35 Understanding Java Security

Pravin Jain

epgp books

 

Introduction 

 

Welcome to this module on Understanding java Security. Earlier we have seen, most of the things required in developing a web application. Web applications are a very important part of distributed application development. We have covered all java technologies Servlets, JSPs , MVC architecture etc and various components that can be created. But another aspect which is important is security.

 

Security is important in any kind of application, it may be a web application or a non- web application. For, any enterprise application security is very important. We will be talking about security in this and the subsequent module. In this module we concentrate on the basic security related elements which are available in the JAVA API itself and in the next module we will see is regarding the web related security.

 

Basic Concepts 

 

Lets begin with looking at various concepts related to security.

 

We will cover some common terminologies related to security, like digital signature, digital certificate, there is something called digitally signed documents or PDFs. As far as java technology is concerned once we have developed a class, a set of classes forms an application. An application may not have only one class. These set of classes are distributed in form of a JAR file. So we have a concept of digitally signing a JAR file. So what are these terms? What do we mean by a digital signature?

 

Lets start with looking at those aspects. What is the exact requirement here?

 

The requirement is you have some application and then it needs to be determined that this application is something  that has  been distributed by a person or some organization. There is some identity, which needs to be associated with some code or in case of a document when someone says, that I have digitally signed the document the idea here is, I have seen the document and I endorse it. That is what is meant by digitally signing a document. “This application is from me, I endorse this application”, that is your requirement. Now how does this all work?How do we have a mechanism of digitally signing, where someone says this is something which is digitally signed and it is very authentic that the other person should be able to verify that its exactly signed by that person only.

 

What is Public Key Infrastructure 

 

So to build all this kind of infrastructure we have public key encryption interface. Lets see the components which are required in the public key interface. Lets talk a little bit about what is encryption and decryption.

 

Understanding Encryption and Decryption 

 

In earlier days for communication purpose, when there was some secret communication, even if someone sees the message in transit, the one who is seeing it, if he is not authorized to see the message he should not be able to make out what the message is. Only the recipient should be able to figure out what the message is about. So in old days there was a Ceasar code which was used. Suppose person A wants to communicate with person B, what they have in common is a key (Infact a key pair). So what was Ceasar code? For every letter we have a particular value or offset to it. For example let me add 3. So for every letter in the message I will just add 3 letters to it, and create the message. When I put this message across, the recipient should be knowing that this has been encrypted using 3 and so I need to subtract 3 and I will get the original message. So we have encryption done by adding 3 and then there is decryption done by subtracting 3. So how is it a key pair? Here we have a common algorithm used by both. Both use an algorithm called add. There is a key called plus 3 and the opposite key is minus 3. If you encode using one, then the other key is used to decoding. So you encrypt and decrypt. Here the algorithm is so simple that if you know one of the keys you can easily determine  the  other key and therefore in this kind of encryption if someone knows the key for encryption then they can easily determine the key for decryption. So such things would not work. But the principle is same.

 

Key Pairs 

 

What we have is we have got special algorithms based on key pair concept. A key for encryption and key for decryption. If you encrypt using a key of the key pair then you decrypt using the other key. So there is always a key pair. The kind of mechanism developed is something like this: Its not a simple algorithm like the add algorithm. We have much better and complicated algorithms. Complicated in the sense that the important aspect for the key pair is, that the algorithm are such that if you know one of the key you can’t determined the other key. These are such algorithms. The common algorithms like the RSA, the DSA etc used for encryption and decryption. The key pair mechanism is used here. The key pair generated is going to be such that given one of the keys of the key pairs, it is going to take years of computing to determine the opposite key. So that is the security aspect.

 

Public key and private key 

 

So if A wants to send something to B or if he wants to publish something, then what is happening in this kind of scenario is that every participant is having a key pair. And in this key pair one of the key is designated as a public key and other is private key. The private key is only known to the entity or the person who using it. And the public key is known to all the people. Now if A wants to send something to B , he can use his private key, encode it and since his public key is known to B. So B can decode it. But then in transit anyone who get the message in transit they know the public key and can get the message. What can be done is that A can use the public key of B, to encode then B has his private key which is the only thing that can decode it. So we use the public key of recipient for encoding. But there is another aspect. If A is sending something to B how can B be sure if the information is created by A only. Anyone could have posed as A and sent a message to B. So to have this kind of integrity we have two levels of encryption. First A would use his private key to encode first, whatever is the cipher text coming out of encryption that would again be encoded using public key of B. When it reaches to B he will first use his private key to get to the first level and whatever is the output of decryption to that B applies the public key of A. Because it was encoded using private key of A, it would turn out to be the correct message. Because the thing which B has got has been obtained using the public key of A, he can be sure that it has been sent by A. No one else could have encoded using private key of A. Private key is something which only with A.

 

One-way Hash and digitally signing 

 

There are other uses of this. Now, suppose you have a document. You have endorsed this document. But then after someone has endorsed the document someone else makes changes in that. So we need some kind of mechanism which says this is something endorsed by A and there have been no changes. So the integrity of the document is as A have seen this document. For this another kinds of algorithms are available. Algorithm for hashing. So what we do is we don’t encrypt the entire document. It is about signing a document. So if A wants to sign a document, what he will do is, he will take the document and then take a one-way hash of the document. It will be very costly to encrypt the entire document. So we take a one-way hash, a fingerprint. There are lot of one-way hash algorithms like SHA1, MD5, SHA256 etc. The idea of a one-way hash algorithm is, you have a document, create a one-way hash, if there is any change taking place in the document, the source, then the one-way hash generated for the changed document is completely different from the previous hash. And given the one-way hash values, it is impossible to generate the entire document. Its just a fingerprint of the document its not the whole thing. So one-way hash are these kind of algorithms. There would be number generated of specific size. For example if we have MD5 algorithm it would be 128 bits, for SHA1 it would be 160 bits, SHA256 has 256 bits etc. Now we can understand that the role of this hashing algorithm in digitally signing the document. So if someone wants to digitally sign the document, he will take the one- way hash of the document using any of the algorithm, and after the hash is generated, he will apply the private key on the one-way hash. When he generates an encryption this value is stored along with the document. This is the document which is digitally signed.

 

Verifying digitally signed data

 

So we can see here that how the integrity checks can be applied. It can always be verified. If there is any change in the document, its hash value will change. So if someone wants to verify if the document  is signed by someone  and if this digital signature of the person is endorsed by the person and whether it has been altered after the signing, the mechanism which is applied is as follows. The one who wants to verify, what he does is, he takes the one-way hash of the entire document again using the same hashing algorithm. He also has the digital signature also which was obtained by applying the private key of the signer on the one-way hash. So what he does is apply the public key of the signer on this digital signature. So he gets the one-way hash value. So we just need to verify that the one-way hash obtained by applying the public key of the signer on the digital signature  is same as the one-way hash obtained by using the algorithm on the document. So we know that this document did not change and it has been endorsed by this person only. This is what is meant by digital signing of the document. We have two algorithms in it – hashing and encryption.

 

So we can sign a JAR file. JAVA gives us mechanism of signing a JAR file and also gives mechanism for verifying the JAR file. JDK has a utility called jarsigner, which is used for both the purpose, ie. Digitally signing a Jar file and verifying a digitally signed jar file.

 

Now how to generate a one-way hash from the JAVA application itself. For this we have the java.security package having a class called MessageDigest. The MessageDigest is a very simple class. It can very easily be used. We have the static method getInstance() in order to create an object of MessageDigest. In this method what you need to specify, is the algorithm to be used for hashing. So you can say MessageDigest.getInstance( ‘ specify the hashing algorithm like md5, SHA1 etc ‘ ). Once you get the object of MessageDigest, which is initially blank, you need to keep on updating all the bytes from your document. In case of a JAR file, for every individual file, it would create a separate one-way hash, it would be encrypted and a digital signature would be created and stored separately for every file. So the integrity for each and every individual file can be verified. There is a META-INF folder where this file will be created which contain the digital signatures and the associated information which can be used to verify if this file is digitally signed or not. In the MessageDigest class we have a method called update where you push in those bytes and generate the hash value. So just keep on calling the update method. In the update method you can give a single byte or a byte array or a segment of a byte array. This update method can be called on the object obtained from the getInstance() method. Then when you want to know the hash, we can generate hash for all the bytes that we have pushed using the method called digest which returns a byte array. That byte array has size depending on the algorithm we are using like for md5 we will get 16 bytes, for SHA1 we get 20 bytes. So that’s something you could easily try out, getting a one-way hash. So digital signing is just taking the one-way hashes and applying encryption on them.

 

Some common JDK tools for security 

 

Now in JAVA, in jdk there are easy tools available for this kind of things. Some of the things that are needed for security, is a tool for creating a key pairs. So to create a key pair we have a tool called keytool. We have a keytool where we can say -generate key have a alias, so we can say -alias, you can even specify which key algorithm to use and then the key pair can be generated. Public key – private key are generated but then where do we keep them. So the key pairs are stored in something called as keystore. So we got keystore files. There are types of keystores. The general type of keystore supported by java is called JKS – Java Key Store. So we can create the files of type jks. This can be created from the keytool. In keytool we can manage key pairs having the keys. Now the keystore can have several kind of entries. One of the entries is the key entries and other kind of entries are the certificate entries. What is the certificate?

 

What is a Certificate? 

 

So when we create a public key and distribute the public key, how can someone say that this is your public key? So just creating a public key anywhere and trying to use it is not the thing. What we have is authorities which actually authorize and give us the public key. They authorize the public key and say I endorse that this is the public key of this person. So we have this authorizing agency called the CA’s – certifying authorities. There are a lot of CA’s like thawte, Entrust etc. Then what you have to do is give all your information to the CA’s so that they can verify that this is yourself only, that you can be authenticated, and then they can issue a certificate. Now this CA’s have their own key pairs. They have their own public key and private key. Now their private key have to be very secure. They will be maintaining their private key very securely. So they pick up all your information needed for the certificate like the organization you work with, your country name, your name etc. and with this information they keep your public key. So your public key would be a part of the certificate. So they do a one-way hash on all this information and then they use their private key on it. What is generated is the certificate. So we have this kind of certificate entries which go in a key store.

 

Thus the key store has two kind of entries – key entry and certificate entry. And then we have the key tool which is used to manage the entries in the key store. In Java we have a class called KeyStore which can be used to manage entries in the keystore. So you can refer to the API in java.security package we have a class called KeyStore.

 

So in the  keystore we  would be  managing our key entries and also managing the certificate entries for others. Because you would like to verify anything you receive from others. All those people from where you receive  something  secure, you should be having their public keys. And since the public keys are again signed by the CA’s you should be having the public keys of all the CA’s. So that is also being managed in the keystore. We have separate keystores actually when we have jdk and even browsers manage the public keys of CA’s. So the public key of CA’s are managed in order to verify that the certificates are correct. There is a file called cacerts in the jre/lib/security which contains the self signed certificates for the CA’s.

 

Then we have another tool called the jarsigner. It can be used for signing a jar file. So if you have a jar file it can be signed using the jarsigner command. The jarsigner command can also be used to verify the integrity of a received jar file and to know whether it has been signed by a particular person.

 

So we have this two important tools available – the keytool and the jarsigner. Jarsigner for verification and keytool for generating the key pairs and managing the key store. From java application there is a class called KeyStore which can be used for managing entries in a keystore.

 

In the next module we will be looking at the security of a web application.

you can view video on Understanding Java Security

Suggested Reading:

  1. Core Java Volume 2 by Cay Horstmann & Gary Cornell, Ninth Edition, Pearson Education.
  2. Java Security by Scott Oaks, 2nd Edition O’Reilly Media
  3. https://docs.oracle.com/javase/tutorial/security/