such services.

Java Cryptography

The Java cryptography architecture is a framework for accessing and developing

cryptographic functionality for the Java platform.

It includes APIs for a large variety of cryptographic services, including the following:

• Message digest algorithms

• Digital signature algorithms

• Symmetric bulk and stream encryption

• Asymmetric encryption

• Password-based encryption (PBE)

• Elliptic Curve Cryptography (ECC)

• Key agreement algorithms

• Key generators

• Message Authentication Codes (MACs)

• Secure Random Number Generators

 Reading in English Week 4 Day 1 Página 4 de 6

For historical (export control) reasons, the cryptography APIs are organized into two distinct
packages:

• The java.security and java.security.* packages contains classes that are not subject
to export controls (like Signature and MessageDigest)
• The javax.crypto package contains classes that are subject to export controls
(like Cipher and KeyAgreement)

The cryptographic interfaces are provider-based, allowing for multiple and interoperable
cryptography implementations. Some providers may perform cryptographic operations in
software; others may perform the operations on a hardware token (for example, on a smart
card device or on a hardware cryptographic accelerator). Providers that implement export-
controlled services must be digitally signed by a certificate issued by the Oracle JCE
Certificate Authority.

The Java platform includes built-in providers for many of the most commonly used
cryptographic algorithms, including the RSA, DSA, and ECDSA signature algorithms, the
AES encryption algorithm, the SHA-2 message digest algorithms, and the Diffie-Hellman
(DH) and Elliptic Curve Diffie-Hellman (ECDH) key agreement algorithms. Most of the built-
in providers implement cryptographic algorithms in Java code.

The Java platform also includes a built-in provider that acts as a bridge to a native PKCS#11
(v2.x) token. This provider, named SunPKCS11, allows Java applications to seamlessly
access cryptographic services located on PKCS#11-compliant tokens.

On Windows, the Java platform includes a built-in provider that acts as a bridge to the native
Microsoft CryptoAPI. This provider, named SunMSCAPI, allows Java applications to
seamlessly access cryptographic services on Windows through the CryptoAPI.

Public Key Infrastructure

Public Key Infrastructure (PKI) is a term used for a framework that enables secure exchange
of information based on public key cryptography. It allows identities (of people,
organizations, etc.) to be bound to digital certificates and provides a means of verifying the
authenticity of certificates. PKI encompasses keys, certificates, public key encryption, and
trusted Certification Authorities (CAs) who generate and digitally sign certificates.

The Java platform includes APIs and provider support for X.509 digital certificates and
Certificate Revocation Lists (CRLs), as well as PKIX-compliant certification path building
and validation. The classes related to PKI are located in
the java.security and java.security.cert packages.
 Reading in English Week 4 Day 1 Página 5 de 6

Key and Certificate Storage

The Java platform provides for long-term persistent storage of cryptographic keys and
certificates via key and certificate stores. Specifically, the java.security.KeyStore class
represents a key store, a secure repository of cryptographic keys and/or trusted certificates
(to be used, for example, during certification path validation), and
the java.security.cert.CertStore class represents a certificate store, a public and potentially
vast repository of unrelated and typically untrusted certificates. A CertStore may also store
CRLs.

KeyStore and CertStore implementations are distinguished by types. The Java platform
includes the standard PKCS11 and PKCS12 key store types (whose implementations are
compliant with the corresponding PKCS specifications from RSA Security). It also contains
a proprietary file-based key store type called JKS (which stands for Java Key Store), and a
type called DKS (Domain Key Store) which is a collection of keystores that are presented
as a single logical keystore.

The Java platform includes a special built-in key store, cacerts, that contains a number of
certificates for well-known, trusted CAs. The keytool utility is able to list the certificates
included in cacerts.

The SunPKCS11 provider mentioned in the section Java Cryptography includes a

PKCS11 KeyStore implementation. This means that keys and certificates residing in secure
hardware (such as a smart card) can be accessed and used by Java applications via
the KeyStore API. Note that smart card keys may not be permitted to leave the device. In
such cases, the java.security.Key object returned by the KeyStore API may simply be a
reference to the key (that is, it would not contain the actual key material). Such a Key object
can only be used to perform cryptographic operations on the device where the actual key
resides.

The Java platform also includes an LDAP certificate store type (for accessing certificates
stored in an LDAP directory), as well as an in-memory Collection certificate store type (for
accessing certificates managed in a java.util.Collection object).

Public Key Infrastructure Tools

There are two built-in tools for working with keys, certificates, and key stores:

• keytool creates and manages key stores. Use it to perform the following tasks:
• Create public/private key pairs

• Display, import, and export X.509 v1, v2, and v3 certificates stored as
files
 Reading in English Week 4 Day 1 Página 6 de 6

• Create X.509 certificates

• Issue certificate (PKCS#10) requests to be sent to CAs

• Create certificates based on certificate requests

• Import certificate replies (obtained from the CAs sent certificate

requests)

• Designate public key certificates as trusted

• Accept a password and store it securely as a secret key

• jarsigner signs JAR files and verifies signatures on signed JAR files. The Java
ARchive (JAR) file format enables the bundling of multiple files into a single file.
Typically, a JAR file contains the class files and auxiliary resources associated with
applets and applications.

Authentication

• Authentication is the process of determining the identity of a user. In the context of

the Java runtime environment, it is the process of identifying the user of an executing
Java program.

• The Java platform provides APIs that enable an application to perform user
authentication via pluggable login modules. Applications call into
the LoginContext class (in the javax.security.auth.login package), which in turn
references a configuration. The configuration specifies which login module (an
implementation of the javax.security.auth.spi.LoginModule interface) is to be used to
perform the actual authentication.

• Since applications solely talk to the standard LoginContext API, they can remain
independent from the underlying plug-in modules. New or updated modules can be
plugged in for an application without having to modify the application itself.

Reference: Oracle Help center