Security
`
`O'REILLYTN
`
`Scott Oaks
`
`Page 1 of 482
`
`GOOGLE EXHIBIT 1028
`
`

`

`THE
`JAVA..
`SERIES
`
`Java 1.2
`
`O'REILLY"
`
`Page 2 of 482
`
`

`

`J ava™ Security
`Java" Security
`
`Page 3 of 482
`
`Page 3 of 482
`
`

`

`THE
`JAVA,.
`SERIES
`
`Exploring Java'"
`Java'" Threads
`Java'" Network Programming
`Java'" Virtual Machine
`Java'" A WT Reference
`Java'" Language Reference
`Java'" Fundamental Classes Reference
`Database Programming with JDBC'" and Java'"
`Developing Java Beans'"
`Java'" Distributed Computing
`
`Also from O'Reilly
`
`Java'" in a Nutshell
`Java'" in a Nutshell, Deluxe Edition
`Java'" Examples in a Nutshell
`Netscape IFC in a Nutshell
`
`Page 4 of 482
`
`

`

`J avaTM Security
`
`Scott Oaks
`
`Cambridge
`
`• Koln
`
`• Paris
`
`O'REILLY'"
`• Sebastopol
`• Tokyo
`
`Page 5 of 482
`
`

`

`Java™ Security
`by Scott Oaks
`
`Copyright © 1998 O'Reilly & Associates, Inc. All rights reserved.
`Printed in the United States of America.
`
`Published by O'Reilly & Associates, Inc., 101 Morris Street, Sebastopol, CA 95472.
`
`Editor: Mike Loukides
`
`Production Editor: Jane Ellin
`
`Printing History:
`May 1998:
`
`First Edition
`
`Nutshell Handbook and the Nutshell Handbook logo are registered trademarks and The
`JavaTM Series is a trademark of O'Reilly & Associates, Inc. The association of the image of a
`bird's nest with the topic of Java ™ security is a trademark of O'Reilly & Associates, Inc. JavaTM
`and all Java-based trademarks and logos are trademarks or registered trademarks of Sun
`Microsystems, Inc., in the United States and other countries. O'Reilly & Associates, Inc. is
`independent of Sun Microsystems.
`
`Some material from Chapter 2 appeared previously in a different form in The java Report.
`
`Many of the designations used by manufacturers and sellers to distinguish their products are
`claimed as trademarks. Where those designations appear in this book, and O'Reilly &
`Associates, Inc. was aware of a trademark claim, the designations have been printed in caps
`or initial caps.
`
`While every precaution has been taken in the preparation of this book, the publisher assumes
`no responsibility for errors or omissions, or for damages resulting from the use of the
`information contained herein.
`
`@
`
`This book is printed on acid-free paper with 85% recycled content, 15% post-consumer waste.
`O'Reilly & Associates is committed to using paper with the highest recycled content available
`consistent with high quality.
`
`ISBN: 1-56592-403-7
`
`Page 6 of 482
`
`

`

`Table ofContents
`
`Preface ............................................................................................................................. ix
`
`l. Java Application Security ............................................................................ 1
`What Is Security? ................................................................................................... 1
`The Java Sandbox .................................................................................................. 4
`Applications, Applets, and Programs .................................................................. 6
`Running aJavaApplication ..... : ........................................................................... 9
`Summary .............................................................................................................. 15
`
`2. Java Language Security ............................................................................. 17
`Java Language Security Constructs ................................................................... 18
`Enforcement of the Java Language Rules ........................................................ 23
`Summary .............................................................................................................. 30
`
`3. Java Class Loaders ....................................................................................... 31
`Security and the Class Loader ........................................................................... 32
`Anatomy of a Class Loader ................................................................................ 35
`Loading Classes ................................................................................................... 40
`Implementing a Class Loader ............................................................................ 43
`Extensions to the Class Loader ......................................................................... 51
`Miscellaneous Class Loading Topics ................................................................ 59
`Summary .............................................................................................................. 61
`
`v
`
`Page 7 of 482
`
`

`

`vi
`
`TABLE OF CONTENTS
`
`4. The Security Manager Class ..................................................................... 62
`Overview of the Security Manager .................................................................... 62
`Trusted and Untrusted Classes .......................................................................... 67
`Using the Security Manager ............................................................................... 68
`Summary ............................................................................................................. ". 89
`
`5. The Access Controller .................................................................................. 90
`The CodeSource Class ........................................................................................ 92
`Permissions .......................................................................................................... 93
`The Policy Class ................................................................................................. 108
`Protection Domains .......................................................................................... 114
`The AccessController Class .............................................................................. 116
`Guarded Objects ............................................................................................... 121
`Summary ............................................................................................................ 122
`
`6. Implementing Security Policies ............................................................. 124
`Protected Methods of the Security Manager ................................................. 125
`Security Managers and the Class Loader ....................................................... 138
`Implementation Techniques ........................................................................... 140
`Running Secure Applications .......................................................................... 158
`Summary ............................................................................................................ 161
`
`7. Introduction to Cryptography ............................................................... 162
`The Need for Authentication .......................................................................... 163
`The Role of Authentication ............................................................................. 168
`Cryptographic Engines ..................................................................................... 169
`Summary ............................................................................................................ 175
`
`8. Security Providers ....................................................................................... 177
`The Architecture of Security Providers .......................................................... 178
`The Provider Class ............................................................................................ 183
`The Security Class ............................................................................................. 187
`The Architecture of Engine Classes ................................................................. 192
`Summary ............................................................................................................ 194
`
`Page 8 of 482
`
`

`

`TABLE OF CONTENTS
`
`vii
`
`9. Message Digests ............................................................................................ 195
`Using the Message Digest Class ....................................................................... 196
`Message Digest Streams .................................................................................... 201
`Implementing a MessageDigest Class ............................................................. 204
`Summary ............................................................................................................ 209
`
`10. Keys and Certificates ................................................................................. 210
`Keys ................................................................................................... · .................. 211
`The KeyPairGenerator Class ............................................................................ 215
`The Key Factory Class ........................................................................................ 220
`Certificates ......................................................................................................... 227
`Keys, Certificates, and Object Serialization ................................................... 240
`Summary ............................................................................................................ 241
`
`11. Key Management ......................................................................................... 243
`Overview of Key Management ......................................................................... 244
`Identities ............................................................................................................ 245
`The KeyS tore Class ............................................................................................ 253
`A Key Management Example .......................................................................... 260
`Summary ............................................................................................................ 265
`
`12. Digital Signatures ....................................................................................... 266
`The Signature Class .......................................................................................... 266
`Signed Classes ..................................................................................................... 277
`Implementing a Signature Class ..................................................................... 283
`Summary ............................................................................................................ 287
`
`13. Encryption ....................................................................................................... 289
`Export Restrictions ........................................................................................... 289
`The Sun Security Provider in the JCE ............................................................ 292
`Key Types in the JCE ......................................................................................... 293
`Secret Key Engines ............................................................................................ 296
`Encrypting Data ................................................................................................. 302
`Cipher Streams .................................................................................................. 315
`Symmetric Key Agreement ............................................................................... 320
`Sealed Objects ................................................................................................... 326
`Summary ............................................................................................................ 327
`
`Page 9 of 482
`
`

`

`viii
`
`TABLE OF CONTENTS
`
`A. Security Tools ................................................................................................ 329
`
`B. Identity-Based Key Management .......................................................... 349
`
`C. Security Resources ...................................................................................... 366
`
`D. Quick Reference ........................................................................................... 375
`
`Index ............................................................................................................................. 437
`
`Page 10 of 482
`
`

`

`Preface
`
`When I first mentioned to a colleague of mine that I was writing a book on Java™
`security, he immediately starting asking me questions about firewalls and Internet
`DMZs. Another colleague overheard us and started asking about electronic
`commerce, which piqued the interest of a third colleague who wanted to hear all
`about virtual private networks. All this was interesting, but what I really wanted to
`talk about was how a Java applet could be allowed to read a file.
`
`Such is the danger of anything with the word "security" in its title: security is a
`broad topic, and everyone has his or her own notion of what security means.
`Complicating this issue is the fact that Java security and network security
`(including Internet security) are complementary and sometimes overlapping
`topics: you can send encrypted data over the network with Java, or you can set up
`a virtual private network that encrypts all your network traffic and remove the
`need for encryption within your Java programs.
`
`This is a book about security from the perspective of a Java program. In this book,
`we discuss the basic platform features of Java that provide security-the class
`loader, the bytecode verifier, the security manager-and we discuss recent addi(cid:173)
`tions to Java that enhance this security model-digital signatures, security
`providers, and the access controller. The ideas in this book are meant to provide
`an understanding of the architecture of Java's security model and how that model
`can be used (both programmatically and administratively).
`
`ix
`
`Page 11 of 482
`
`

`

`X
`
`PREFACE
`
`Who Should Read This Book?
`This book is intended primarily for programmers who want to write secure Java
`applications. Much of the book is focused on various APis within Java that provide
`security; we discuss both how those APis are used by standard Java-enabled
`browsers and how they can be used in your own Java applications. From a
`programming perspective, this latter case is the most interesting: Java-enabled
`browsers have each adopted particular security models, but there's not much a
`programmer or administrator can do to alter those models. However, this is begin(cid:173)
`ning to change, as technologies like Sun Microsystems' Activator bring Sun's basic
`security model to popular browsers.
`
`For the end user or system administrator who is interested in Java security, this
`book will provide knowledge of the facilities provided by the basic Java platform
`and how those facilities are used by Java-enabled browsers and by Java applica(cid:173)
`tions. We do not delve into the specific security features of any Java-enabled
`browser, although we do point out along the way which security features of Java
`are subject to change by the companies that provide Java-enabled browsers.
`Hence, end users and system administrators can read this book (and skip over
`many of the programming examples) to gain an understanding of the funda(cid:173)
`mental security features of the Java platform, and they can understand from each
`of its parts how the security feature might be administrated (especially for Java
`applications). This is particularly true for end users and administrators who are
`interested in assessing the risk of using Java: we give full details of the implementa(cid:173)
`tion of Java's security model not only so that you can program within that model
`(and adjust it if necessary), but also so that you have a deep understanding of how
`it works and can assess for yourself whether or not Java meets your definition of
`security.
`
`From a programming perspective, we assume that developers who read this book
`have a good knowledge of how to program in Java, and in particular how to write
`Java applications. When we discuss advanced security features and cryptographic
`algorithms, we do so assuming that the programmer is primarily interested in
`using the API to perform certain tasks. Hence, we explain at a rudimentary level
`what a digital signature is and how it is created and used, but we do not explain
`the cryptographic theory behind a digital signature or prove that a digital signa(cid:173)
`ture is secure. For developers who are sufficiently versed in these matters, we also
`show how the APis may be extended to support new types of cryptographic algo(cid:173)
`rithms, but again we
`leave the mathematics and rigorous definitions of
`cryptography for another book.
`
`Page 12 of 482
`
`

`

`PREFACE
`
`xi
`
`Versions Used in This Book
`Writing a book onJava security has been a challenge for a number of reasons, not
`the least of which is that the security APis have been radically changing over the
`past year. Java 1.1 introduced many of the APis we'll be discussing in this book,
`including the notion of a security provider that supplies an implementation of the
`security package. Java 1.2 introduced significant changes to the security package
`as well as a new fundamental security object called the "access controller," which
`takes on much of the responsibility that has resided with the security manager
`sinceJava 1.0.
`
`For the most part, we assume that developers using this book will be using Java
`1.2, and our primary focus will be on the 1.2 release of the Java Development Kit
`QDK) from Sun Microsystems. However, for developers using 1.1, we will provide
`full details of what's available in 1.1, and what has changed in 1.2; in some cases,
`this information has changed so radically that the information is relegated to an
`appendix. The information in this book is based on the 1.2 beta release; there
`may be slight differences in the 1.2 FCS release.
`
`For the most part, we do not track changes between 1.0 and 1.1 in this book.
`
`Most of the examples used in this book are available via ftp from the O'Reilly web
`site, www.oreilly.com. A few of the examples have been withheld from the online
`distribution because of U.S. restrictions on the export of cryptography.
`
`Conventions Used in This Book
`Constant width font is used for:
`
`• Code examples
`
`• Class, variable, and method names within the text
`
`Italicized font is used for:
`
`•
`
`Filenames
`
`• Host and domain names
`
`• URLs
`
`When a new method or class is introduced, its definition will appear beginning
`with italicized text like this:
`
`public void checkAccess(Thread t)
`Check whether the current thread is allowed to modify the state of the param(cid:173)
`eter thread.
`
`Page 13 of 482
`
`

`

`xii
`
`PREFACE
`
`In addition, one of the following symbols may appear next to a definition:
`
`* Indicates that the method/ class is available only in 1.2.
`
`-k
`
`Indicates that the method/ class has been deprecated in 1.2.
`
`There are some examples of commands scattered through the book, especially in
`sections and appendices that deal with administration. By convention, all exam(cid:173)
`ples are shown as they would be executed on a Unix system, e.g.:
`
`piccolo% keytool -export -alias sdo -file /tmp/sdo.cer
`******
`Enter keystore password:
`Certificate stored in file </tmp/sdo.cer>
`
`In these examples, the text typed by the user or administrator is always shown in
`bold font; the remaining text is output from the command (the string piccolo%
`indicates a command prompt). On other systems, the names of the files would
`have to be changed to conform to that system (e.g., C:\sdo.cer for a Windows
`system). However, note that while Windows systems often use a forward-slash (/)
`for command-line options, Java tools (even on those systems) universally use a
`hyphen (-) to indicate command-line options. In these examples, then, only the
`filenames are different between platforms.
`
`Organization ofThis Book
`This book is organized in a bottom-up fashion: we begin with the very low-level
`aspects of Java security and then proceed to the more advanced features.
`
`Chapter 1, Java Application Security
`
`This chapter gives an overview of the security model (the Java sandbox) used
`in Java applications and sets the stage for the rest ofthe book.
`
`Chapter 2,]ava Language Security
`
`This chapter discusses the memory protections built into the Java language,
`how those protections provide a measure of security, and how they are
`enforced by the bytecode verifier.
`
`Chapter 3, java Class Loaders
`
`This chapter discusses the class loader, which is the class that reads in Java
`class files and turns them into classes. From a security perspective, the class
`loader is important in determining where classes originated and whether or
`not they were digitally signed (and if so, by whom), so the topic of class load(cid:173)
`ers appears throughout this book.
`
`Page 14 of 482
`
`

`

`PREFACE
`
`xiii
`
`Chapter 4, The Security Manager Class
`
`This chapter discusses the security manager, which is the primary interface to
`application-level security in Java. The security manager is responsible for arbi(cid:173)
`trating access to all local resources: files, the network, printers, etc.
`
`Chapter 5, The Access Controller
`
`The access controller is the basis for security manager implementations in
`Java 1.2. This chapter discusses how to use the access controller to achieve
`fine-grained levels of security in your application.
`
`Chapter 6, Implementing Security Policies
`
`This chapter ties together the information on the security manager and the
`access controller and shows how to implement one or both to achieve a
`desired security policy in your application.
`
`Chapter 7, Introduction to Cryptography
`
`This chapter provides an overview to the cryptographic algorithms of the Java
`security package. It provides a background for the remaining chapters in the
`book.
`
`Chapter 8, Security Providers
`
`This chapter discusses the architecture of the Java security package, and how
`that architecture may be used to extend or supplant the default cryptographic
`algorithms that come with the JDK
`
`Chapter 9, Message Digests
`
`This chapter discusses message digests: how to create them, how to use them,
`and how to implement them.
`
`Chapter 10, Keys and Certificates
`
`This chapter discusses the APis available to model cryptographic keys and cer(cid:173)
`tificates, and how those keys and certificates may be electronically transmitted.
`
`Chapter 11, Key Management
`
`This chapter discusses how keys can be managed within a Java program: how
`and where they may be stored and how they can be retrieved and validated.
`
`Chapter 12, Digital Signatures
`
`This chapter discusses how to create, use, and implement digital signatures.
`This chapter also contains a discussion of signed classes.
`
`Page 15 of 482
`
`

`

`xiv
`
`Chapter 13, Encryption
`
`PREFACE
`
`This chapter discusses the Java Cryptography Extension, which allows develop(cid:173)
`ers to encrypt and decrypt arbitrary streams of traffic.
`
`Appendix A, Security Tools
`
`This appendix discusses the administrative tools that come with Java that
`enable end users and administrators to work with the Java security model:
`keytool, jarsigner, and policytool.
`
`Appendix B, Identity-Based Key Management
`
`Key management in Java 1.1 was radically different than the systems we
`explored in the main text. This appendix discusses how key management was
`handled in Java 1.1; it uses classes that are still present (but not often used) in
`1.2.
`
`Appendix C, Security Resources
`
`This appendix discusses how to keep up-to-date with information about
`Java's security implementation, including a discussion of Java security bugs
`and general resources for further information.
`
`Appendix D, Quick Reference
`
`This appendix is a simple reference guide to the classes that are discussed in
`this book.
`
`Acknowledgments
`I am grateful to the many people who have helped me with this book along the
`way; this book is as much a reflection of their support as anything else. I offer my
`heartfelt thanks to Mike Loukides for stewarding me through the editorial process.
`
`Various drafts of this book were foisted upon my colleagues Mark Bordas, Charles
`Francois, David Plotkin, and Henry Wong; I am indebted to each of them for
`their feedback and support, and to Wendy Talmont for all her support. In addi(cid:173)
`tion, I was extremely fortunate to receive technical assistance from a highly
`talented group of individuals: to Jim Farley, Li Gong, Jon Meyer, Michael
`Norman, and especially to David Hopwood, I offer my deepest thanks for all your
`input. Finally, I must thank Roland Schemers for handling my last-minute barrage
`of questions with patience and insight.
`
`The staff at O'Reilly & Associates was enormously helpful in producing this book,
`including Jane Ellin, the Production Editor; Robert Romano, who created the
`figures; Seth Maislin, who wrote the index; Hanna Dyer, the cover designer;
`
`Page 16 of 482
`
`

`

`PREFACE
`
`XV
`
`Nancy Priest, the interior designer; Mike Sierra for Tools support; and Claire
`Cloutier LeBlanc, Nancy Wolfe Kotary, and Sheryl Avruch for quality control.
`
`Finally, I must offer my thanks to James for all his patience and support, and for
`putting up with my continual state of distraction during phases of this process.
`
`Feedback for the Author
`I welcome any comments on the text that you might have; despite the contribu(cid:173)
`tions of the people I've just listed, any errors or omissions in the text are my
`responsibility. Please send notice of these errors or any other feedback to
`scott. oaks@sun. com.
`
`Page 17 of 482
`
`

`

`I
`
`Java Application
`Security
`
`When Java was first released by Sun Microsystems, it attracted the attention of
`programmers throughout the world. These developers were attracted to Java for
`different reasons: some were drawn to Java because of its cross-platform capabili(cid:173)
`ties, some because of its ease of programming (especially compared to object(cid:173)
`oriented languages like C++), some because of its robustness and memory
`management, some because of Java's security, and some for still other reasons.
`
`Just as different developers came to Java with different expectations, so too did
`they bring different expectations as to what was meant by the ubiquitous phrase
`'Java is secure." Security means different things to different people, and many
`developers who had certain expectations about the word "security" were surprised
`to find that their expectations were not necessarily shared by the designers of Java.
`
`This book discusses the features of Java that make it secure. In this book, we'll
`discuss why Java is said to be secure, what that security means (and doesn't mean),
`and-most importantly-how to use the security features of the Java platform
`within your own programs. This last point is actually the focus of this book: while
`some of Java's security features are automatically a part of all Java programs, many
`of them are not. In this book, we'll learn about all those features, and how to
`utilize them in our own Java applications.
`
`What Is Security?
`The first thing that we must do to facilitate our discussion of Java security is to
`discuss just what Java's security goals are. The term "security" is somewhat vague
`
`1
`
`Page 18 of 482
`
`

`

`2
`
`CHAPTER 1: jAVA APPLICATION SECURITY
`
`unless it is discussed in some context; different expectations of the term "security"
`might lead us to expect that Java programs would be:
`
`•
`
`•
`
`•
`
`•
`
`•
`
`Safe from malevolent programs: Programs should not be allowed to harm a user's
`computing environment. This includes Trojan horses as well as harmful pro(cid:173)
`grams that can replicate themselves-computer viruses.
`
`Non-intrusive: Programs should be prevented from discovering private infor(cid:173)
`mation on the host computer or the host computer's network.
`
`Authenticated: The identity of parties involved in the program should be veri-
`fied.
`
`Encrypted: Data that the program sends and receives should be encrypted.
`
`Audited: Potentially sensitive operations should always be logged.
`
`• Well-defined: A well-defined security specification would be followed.
`
`•
`
`Verified: Rules of operation should be set and verified.
`
`• Well-behaved: Programs should be prevented from consuming too many system
`resources.
`
`•
`
`C2 or Bl certified: Programs should have certification from the U.S. govern-
`ment that certain security procedures are included.
`
`In fact, while all of these features could be part of a secure system, only the first
`two were within the province of Java's 1.0 default security model. Other items in
`the list have been introduced in later versions of Java: authentication was added in
`1.1, encryption is available as an extension to 1.2, and auditing can be added to
`any Java program by providing an auditing security manager. Still others of these
`items will be added in the future. But the basic premise remains that Java security
`was originally and fundamentally designed to protect the information on a
`computer from being accessed or modified (including a modification that would
`introduce a virus) while still allowing the Java program to run on that computer.
`
`The point driving this notion of security is the new distribution model for Java
`programs. One of the driving forces behind Java, of course, is its ability to down(cid:173)
`load programs over a network and run those programs on another machine
`within the context of a Java-enabled browser (or within the context of other Java
`applications). Coupled with the widespread growth of Internet use-and the
`public-access nature of the Internet-Java's ability to bring programs to a user on
`an as-needed, just-in-time basis has been a strong reason for its rapid deployment
`and acceptance.
`
`The nature of the Internet created a new and largely unprecedented requirement
`for programs to be free of viruses and Trojan horses. Computer users had always
`been used to purchasing shrink-wrapped software. Many soon began downloading
`
`Page 19 of 482
`
`

`

`WHAT Is SECURITY?
`
`3
`
`software via ftp or other means and then running that software on their machines.
`But widespread downloading also led to a pervasive problem of malevolent
`attributes both in free and (ironically) in commercial software (a problem which
`continues unabated). The introduction of Java into this equation had the poten(cid:173)
`tial to multiply this problem by orders of magnitude, as computer users now
`download programs automatically and frequently.
`
`For Java to succeed, it needed to circumvent the virus/trojan horse problems that
`plagued other models of software distribution. Hence, the early work on Java
`focused on just that issue: Java programs are considered safe because they cannot
`install, run, or propagate viruses, and because the program itself cannot perform
`any action that is harmful to the user's computing environment. And in this
`context, safety means security. This is not to say that the other issues in the above
`list are not important-each has its place and its importance (in fact, we'll spend
`a great deal of time in this book on the third and fourth topics in that list). But
`the issues of protecting information and preventing viruses were considered most
`important; hence, features to provide that level of security were the first to be
`adopted. Like all parts of Java, its security model is evolving (and has evolved
`through its various releases); many of the notions about security in our list will
`eventually make their way into Java.
`
`One of the primary goals of this book, then, is to explain Java's security model
`and its evolution through releases. In the final analysis, whether or not Java is
`secure is a subjective judgment that individual users will have to make based on
`their own requirements. If all you want from Java is freedom from viruses, any
`release of Java should meet your needs. If you need to introduce authentication
`or encryption into your program, you'll need to use a 1.1 or later release of Java.
`If you have a requirement that all operations be audited, you'll need to build that
`auditing into your applications. If you really need conformance with a U.S. govern(cid:173)
`ment-approved definition of security, Java is not the platform for you. We take a
`very pragmatic view of security in this book: the issue is not whethe