Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

159
Dr. Waitak Wong Dr. Waitak Wong Department of Information Management Department of Information Management Chung Hua University, Hsinchu, Taiwan Chung Hua University, Hsinchu, Taiwan
  • date post

    21-Dec-2015
  • Category

    Documents

  • view

    217
  • download

    1

Transcript of Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

Page 1: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

Dr. Waitak Wong Dr. Waitak Wong Department of Information ManagementDepartment of Information Management

Chung Hua University, Hsinchu, TaiwanChung Hua University, Hsinchu, Taiwan

Page 2: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

2

About SecurityAbout Security

Application SecurityApplication Security

Java Security from the Ground UpJava Security from the Ground Up

Standalone Java Application TechniquesStandalone Java Application Techniques

Hacking Java Client-Sever ApplicationHacking Java Client-Sever Application

Java Network Applications: RMIJava Network Applications: RMI

Page 3: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

3

Exploiting Java Web Tier ComponentsExploiting Java Web Tier Components

Web Services SecurityWeb Services Security

Enterprise Java Beans Security Enterprise Java Beans Security

Page 4: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

4

Common Security ThreatsCommon Security Threats

Three concepts of CIA security modelThree concepts of CIA security model

Definition of securityDefinition of security

About SecurityAbout Security

Page 5: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

5

Identity interceptionIdentity interception

Steal your identity and use it as their ownSteal your identity and use it as their own

MasqueradingMasquerading

Grab your identity and use it elsewhere with the Grab your identity and use it elsewhere with the intention of perpetrating fraudintention of perpetrating fraud

Replay attackReplay attack

Capture your request and replay that requestCapture your request and replay that request

Data interception and manipulationData interception and manipulation

Read your data (such as credit card info)Read your data (such as credit card info)

Common Security ThreatsCommon Security Threats

Page 6: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

6

RepudiationRepudiation

Deny your/his completed transactionDeny your/his completed transaction

Denial of ServiceDenial of Service

Terminate the serviceTerminate the service

Common Security ThreatsCommon Security Threats

Page 7: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

7

Three concepts of CIA security modelThree concepts of CIA security modelCConfidentialityonfidentiality

information must not be disclosed to any unauthorized person

IIntegrityntegrityauthorized actions (unauthorized data changes)

separation and protection for resources

error detection and correction (data corruption)

AAvailabilityvailabilitypresence of objects or service in a usable form

capacity to meet service needs

adequate timeliness of a service

Page 8: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

8

Definition of security

DeterDeterGenerate a feasible and believable deterrence

DetectDetectDetect how, when and where intrusion has taken place

ProtectProtectManage people and the Information System in an effective manner so as to protect against unauthorized usage

Page 9: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

9

Definition of security

ReactReactreact to an intrusion

ensure that penetration does not happen again.

vulnerability is eliminated

RecoverRecoverrecover all data and programs from a breach in security

Page 10: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

10

Application SecurityApplication Security - Not just technology; it’s a process… -- Not just technology; it’s a process… -

System-level Security Vs. System-level Security Vs.

Application-level SecurityApplication-level Security

Operating SystemOperating System

JVMJVM

Java/J2EE APIsJava/J2EE APIs

Application codeApplication codeApplication LevelApplication Level{{

System LevelSystem Level{{

Page 11: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

11

System-level Security Vs. System-level Security Vs. Application-level SecurityApplication-level Security

Defeating System-level security may not Defeating System-level security may not provide attackers with appropriate access provide attackers with appropriate access to the application-level data, logic, or to the application-level data, logic, or methods that they seekmethods that they seek

Attacker

Sys

tem

-lev

elS

yste

m-l

evel

sec

uri

tyse

curi

ty

Ap

pli

cati

on

-A

pp

lica

tio

n-

leve

lle

vel

Sec

uri

tyS

ecu

rity

En

terp

rise

En

terp

rise

Dat

aD

ata

Page 12: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

12

System-level Security Vs. System-level Security Vs. Application-level Security (cont.)Application-level Security (cont.)

Work together to build a secure Work together to build a secure system/application combinationsystem/application combination

Attacker

S

yste

m-l

evel

Sys

tem

-lev

el s

ecu

rity

secu

rity

Ap

pli

cati

on

-A

pp

lica

tio

n-

leve

lle

vel

Sec

uri

tyS

ecu

rity

En

terp

rise

En

terp

rise

Dat

aD

ata

Attacker

Page 13: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

13

System-level Security Vs. System-level Security Vs. Application-level Security (cont.)Application-level Security (cont.)

It is more efficient to push some security It is more efficient to push some security responsibilities up to the application level responsibilities up to the application level instead of handling them at the operating-instead of handling them at the operating-system levelsystem level

OS (Solaris)OS (Solaris)

JVM (Solaris)JVM (Solaris)

Java/J2EE APIsJava/J2EE APIs

Application codeApplication code

OS (IBM AIX)OS (IBM AIX)

JVM (IBM AIX)JVM (IBM AIX)

Java/J2EE APIsJava/J2EE APIs

Application codeApplication code

OS (MS Window)OS (MS Window)

JVM (MS Window)JVM (MS Window)

Java/J2EE APIsJava/J2EE APIs

Application codeApplication code

Page 14: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

14

Java Security from the Ground UpJava Security from the Ground Up

Java Language Safety FeaturesJava Language Safety Features

Java Security ModelJava Security Model

Java Security ArchitectureJava Security Architecture

Page 15: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

15

Java Language Safety FeaturesJava Language Safety Features

Objects have access levels:Objects have access levels:

private: Accessible by defining classprivate: Accessible by defining class

package (default): Accessible by classes in package (default): Accessible by classes in the same packagethe same package

protected: Same as package, with addition protected: Same as package, with addition of access by any subclassof access by any subclass

public: Accessible by any classpublic: Accessible by any class

Page 16: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

16

Java Language Safety FeaturesJava Language Safety Features

Access methods are strictly adhered toAccess methods are strictly adhered to

No pointers (no access to arbitrary memory No pointers (no access to arbitrary memory and automatic garbage collection)and automatic garbage collection)

““final” methods or variables cannot be final” methods or variables cannot be changedchanged

Variables MUST be initialized before useVariables MUST be initialized before use

Array bounds are enforcedArray bounds are enforced

Strict object casting rulesStrict object casting rules

Page 17: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

17

Java Security EnforcementJava Security Enforcement

Page 18: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

18

Java Security EnforcementJava Security Enforcement

Enforcement happens at different timesEnforcement happens at different times

Compile time enforcementCompile time enforcement

Class load time enforcementClass load time enforcement

Runtime enforcementRuntime enforcement

Page 19: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

19

Compile Time EnforcementCompile Time Enforcement

Java Source

Java CompilerBytecode

Class Loader BytecodeVerifier

Java Virtual MachineRuntime

Page 20: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

20

Compile Time EnforcementCompile Time Enforcement

Validate language syntaxValidate language syntax

Enforce method and variable access Enforce method and variable access rulesrules

Enforce variable initializationEnforce variable initialization

Enforce some casting operationsEnforce some casting operations

Page 21: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

21

Class Load Time EnforcementClass Load Time Enforcement

Java Source

Java CompilerBytecode

Class Loader BytecodeVerifier

Java Virtual MachineRuntime

Page 22: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

22

Class Load Time EnforcementClass Load Time Enforcement

Bytecode verificationBytecode verification

Verifies class file formatVerifies class file format

Accesses objects as correct typeAccesses objects as correct type

Final classes are not subclassedFinal classes are not subclassed

Final methods are not overriddenFinal methods are not overridden

Every class has a single superclass Every class has a single superclass Verify that casting legality checks are in Verify that casting legality checks are in placeplace

Page 23: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

23

Class Load Time EnforcementClass Load Time Enforcement

No operand stack overflows or No operand stack overflows or underflowsunderflows

All field and method accesses are legalAll field and method accesses are legal

Method calls use correct number & Method calls use correct number & types of argumentstypes of arguments

Page 24: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

24

Runtime EnforcementRuntime Enforcement

Java Compiler

Java Source

BytecodeClass Loader Bytecode

Verifier

Java Virtual MachineRuntime

Java Compiler

Page 25: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

25

Runtime EnforcementRuntime Enforcement

Array bounds checkingArray bounds checking

Throws Throws ArrayIndexOutOfBoundsExceptionArrayIndexOutOfBoundsException

Object castingObject casting

Throws ClassCastExceptionThrows ClassCastException

Security ManagerSecurity Manager

Throws SecurityExceptionThrows SecurityException

Depends on the Access ControllerDepends on the Access Controller

Page 26: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

26

Java Security ModelJava Security Model

Page 27: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

27

Java Security ModelJava Security Model

Sandbox – a strictly defined arena where they cannot affect other system resources. It provides virtually no flexibility.

Page 28: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

28

Java Security Model (cont.)Java Security Model (cont.)

Page 29: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

29

Components work with SandboxComponents work with Sandbox

Class loaderClass loaderfirst link in the security chain

enforces the name space hierarchy

Byte code verificationByte code verificationchecks that there are violations like stack overflows, name space violations, illegal data type casts, etc.

Security managerSecurity managerIt enforces the boundary of the sandbox

Page 30: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

30

Java Security Model (cont.)Java Security Model (cont.)

Applets either received unlimited access or were confined to the sandbox – there was no option for selective access to resources.

JDK 1.1 security model

Page 31: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

31

Java Security Model (cont.)Java Security Model (cont.)

Page 32: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

32

Java Security Model (cont.)Java Security Model (cont.)

Page 33: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

33

Java Security Model (cont.)Java Security Model (cont.)

Page 34: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

34

Java Security Model (cont.)Java Security Model (cont.)

Page 35: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

35

Java Security Model (cont.)Java Security Model (cont.)

Page 36: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

36

Java Security Model (cont.)Java Security Model (cont.)

Page 37: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

37

Java Security Model (cont.)Java Security Model (cont.)

Page 38: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

38

Java Security Model (cont.)Java Security Model (cont.)

Introduces the concept of a ProtectionDomain, which permits a highly flexible security policy decoupled from its implementation

Page 39: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

39

Java Security Model (cont.)Java Security Model (cont.)

Page 40: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

40

Java Security Model (cont.)Java Security Model (cont.)

Page 41: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

41

Java Security Model (cont.)Java Security Model (cont.)

Page 42: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

42

Java Security Model (cont.)Java Security Model (cont.)

Page 43: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

43

Java Security Model (cont.)Java Security Model (cont.)

Page 44: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

44

Java Security Model (cont.)Java Security Model (cont.)

Page 45: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

45

Java Security Model (cont.)Java Security Model (cont.)

Page 46: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

46

Java Security ArchitectureJava Security Architecture

The J2SE 1.3 introduced The J2SE 1.3 introduced policy-based access controlpolicy-based access controlX.509 v3 implementation of certificate X.509 v3 implementation of certificate interfacesinterfacestools for creating and managing security tools for creating and managing security keys and certificateskeys and certificates

Page 47: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

47

Java Security ArchitectureJava Security Architecture

J2SE 1.4 continued by adding J2SE 1.4 continued by adding Java Authentication and Authorization Java Authentication and Authorization Service (JAAS)Service (JAAS)Java Cryptography Extension (JCE)Java Cryptography Extension (JCE)Java Secure Socket Extension (JSSE)Java Secure Socket Extension (JSSE)Features for Kerberos communicationFeatures for Kerberos communication

Page 48: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

48

Java Security Architecture Road MapJava Security Architecture Road Map

1

2

3

4

5

6

7

Page 49: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

49

Java Security ArchitectureJava Security Architecture

Page 50: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

50

Java Cryptographic ArchitectureJava Cryptographic Architecture

Page 51: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

51

Java Cryptographic Architecture (cont.)Java Cryptographic Architecture (cont.)

Page 52: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

52

JCE ArchitectureJCE Architecture

Extension to JCAExtension to JCAFramework for multiple CSPsFramework for multiple CSPsSun distributes a JCE providerSun distributes a JCE providerDesigned for exportDesigned for exportProvide a framework for encryption and Provide a framework for encryption and decryption, key generation, key decryption, key generation, key agreement, and Message Authentication agreement, and Message Authentication Code (MAC).Code (MAC).Encryption allows symmetric, Encryption allows symmetric, asymmetric, block, and stream ciphers, asymmetric, block, and stream ciphers, with addition support for secure streams with addition support for secure streams and sealed objects. and sealed objects.

Page 53: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

53

JCA & JCEJCA & JCE

Page 54: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

54

JCE v1.2.1JCE v1.2.1

Page 55: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

55

JCE v1.2.1JCE v1.2.1

Unapproved providers cannot plug-inUnapproved providers cannot plug-in

Providers unusable without frameworkProviders unusable without framework

Crypto strength is configured in Crypto strength is configured in jurisdiction policy filesjurisdiction policy files

Page 56: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

56

JCA & JCEJCA & JCE

Page 57: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

57

JCA & JCE (cont.)JCA & JCE (cont.)

Page 58: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

58

JCA & JCE (cont.)JCA & JCE (cont.)

Page 59: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

59

JAAS ArchitectureJAAS Architecture

Provides a Java security API to perform Provides a Java security API to perform authentication and authorization security authentication and authorization security service for Java applicationservice for Java application

JAAS is designed to be pluggable.

Pluggable authentication

User-based authorization

Fine-grained access control capabilities

Framework for single sign-on

Page 60: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

60

JAAS Architecture (cont.)JAAS Architecture (cont.)

Page 61: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

61

JAAS Architecture (cont.)JAAS Architecture (cont.)

Page 62: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

62

JAAS Architecture (cont.)JAAS Architecture (cont.)

Page 63: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

63

JAAS Architecture (cont.)JAAS Architecture (cont.)

Page 64: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

64

JAAS Architecture v1.0 JAAS Architecture v1.0

Page 65: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

65

JAAS Architecture v1.0 (cont.)JAAS Architecture v1.0 (cont.)

Page 66: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

66

Java Secure Sockets ExtensionJava Secure Sockets Extension

Provides Secure Socket Layer (SSL) Provides Secure Socket Layer (SSL) connections over TCP/IP sockets. connections over TCP/IP sockets.

Page 67: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

67

Java Secure Sockets Extension (cont.)Java Secure Sockets Extension (cont.)

JSSE is a set of Java packages that enables secure Internet communications.

Standard socket APIs for SSL and TLSStandard socket APIs for SSL and TLS

Transport level Authentication, Integrity, and Transport level Authentication, Integrity, and PrivacyPrivacy

Supports standard cipher suitesSupports standard cipher suites

Includes https URL handlerIncludes https URL handler

Page 68: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

68

JSSE v1.0.1JSSE v1.0.1

Page 69: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

69

J2SE v1.4 "Merlin": Security

CertPath APICertPath API

GSSAPI “Java Bindings”GSSAPI “Java Bindings”

Public Key Cryptography Standards (PKCS)Public Key Cryptography Standards (PKCS)

Page 70: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

70

J2SE v1.4 "Merlin" : Cert Path

Validation of Certification PathsValidation of Certification Paths

Building of Certification PathsBuilding of Certification Paths

Creation of Certification PathsCreation of Certification Paths

Retrieval of certs/CRLsRetrieval of certs/CRLs

Page 71: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

71

J2SE v1.4 "Merlin": Cert Path

Page 72: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

72

J2SE v1.4 "Merlin": Cert Path

SPI (service provider interface) layer

Page 73: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

73

J2SE v1.4 "Merlin": Kerberos

Network Authentication System

Internet Standard (RFC 1510)

Access via JAAS, JGSS, maybe JSSE

Page 74: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

74

J2SE v1.4 "Merlin": Kerberos Features

Single Sign-on in a Kerberized Single Sign-on in a Kerberized environmentenvironment

Credential cache integrates with platform Credential cache integrates with platform KerberosKerberos

Interoperate with Solaris™ 8 software, Interoperate with Solaris™ 8 software, Windows 2000, and MIT distributionsWindows 2000, and MIT distributions

Page 75: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

75

J2SE v1.4 "Merlin": Kerberos

Page 76: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

76

J2SE v1.4 "Merlin": PKCS

De-facto standards widely used todayDe-facto standards widely used today

Evolved to cover technologies from Evolved to cover technologies from encryption to smartcardsencryption to smartcards

Utilizes public key technologyUtilizes public key technology

Page 77: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

77

J2SE v1.4 "Merlin": PKCS (cont.)

Page 78: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

78

Road Map: Security

End-to-end security

Integrated Security Services

Evolve with standards

Further performance improvements

Page 79: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

79

Standalone Java Application SecurityStandalone Java Application SecurityTechniquesTechniques

Encryption and secure digesting of sensitEncryption and secure digesting of sensitive data using JCEive data using JCELogging and auditing using the Java LogLogging and auditing using the Java Logging APIging API

Page 80: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

80

Encryption and secure digesting of Encryption and secure digesting of sensitive data using JCEsensitive data using JCE

- - ,。、;:!?「『(【#%】)』」&*,。、;:!?「『(【#%】)』」&*※○◎□㊣※○◎□㊣+-+- ×÷×÷<>=$¥<>=$¥€€ --

Defeat a casual unauthorized read or Defeat a casual unauthorized read or write attemptwrite attempt

Adding salt to the data Adding salt to the data

Generating a secret keyGenerating a secret key

Encrypt the dataEncrypt the data

Data verification with message digestsData verification with message digests

Page 81: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

81

Encryption and secure digesting of Encryption and secure digesting of sensitive data using JCE (cont.)sensitive data using JCE (cont.)

DataData

SaltSalt

KeyKey

LockedLockedEncryptEncrypt

DigestingDigesting

EncodingEncoding

MessageMessageDigestDigest

Account Account Encrypted BalanceEncrypted Balance Message DigestMessage Digest12345 R/cT9Xhe44QwZEo+5yruroGmJOLljQTI vMY6nlyuZcFsdHWphVmPxAu1V3o= 12345 R/cT9Xhe44QwZEo+5yruroGmJOLljQTI vMY6nlyuZcFsdHWphVmPxAu1V3o= 54321 RIerr4ua0qatf/TYzVVMHpzARJJ+vQL4 Pc9XQrnv+tR7MD9I4KcsjN3xat0= 54321 RIerr4ua0qatf/TYzVVMHpzARJJ+vQL4 Pc9XQrnv+tR7MD9I4KcsjN3xat0=

AccountAccount BalanceBalance12345 300.312345 300.3 54321 1000.5254321 1000.52

Page 82: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

82

Logging and auditing using the Java Logging and auditing using the Java Logging APILogging API

Modification of data by an unauthorized Modification of data by an unauthorized user with an authorized user’s credentialsuser with an authorized user’s credentials

Log security-related messages and direct Log security-related messages and direct the log messages to a file, a database, a the log messages to a file, a database, a network socket, or even the consolenetwork socket, or even the console

Page 83: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

83

Logging and auditing using Logging and auditing using the Java Logging API (cont.)the Java Logging API (cont.)

Decide what to logDecide what to log

Successful and unsuccessful login Successful and unsuccessful login attemptattempt

Logouts and application shutdownsLogouts and application shutdowns

Successfully accessing functionalitySuccessfully accessing functionality

Unsuccessfully attempting to access any Unsuccessfully attempting to access any functionalityfunctionality

Severe application exceptions that could Severe application exceptions that could affect the integrity of application data or affect the integrity of application data or functionalityfunctionality

Page 84: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

84

Hacking Java Client/Server Hacking Java Client/Server Application Application

Attacking a client-server application Attacking a client-server application (network) is easier than attacking a (network) is easier than attacking a standalone application (physical access)standalone application (physical access)

A two-tier application can be attacked A two-tier application can be attacked

Outside of the application – Outside of the application – Attack the database server Attack the database server

The network – The network – Attack the data as it transits Attack the data as it transits

Application itself – Application itself – Attack the client sideAttack the client side

Page 85: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

85

Attack the database serverAttack the database server

Application-level Database credentialApplication-level Database credential

Using application userid and pwd Using application userid and pwd database credentials database credentials

No way to track the attackerNo way to track the attacker (semi-anonymous)(semi-anonymous)

Page 86: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

86

Attack the database server (cont.) Attack the database server (cont.)

JDBC Data Sources with JNDI JDBC Data Sources with JNDI authentication and embedded credentialauthentication and embedded credential

Hiding the DatabaseHiding the Database

Authenticate a particular user’s access to Authenticate a particular user’s access to the Data Source with that user’s the Data Source with that user’s credentials.credentials.

Page 87: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

87

Attack the database server (cont.)Attack the database server (cont.)

User-level Database passwords and JCE User-level Database passwords and JCE for encryptionfor encryption

Encrypt sensitive data, write it to Encrypt sensitive data, write it to database, and generate a message digest database, and generate a message digest for each data record.for each data record.

User-level database passwords and User-level database passwords and Stored Procedures or callable statements Stored Procedures or callable statements for access controlfor access control

No users or application can directly No users or application can directly access the application tablesaccess the application tables

Page 88: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

88

Attack the data as it transits Attack the data as it transits

Packet sniffingPacket sniffing

Solution: Solution:

Secure the Database connectionSecure the Database connection

Page 89: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

89

Packet Sniffing – Packet Sniffing – Mysql Login PacketMysql Login Packet

Page 90: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

90

Packet Sniffing – Packet Sniffing – Mysql Request PacketMysql Request Packet

Page 91: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

91

Packet sniffing – Packet sniffing – Mysql Response PacketMysql Response Packet

Page 92: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

92

Secure the Database connectionSecure the Database connection

Use a secure JDBC driverUse a secure JDBC driver

Use a secure SSL tunnelUse a secure SSL tunnel

Use JSSE to implement an SSL TunnelingUse JSSE to implement an SSL Tunneling Client and Server Client and Server

Use JCE to encrypt the data at the Use JCE to encrypt the data at the Application LevelApplication Level

Page 93: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

93

Use JSSE to implement an SSL Use JSSE to implement an SSL Tunneling Client and ServerTunneling Client and Server

Page 94: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

94

Attack the client sideAttack the client side

Applets and WebStart applications, where Applets and WebStart applications, where remote class loading is a necessityremote class loading is a necessity

Attackers might succeed in placing Attackers might succeed in placing unwanted or dangerous files on our client.unwanted or dangerous files on our client.

Remote codeRemote code

Remote codeRemote code

Client codes that Client codes that need remote need remote class loadingclass loading

Page 95: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

95

Attack the client side (cont.)Attack the client side (cont.)

Solution:Solution:

Securing JAR filesSecuring JAR files

Specify the Specify the classpathclasspath on the command line on the command line

Protecting Applet-based clientProtecting Applet-based client

Page 96: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

96

Securing JAR filesSecuring JAR files

JAR file – a mechanism for distributing JAR file – a mechanism for distributing application code in an encapsulated formapplication code in an encapsulated form

Jar signer – To associate a digital Jar signer – To associate a digital signature with a JAR file, and to later signature with a JAR file, and to later verify the signature vs. an entry in verify the signature vs. an entry in keystorekeystore

Sealing package within a JAR fileSealing package within a JAR file

Notify JVM that the packages contained in Notify JVM that the packages contained in the JAR file are atomic.the JAR file are atomic.

Remark: keystore – a physical repository for the digital certificates Remark: keystore – a physical repository for the digital certificates that are used to verify that a file was sent by the entity you expectedthat are used to verify that a file was sent by the entity you expected

Page 97: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

97

Specify the classpath on the Specify the classpath on the command linecommand line

Don’t rely on the CLASSPATH Don’t rely on the CLASSPATH environment variable, because that opens environment variable, because that opens a door for attackers to insert their own a door for attackers to insert their own classesclasses

A good practice to always specify your A good practice to always specify your application’s classpath on the command application’s classpath on the command line in a read only startup script.line in a read only startup script.

Page 98: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

98

Protecting Applet-based clientProtecting Applet-based client

Type confusion attack – attacker would Type confusion attack – attacker would develop bycode that could confuse as to develop bycode that could confuse as to the type of the object at a particular the type of the object at a particular memory locationmemory location

Took advantage of flaws (failure to stop Took advantage of flaws (failure to stop illegal class casting or accessing an illegal class casting or accessing an object’s private instance variables) in the object’s private instance variables) in the bytecode verifiers embedded in particular bytecode verifiers embedded in particular VMs.VMs.

Page 99: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

99

Protecting Applet-based client (cont.)Protecting Applet-based client (cont.)

Problem: flaws in an underlying VMProblem: flaws in an underlying VM

Solution: Use the Java Plug-inSolution: Use the Java Plug-in

When the browser sees a special tag When the browser sees a special tag embedded in an HTML page indicating embedded in an HTML page indicating that a Java applet is presented, it ignores that a Java applet is presented, it ignores the browser’s built-in VM and invokes the the browser’s built-in VM and invokes the Java Plug-in, which uses Sun’s JREJava Plug-in, which uses Sun’s JRE

With Java Plug-in, applets will run with With Java Plug-in, applets will run with the default Java Security manager.the default Java Security manager.

Page 100: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

100

Protecting WebStart-based ClientProtecting WebStart-based Client

Java WebStart Java WebStart Java Network Java Network Launching Protocol (JNLP) and APILaunching Protocol (JNLP) and API

Combine the benefits of applet-based Combine the benefits of applet-based deployment with the benefits of deployment with the benefits of standalone applications (no need for a standalone applications (no need for a web browser or applet container)web browser or applet container)

WebStart code is loaded remotely WebStart code is loaded remotely it is it is vulnerable to well known hacking vulnerable to well known hacking technique such as Server spoofing, class technique such as Server spoofing, class replacement, and tricking replacement, and tricking unknowledgable users into granting wide-unknowledgable users into granting wide-ranging system access.ranging system access.

Page 101: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

101

Protecting WebStart-based Client Protecting WebStart-based Client (cont.)(cont.)

Solution:Solution:

Regulated via the SignedBy attribute in Regulated via the SignedBy attribute in javaws.policy file or the system policy filejavaws.policy file or the system policy file

Two additional security settings defined Two additional security settings defined in the JNLP file for the application: in the JNLP file for the application: AllPermissions attribute and the J2EE-AllPermissions attribute and the J2EE-Client attribute.Client attribute.

Including the JNLP files in the signed JAR Including the JNLP files in the signed JAR filefile

Page 102: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

102

Java Network Applications: RMIJava Network Applications: RMI

The Dangers of RMIThe Dangers of RMI

Unauthorized Use of Server Side Unauthorized Use of Server Side FunctionsFunctions

Loading class and jar files remotelyLoading class and jar files remotely

Page 103: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

103

The Dangers of RMI The Dangers of RMI

RMI makes all method calls across RMI makes all method calls across network in plain text without any network in plain text without any authentication.authentication.

Information could be read in transit by a Information could be read in transit by a packet snifferpacket sniffer

Page 104: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

104

The Dangers of RMI (cont.)The Dangers of RMI (cont.)

Solution:Solution:

Selective encryptionSelective encryption

Encrypting the Account number and Encrypting the Account number and BalanceBalance

Encrypted communication channelEncrypted communication channel

Using SSL connection between Client and Using SSL connection between Client and ServerServer

Page 105: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

105

Unauthorized Use of Server Side Unauthorized Use of Server Side FunctionsFunctions

Solution:Solution:

Alter the remote methods so that the Alter the remote methods so that the server can verify the user’s identityserver can verify the user’s identity

Authenticated communication channelAuthenticated communication channel

Create an authenticated socket classCreate an authenticated socket class

Create a socket factory so that RMI can Create a socket factory so that RMI can use the new socketuse the new socket

Page 106: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

106

Loading class and jar files remotelyLoading class and jar files remotely

RMI allows the class and JAR files to be RMI allows the class and JAR files to be loaded from a remote location for loaded from a remote location for application distribution application distribution

Hackers could modify the JAR code and Hackers could modify the JAR code and convince the users to run it. Then they convince the users to run it. Then they could control the system.could control the system.

Solution:Solution:

Alter the remote methods so that the Alter the remote methods so that the server can verify the user’s identityserver can verify the user’s identity

Page 107: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

107

Exploiting Java Web Tier Exploiting Java Web Tier ComponentsComponents

A Java web application utilizes several A Java web application utilizes several technologies:technologies:

JSP and ServletsJSP and Servlets

Static HTML contentStatic HTML content

The Tomcat web container / web serverThe Tomcat web container / web server

Page 108: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

108

Exploiting Java Web Tier Exploiting Java Web Tier Components (cont.)Components (cont.)

System-level security is extremely System-level security is extremely important for any web applicationimportant for any web application

You can apply the following security You can apply the following security measures to the web application:measures to the web application:

Passing servlet parameters in the URL Passing servlet parameters in the URL instead of in the HTTP headerinstead of in the HTTP header

Configuring certain servlets to deny HTTP Configuring certain servlets to deny HTTP GET requestGET request

Page 109: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

109

Exploiting Java Web Tier Exploiting Java Web Tier Components (cont.)Components (cont.)

Implementing a solid web application Implementing a solid web application exception handlingexception handling

Overriding container defaults for Overriding container defaults for directory listing and servlet invocationdirectory listing and servlet invocation

Implementing a form-based Implementing a form-based authentication schemeauthentication scheme

Resist “session stealing” attacksResist “session stealing” attacks

Implementing and requiring HTTPS via Implementing and requiring HTTPS via SSL to be used for all browsers to SSL to be used for all browsers to container connectioncontainer connection

Page 110: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

110

Exploiting Java Web Tier Exploiting Java Web Tier Components (cont.)Components (cont.)

Page 111: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

111

Exploiting Java Web Tier Exploiting Java Web Tier Components (cont.)Components (cont.)

Page 112: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

112

Web Services SecurityWeb Services Security

Web ServicesWeb Services

Web Service TechnologiesWeb Service Technologies

Quick Comparison Related TechnologiesQuick Comparison Related Technologies

The Java Web Services Developer PackThe Java Web Services Developer Pack

Web Services Application VulnerabilitiesWeb Services Application Vulnerabilities

Securing Web Services ApplicationSecuring Web Services Application

Web Services Security SchemeWeb Services Security Scheme

Page 113: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

113

Web ServicesWeb ServicesThe ability to publish, discover, or invoke a set The ability to publish, discover, or invoke a set of services in a platform-independent manner, of services in a platform-independent manner, using XML and standard, web-based protocols using XML and standard, web-based protocols for transport.for transport.

Page 114: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

114

Web Services TechnologiesWeb Services Technologies

Simple Object Access Protocol (SOAP)Simple Object Access Protocol (SOAP)Provide a platform neutral, XML-based Provide a platform neutral, XML-based mechanism to request servicesmechanism to request services

Web Services Description Language Web Services Description Language (WSDL)(WSDL)

The interface description of the serviceThe interface description of the service

Page 115: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

115

Web Services Technologies (cont.)Web Services Technologies (cont.)

Universal Description Discovery and Universal Description Discovery and Integration (UDDI)Integration (UDDI)

The naming service, where service The naming service, where service providers can advertise their services to providers can advertise their services to prospective clientsprospective clients

Page 116: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

116

Quick Comparison to Related Quick Comparison to Related TechnologiesTechnologies

FunctionFunction CORBACORBA JAVA RMIJAVA RMI Web Web ServicesServices

Naming Naming ServiceService

COSNamingCOSNaming rmiregistryrmiregistry UDDIUDDI

Interface Interface DescriptionDescription

IDLIDL extends extends java.rmi.Remotejava.rmi.Remote

WSDLWSDL

Wire Wire ProtocolProtocol

IIOPIIOP JRMP or JMI-JRMP or JMI-IIOPIIOP

SOAPSOAP

Page 117: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

117

The Java Web Services Developer The Java Web Services Developer PackPack

Java technologies for web servicesJava technologies for web services

JAXMJAXM

A Java Interface to generate SOAP A Java Interface to generate SOAP messagesmessages

JAX-RPCJAX-RPC

An interface on top of JAXM provides An interface on top of JAXM provides RMI-like interface to web servicesRMI-like interface to web services

Page 118: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

118

The Java Web Services Developer The Java Web Services Developer Pack (cont.)Pack (cont.)

JAXRJAXR

Java access to UDDI-based registriesJava access to UDDI-based registries

A Host for Web Services EndpointsA Host for Web Services Endpoints

A reference implementation using A reference implementation using servlets running on Jakarta Tomcatservlets running on Jakarta Tomcat

Page 119: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

119

Web Services Application Web Services Application VulnerabilitiesVulnerabilities

The transport data is viewable or The transport data is viewable or changeable with a common text editorchangeable with a common text editor

The WSDL metadata to invoke the service The WSDL metadata to invoke the service is usually available to the general publicis usually available to the general public

Propagation of security identity or Propagation of security identity or credentials between the client and service credentials between the client and service is not standard and can be quite is not standard and can be quite problematic, especially in a workflow-problematic, especially in a workflow-based architecturebased architecture

Page 120: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

120

Watching SOAP Request and Response with tcpmon

Page 121: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

121

Securing Web Services ApplicationSecuring Web Services Application

Securing the client/server connectionSecuring the client/server connection

Connecting web services via secure Connecting web services via secure tunneling over SSLtunneling over SSL

Authentication with web servicesAuthentication with web services

Implementing declarative authorization Implementing declarative authorization for web servicesfor web services

Implementing programmatic authorization Implementing programmatic authorization for web servicesfor web services

Page 122: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

122

Securing Web Services Application Securing Web Services Application (cont.)(cont.)

Confidentiality and integrity of payload Confidentiality and integrity of payload informationinformation

Propagation of credential informationPropagation of credential information

Page 123: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

123

Securing the client/server connectionSecuring the client/server connection

Use SSL/TLS for All Non-public Web Use SSL/TLS for All Non-public Web Service PortsService Ports

J2EE provides an option for all J2EE provides an option for all communication with the application to communication with the application to use SSL/TLS or notuse SSL/TLS or not

Page 124: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

124

Page 125: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

125

Page 126: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

126

Page 127: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

127

Page 128: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

128

XML Key Management Spec.XML Key Management Spec.

Page 129: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

129

XML Key Management Spec.XML Key Management Spec.

Page 130: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

130

XML Key Management Spec.XML Key Management Spec.

Page 131: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

131

eXtensible Access Control eXtensible Access Control

Page 132: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

132

Security Assertion Markup Language

Page 133: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

133

Security Assertion Markup Language

Page 134: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

134

Page 135: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

135

Page 136: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

136

Enterprise Java Beans SecurityEnterprise Java Beans Security

Page 137: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

137

J2EE Security ArchitectureJ2EE Security Architecture

Covers both web-tier and EJB-tiers. At Web-tier, the access control is performed against each web resource which is represented in the form of an URL

At EJB-tier, the access control can be applied against each business method of a bean.

The container can enforce access control based on roles defined in the web-tier and EJB-tier.

Page 138: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

138

J2EE Security ArchitectureJ2EE Security Architecture

A security role represents a grouping of principals and is associated with permissions, or authorization within the application.A principal is assigned a role, and a role is granted permission to execute specific methods.User credentials are represented in the form of Principal objects. The Principal objects are created from the actual user identity information that was entered by user.

Page 139: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

139

Page 140: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

140

Page 141: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

141

Page 142: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

142

Page 143: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

143

Page 144: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

144

Page 145: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

145

EJB Security ArchitectureEJB Security Architecture

EJBs have two options for managing EJBs have two options for managing securitysecurity

Declarative securityDeclarative securityDeclarations made in the deployment Declarations made in the deployment descriptor dictate the security of the descriptor dictate the security of the components.components.Security boundaries are based on the Security boundaries are based on the beans and the methods provided by the beans and the methods provided by the beansbeansSecurity is based on which roles are Security is based on which roles are allowed to use which beans and which allowed to use which beans and which methods they are allowed to execute methods they are allowed to execute within the beans.within the beans.

Page 146: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

146

EJB Security ArchitectureEJB Security Architecture

Programmatic securityProgrammatic securityThe EJB API provides several methods The EJB API provides several methods that indicate the role of the caller and the that indicate the role of the caller and the principal of the caller to control the principal of the caller to control the execution of application securityexecution of application security

Page 147: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

147

Page 148: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

148

Page 149: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

149

Page 150: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

150

Page 151: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

151

Page 152: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

152

J2EE Protection DomainJ2EE Protection Domain

Page 153: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

153

Page 154: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

154

Page 155: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

155

Page 156: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

Dr. Waitak WongDr. Waitak WongEmail: [email protected] Email: [email protected]

Phone: 03-5186529Phone: 03-5186529

Department of Information ManagementDepartment of Information ManagementChu Hua UniversityChu Hua University

No. 707, Sec. 2, WuFu Rd., No. 707, Sec. 2, WuFu Rd., Hsinchu, TaiwanHsinchu, Taiwan

Contact Details:Contact Details:

Page 157: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

157

GrossaryGrossary

CSP – Cryptographic Service ProviderCSP – Cryptographic Service Provider

EJB – Enterprise Java BeanEJB – Enterprise Java Bean

IDL – Interface Description LanguageIDL – Interface Description Language

IIOP – Internet Inter-ORB ProtocolIIOP – Internet Inter-ORB Protocol

JAAS – Java Authentication and JAAS – Java Authentication and Authorization ServiceAuthorization Service

JCE – Java Cryptography ExtensionJCE – Java Cryptography Extension

JDBC – Java Database ConnectivityJDBC – Java Database Connectivity

JNLP – Java Network Launching ProtocolJNLP – Java Network Launching Protocol

Page 158: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

158

Grossary (cont.)Grossary (cont.)

JRMP – Java Remote Method ProtocolJRMP – Java Remote Method Protocol

JSSE – Java Secure Socket Extension JSSE – Java Secure Socket Extension

JWSDP – Java Web Services Developer JWSDP – Java Web Services Developer PackPack

MAC – Message Authentication CodeMAC – Message Authentication Code

PKCS – PKCS – Public Key Cryptography System

RMI – Remote method InvocationRMI – Remote method Invocation

SSL – Secure Socket LayerSSL – Secure Socket Layer

TLS – Transport Layer SecurityTLS – Transport Layer Security

Page 159: Dr. Waitak Wong Department of Information Management Chung Hua University, Hsinchu, Taiwan.

159

The End of the SessionThe End of the Session