One of the most significant aspects of Java programming is that it creates
applications that have extraordinary relevance to computer security. Few UNIX
administrators would be prepared to allow millions of users to execute
programs as root (the administrative superuser) on their system, yet this
level of potentially total power is what every user cedes when they point
their browser at a URL containing some form of Java executable. Because of
this, knowledge of computer security is becoming a requirement for Java
programmers, and Java developers are being held accountable for the security
implications of their code. Java experts who can speak authoritatively on
security issues will be in greater demand.
This short series of articles won't dwell on the relative advantage or
disadvantage of Java as a programming language, although it assumes that Java
will be increas...

Decisions
The choice of encryption technologies is not always easy, but fortunately
there are often several equally good options. The first step in choosing an
algorithm is knowing the purpose to which it will be applied. Is it to ensure
privacy, integrity, authenticity or to provide non-repudiation? Will it be
used on a small amount of data or files so large that the encryption process
could result in an unacceptable processing delay? The strength of an
encryption method is dependent upon both the algorithm and the key length and
can be understood in terms of the computational r...

Java programmers are network programmers and, increasingly, network
programmers write applications that need encryption technology. The Internet
is like a huge chat room. Not only is it a worldwide sniffable net, it's
developing its own unique business infrastructure. New virtual services are
required to provide the confidence in business transactions that has been
available through a paper-based system. In addition to privacy, Internet
commerce demands digital forms of signature, currency, notarization, purchase
orders and receipts. Many of the most important Internet application...

Introduction
Java developers are constantly becoming frustrated because of unexpected
encounters with Java security features. For example, a recent posting on
comp.lang.java.security complained about difficulties in being able to open
a network socket with Java. After reading the security introduction in the
last issue of JDJ, it should be clear that allowing Web content to open
arbitrary network connections on a workstation is highly undesirable. Not
only could this circumvent existing security mechanisms, such as firewalls
and IP address-based access control, but these network...

The JDK 1.1 includes a new Java Security API which supports several important
new security features, the most significant of which may turn out to be
signed applets. Properly implemented, digital signatures will provide the
additional trust needed to allow Java applets greater access to client system
capabilities, thereby supporting more powerful Web-based applications.
What Does Everyone Want To Do?
Current browsers, which are based on the JDK 1.0 toolkit, support a very
limited subset of system capability when running Java applets. Sun has taken
a conservative approach and desig...