Java Security

Ogg-Vorbis format, 16Mbytes

MP3, 16Mbytes

WAV format, 175Mbytes

Security Manager

• From JDK 1.2 onwards, applications can be run with a security manager
• This can be set by the runtime

        java -Djava.security.manager

• A security manager can be set by code

        System.setSecurityManager(new SecurityManager())
        

  This may fail if the current security permisssions do not allow a security manager to be set. If

        System.getSecurityManager()

  is null then a security manager can always be set
• The only subclass of SecurityManager that is in the JDK is RMISecurityManager that allows code to be downloaded across the network - for remote code only. Used by RMI and Jini applications
• A security manager needs a security policy, which can also be set at the command line

        java -Djava.security.policy=someURL

Security Policy

• A security policy says what code is allowed to do
• Example permissions:

        permission java.io.FilePermission "/tmp/*", "read, write";
        permission java.lang.RuntimePermission "exitVM", "true";
        

• If a permission isn't granted, then it is not allowed
• In the example, write permission to the /tmp directory is allowed, but not the FilePermission to write to any other directory
• In the example, permission to exit the JVM is granted, but not the RuntimePermission to stopThread

Code Permissions

• Java classes may come from a variety of sources:
  • Classes in the JDK directory jre/lib/ext. These classes are completely trusted
  • Classes in local class files
  • Classes in local jar files
  • Remote classes
• Permissions may be granted to classes based on origin and/or whether they are signed

Sample permissions

• Grant permission only for certain activities, such as socket access at various levels on particular ports, or access to certain files for reading, writing or execution

  
        grant {
          permission java.net.SocketPermission "224.0.1.85", "connect,accept";
          permission java.net.SocketPermission "*.edu.au:80", "connect";
        }
        

• Grant access only to particular hosts, subdomains or domains

  
        grant codebase "http://sunshade.dstc.edu.au/classes/" {
          permission java.security.AllPermission "", "";
        }
        

• Require digital signatures attached to code

  
        grant signedBy "sysadmin" {
          permission java.security.AllPermission "", "";
        }
        

Keystores

• Public/private keys are kept in keystores
• The keystore should be specified in the policy file

        keystore "url", "keystore-type"
        

  e.g.

        keystore "file:/home/jan/.keystore", "JKS";
        

• Keystores are manipulated using keytool

        keytool -keystore ~jan/.keystore -list # list known keys
        keytool -keystore ~jan/.keystore -storepasswd -new
                 # generate password for store access 
        keytool -keystore ~jan/.keystore -genkey
                 # generate a new private/public key
        keytool -keystore ~jan/.keystore -export
                 # export keys to a file for transmission
        

Signing files

• To sign a jar file, use jarsigner

Some private key algorithms

• A crypto transformation can be specified by algorithm/mode/padding where optional parts use default values

        DES
        DES/CBC/PKCS5Padding
        

Some public/private key algorithms

Class Cipher

• The Cipher class is used by JCE to handle crypto
• Get a new object by a factory method of Cipher

        public static Cipher getInstance(String transformation)
        

• A cipher object must be initialised before use by init()

        init(int opmode, Key key)
        init(opmode, Certificate cert)
        // etc
        

  where opmode is one of ENCRYPT_MODE or DECRYPT_MODE
• Encrypt/decrypt by

        public byte[] doFinal(byte[] input)
        

Example

import java.io.*;
import java.net.*;
import javax.crypto.spec.*;
import javax.crypto.*;
import java.security.*;
import java.security.spec.*;

public class EchoServer {
    
    public static int MYECHOPORT = 8189;

    public static void main(String argv[]) {
	ServerSocket s = null;
	try {
	    s = new ServerSocket(MYECHOPORT);
	} catch(IOException e) {
	    System.out.println(e);
	    System.exit(1);
	}
	while (true) {
	    Socket incoming = null;
	    try {
		incoming = s.accept();
	    } catch(IOException e) {
		System.out.println(e);
		continue;
	    }

	    /*
	    try {
		incoming.setSoTimeout(10000); // 10 seconds
	    } catch(SocketException e) {
		e.printStackTrace();
	    }
	    */

	    try {
		handleSocket(incoming);
	    } catch(InterruptedIOException e) {
		System.out.println("Time expired " + e);
	    } catch(IOException e) {
		System.out.println(e);
	    }

	    try {
		incoming.close();
	    } catch(IOException e) {
		// ignore
	    }
	}  
    }
    
    public static void handleSocket(Socket incoming) throws IOException {
	DataInputStream in =
	    new DataInputStream(incoming.getInputStream());
	DataOutputStream out =
	    new DataOutputStream(incoming.getOutputStream());

	// should get user id first in order to work out which
	// key to use. Here, just use the same key for everyone
	byte[] key = new byte[] {'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h'};
	             // should be DESKeySpec.DES_KEY_LEN bytes
	DESKeySpec spec = null;
	try {
	    spec = new DESKeySpec(key);
	} catch(InvalidKeyException e) {
	    e.printStackTrace();
	    return;
	}
	SecretKeyFactory factory = null;
	try {
	    factory = SecretKeyFactory.getInstance("DES");
	} catch(NoSuchAlgorithmException e) {
	    e.printStackTrace();
	    return;
	}
	SecretKey secret = null;
	try {
	    secret = factory.generateSecret(spec);
	} catch(InvalidKeySpecException e) {
	    e.printStackTrace();
	    return;
	}

	Cipher inCipher = null;
	Cipher outCipher = null;
	try {
	    inCipher = Cipher.getInstance("DES");
	    outCipher = Cipher.getInstance("DES");
	} catch( NoSuchAlgorithmException e) {
	    e.printStackTrace();
	    return;
	} catch(NoSuchPaddingException e) {
	    e.printStackTrace();
	    return;
	}

	try {
	    inCipher.init(Cipher.DECRYPT_MODE, secret);
	    outCipher.init(Cipher.ENCRYPT_MODE, secret);
	} catch(InvalidKeyException e) {
	    e.printStackTrace();
	    return;
	}

	while (true) {
	    // read a byte saying how many bytes of data
	    // are coming
	    byte length = in.readByte();
	    byte[] inBytes = new byte[length];
	    int nread = in.read(inBytes);
	    if (nread != length) {
		break;
	    }
	    byte[] inDecrypt = null;
	    try {
		inDecrypt = inCipher.doFinal(inBytes);
	    } catch(IllegalBlockSizeException e) {
		e.printStackTrace();
		break;
	    } catch(BadPaddingException e) {
		e.printStackTrace();
		break;
	    }

	    String inStr = new String(inDecrypt);
	    System.out.println("Read from client: " + inStr);
	    if (inStr.equals("BYE")) {
		break;
	    }

	    // send it back
	    byte[] outCrypt = null;
	    try {
		outCrypt = outCipher.doFinal(inStr.getBytes());
	    } catch(IllegalBlockSizeException e) {
		e.printStackTrace();
		break;
	    } catch(BadPaddingException e) {
		e.printStackTrace();
		break;
	    }

	    out.writeByte((byte) outCrypt.length);
	    out.write(outCrypt);

	}
	incoming.close();
    }
}

SSL (Secure Sockets Layer)

• SSL was introduced by Netscape for encryption of data at the socket layer.
• Services such as HTTPD, IMAP, etc can then be run above SSL to send encrypted HTML, mail documents
• Netscape/IE show a broken key for ordinary HTTP, a completed key for HTTP over SSL
• SSL has been standardised by the IETF as TLS (Transport Layer Security)
• SSL uses
  • Public key identification of parties - in particular the server
  • Exchange of a secret session key
  • Secret key encryption for message exchange
• JSSE (Java Secure Socket Extension) is in JDK 1.4, and is the Java API for using SSL
• An article on getting JSSE to work is at http://www.ddj.com/articles/2001/0102/0102a/0102a.htm?topic=security

Echo Server with SSL/TLS

I can't get this to see any certificates yet

import java.io.*;
import java.net.*;
import javax.net.ssl.*;

public class TLSEchoServer {
    
    public static int MYECHOPORT = 8189;

    public static void main(String argv[]) {
	try {
	    SSLServerSocketFactory factory =
		(SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
	    
	    SSLServerSocket sslSocket =
		(SSLServerSocket) factory.createServerSocket(MYECHOPORT);

	    while (true) {
		Socket incoming = sslSocket.accept();
		new SocketHandler(incoming).start();
	    }  
	} catch(IOException e) {
	    e.printStackTrace();
	    System.exit(30);
	}
    }
}

class SocketHandler extends Thread {

    Socket incoming;

    SocketHandler(Socket incoming) {
	this.incoming = incoming;
    }

    public void run() {
	try {
	    BufferedReader reader =
		new BufferedReader(new InputStreamReader(
				   incoming.getInputStream()));
	    PrintStream out =
		new PrintStream(incoming.getOutputStream());

	    boolean done = false;
	    while ( ! done) {
		String str = reader.readLine();
		if (str == null) 
		    done = true;
		else {
		    System.out.println("Read from client: " + str);
		    out.println("Echo: " + str);
		    if (str.trim().equals("BYE"))
			done = true;
		}
		
	    }
	    incoming.close();
	} catch(IOException e) {
	    e.printStackTrace();
	}
    }
}

Echo Client with SSL/TLS

/**
 * Client.java
 *
 *
 * Created: Fri Jul 20 12:54:51 2001
 *
 * @author <a href="mailto: ">Jan Newmarch</a>
 * @version
 */

import java.io.*;
import java.net.*;
import javax.net.ssl.*;

public class TLSEchoClient{

    public static final int MYECHOPORT = 8189;
    
    public static void main(String[] args){

	if (args.length != 1) {
	    System.err.println("Usage: Client address");
	    System.exit(1);
	}

	InetAddress address = null;
	try {
	    address = InetAddress.getByName(args[0]);
	} catch(UnknownHostException e) {
	    e.printStackTrace();
	    System.exit(2);
	}

	Socket sock = null;
	try {
	    sock = new Socket(address, MYECHOPORT);
	} catch(IOException e) {
	    e.printStackTrace();
	    System.exit(3);
	}
	SSLSocketFactory factory =
	    (SSLSocketFactory) SSLSocketFactory.getDefault();
	
	SSLSocket sslSocket = null;
	try {
	    sslSocket =
	    (SSLSocket) factory.createSocket(sock, args[0], MYECHOPORT, true);
	} catch(IOException e) {
	    e.printStackTrace();
	    System.exit(3);
	}
	
	BufferedReader reader = null;
	PrintStream out = null;

	try {
	    reader = new BufferedReader(new InputStreamReader(
                                    sslSocket.getInputStream()));
	    out = new PrintStream(sslSocket.getOutputStream());
	} catch(IOException e) {
	    e.printStackTrace();
	    System.exit(6);
	}

	String line = null;
	try {
	    // Just send a goodbye message, for testing
	    out.println("BYE");
	    line = reader.readLine();
	} catch(IOException e) {
	    e.printStackTrace();
	    System.exit(6);
	}

	System.out.println(line);
	System.exit(0);
    }
} // Client

Running the client and server

• Create a keystore to hold the private and public keys for the server. e.g.

  
        keytool -genkey -keystore mykeystore -alias "..." -keypass "..."
        

• Export the X509 certificate from this store

  
        keytool -export -alias "..." -keystore keystore -file mycertfile.cer
        

• Import this into a trustStore for the client

  
        keytool -import -alias "..." -keystore mytruststore -file mycertfile.cer
        

• Run the server using the keystore

  
        java -Djavax.net.ssl.keyStore=mykeystore \
             -Djavax.net.ssl.keyStorePassword="..." \
             TLSEchoServer
        

• Run the client using the truststore

  
        java  -Djavax.net.ssl.trustStore=mytruststore \
              -Djavax.net.ssl.trustStorePassword="..." \
              TLSEchoClient localhost
        

• If things don't work out right, add the debugging flag -Djavax.net.debug=ssl

References

1. Li Gong "Inside Java2 Platform Security" Addison-Wesley 1999
2. Java Cryptography Extension http://java.sun.com/products/jce/index-14.html
3. Java Secure Socket Extension http://java.sun.com/products/jsse/index-14.html