Relative Danger | Books |
Java Security | Learning More |
Digital Signing And Encryption Schemes | Links |
Security Holes |
The most dangerous things are at the top:
Because installing apps is so common, most people think it is the safest. Not so. An installer or installed app can do anything it wants to any file on your computer. Because of rumours and misunderstanding, people are most afraid of unsigned Java Applets, which are actually the safest form of code. They are much safer than signed Applets. Signed Applet because the identity of the author is assured, are trusted to do almost anything an exe file can do. Unsigned Applets are severely restricted by the sandbox they run in. The restrictions are so onerous that many programmers complained they were too strict. Conversely they think installed exe file must be the safest, simply because they are so common. The industry should have a rating system easy for consumers to understand.
There are many digital signing and encryption protocols. Here is a summary based on a table on page 218 of Web Security & Commerce.
System | What is it? | Algorithms | Provides |
---|---|---|---|
DNSSEC | Secure Domain Name System | RSA (Rivest, Shamir and Adelman), MD5 (Message Digest algorithm 5) | Authentication, integrity |
IPsec and IPv6 (Internet Protocol Version 6) | Low-level protocol for encrypting IP (Internet Protocol) packets | Diffie-Hellman and others | Confidentiality (optional), authentication, integrity |
JCE | (Java Cryptography Extension) API (Application Programming Interface) from Sun | RSA (signature and encryption), RC2, RC5, SHA-0, SHA-1 (Secure Hash Algorithm 1), MD5, DES (Data Encryption Standard) , ECB (Electronic Codebook mode), CBC (Cipher Block Chaining mode), IDEA, Blowfish, Twofish. | Allows Java to encrypt and sign files |
Kerberos | Network security service for securing higher-level applications | DES | Email passwords, Telnet logins, Confidentiality, authentication |
PCT (Private Communication Technology) | Protocol for encrypting TCP (Transmission Control Protocol) , IP transmissions. | RSA, MD5, RCZ, RC4 and others | Confidentiality, authentication, integrity, nonrepudiation |
PGP (Pretty Good Privacy) | Application program for encrypting electronic mail | IDEA, RSA, MD5 | Email signing and encryption, File encryption, Confidentiality, authentication, integrity, nonrepudiation |
S-HTTP | Protocol for encrypting HTTP (Hypertext Transfer Protocol) requests and responses | RSA, DES and others | Confidentiality, authentication, integrity, nonrepudiation; however, it’s obsolete |
S/MIME (Secure Multipurpose Internet Mail Exchange) | Format for encrypting electronic mail | User-specified | E-mail signing and encryption, Confidentiality, authentication, integrity, nonrepudiation |
SET and CyberCash | Protocols for sending secure payment instructions over the Internet | RSA, MD5, RC2 | Confidentiality of credit card numbers, but nothing else; integrity of entire message; authentication of buyer and seller; nonrepudiation of transactions |
SSH (Secure Shell) | Encrypted remote terminal | RSA, Diffie-Hellman, DES , Triple-DES, Blowfish and others | Telnet encryption and login, Confidentiality, authentication |
SSL (Secure Sockets Layer) v3 | Protocol for encrypting TCP/IP (Transmission Control Protocol/Internet Protocol) transmissions | RSA, RCZ, RC4, MD5 , and others | Website commerce, compression, Confidentiality, authentication, integrity, nonrepudiation |
TLS (Transport Layer Security) 1 | Protocol for encrypting TCP/IP transmissions | a 128-bit improvement on SSL v3. Handles all the SSL v3 protocols including RSA, RCZ, RC4 and MD5. | Opera browser, Website commerce, compression, Confidentiality, authentication, integrity, nonrepudiation |
Asymmetric Key | Uses private and public keys for encryption and signing | RSA, DSA (Digital Signature Algorithm) and Diffie Hellman | Code signing, encryption, authentication. DSA is the DSA, not used for encryption. |
Symmetric Key | Uses only secret keys for encryption. | DES, Blowfish, TripleDES | encryption, authentication. Same key used for encryption must be used for decryption. |
Most of the panic news items about the latest security holes do not concern you. The usual simple preventive measures still apply:
You can browser for security at Symantec Find out for example if your browser is secretly blabbing your email address to every website it visits.
Your Java security is only as good as the OS security backing it up. These two websites will probe your OS for security holes and report them back to you. www.DSLREPORTS.com (pay) and grc.com (free). When I ran the GRC (Gibson Research Corporation) ’s report my hair stood on end about all the information NT was blabbing to the universe without my permission.
Windows NT/2000 has over 1000 known security holes. There are ways of plugging some of them. Stat is a tool for managing this giant piece of Swiss cheese.
recommend book⇒The CERT Oracle Secure Coding Standard for Java | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
by | Fred Long, Dhruv Mohindra, Robert C. Seacord, Dean F. Sutherland, David Svoboda | 978-0-321-80395-5 | paperback | |||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
publisher | Addison-Wesley Professional | 978-0-13-288284-2 | WebBook | |||||||||||||||||||||||||||||||||||||||||||||||||||||
published | 2011-09-18 | B005LVNX5W | kindle | |||||||||||||||||||||||||||||||||||||||||||||||||||||
(SEI Series in Software Engineering) The CERT Oracle Secure Coding Standard for Java provides rules designed to eliminate insecure coding practices that can lead to exploitable vulnerabilities. Application of the standard’s guidelines will lead to higher-quality systems — robust systems that are more resistant to attack. Such guidelines are required for the wide range of products coded in Java — for devices such as PCs, game players, mobile phones, home appliances and automotive electronics. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Greyed out stores probably do not have the item in stock. Try looking for it with a bookfinder. |
recommend book⇒Web Security, Privacy and Commerce, second edition | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
by | Simson Garfinkel | 978-0-596-00045-5 | paperback | |||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
publisher | O’Reilly | 978-1-4493-0524-6 | eBook | |||||||||||||||||||||||||||||||||||||||||||||||||||||
published | 2002-01-15 | B004V9MQZS | kindle | |||||||||||||||||||||||||||||||||||||||||||||||||||||
Good for overview, not practical detail. The shark book. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Greyed out stores probably do not have the item in stock. Try looking for it with a bookfinder. |
This page is posted |
http://mindprod.com/jgloss/security.html | |
Optional Replicator mirror
|
J:\mindprod\jgloss\security.html | |
Please read the feedback from other visitors,
or send your own feedback about the site. Contact Roedy. Please feel free to link to this page without explicit permission. | ||
Canadian
Mind
Products
IP:[65.110.21.43] Your face IP:[3.144.242.149] |
| |
Feedback |
You are visitor number | |