Java programmers are network programmers and, increasingly, network
programmers write applications that need encryption technology. The Internet
is like a huge chat room. Not only is it a worldwide sniffable net, it's
developing its own unique business infrastructure. New virtual services are
required to provide the confidence in business transactions that has been
available through a paper-based system. In addition to privacy, Internet
commerce demands digital forms of signature, currency, notarization, purchase
orders and receipts. Many of the most important Internet applications can be
created only with the support of sophisticated cryptographical techniques.
One of the great things about using Java is that it potentially allows the
developer control over both the client and the server. New crypto classes
will allow creation of applets that can provide security se... (more)
Introduction
Java developers are constantly becoming frustrated because of unexpected
encounters with Java security features. For example, a recent posting on
comp.langs.java.security complained about difficulties in being able to open
a network socket with Java. After reading the security introduction in the
last issue of JDJ, it should be clear that allowing Web content to open
arbitrary network connections on a workstation is highly undesirable. Not
only could this circumvent existing security mechanisms, such as firewalls
and IP address-based access control, but these network... (more)
A New Buzzword
The Java security community has begun to use a new buzz phrase, 'mobile code',
to describe Web executable content like Java, JavaScript and ActiveX. The
name is meant to distinguish it from non-Web forms of executable content,
such as Microsoft Word macros and PostScript. All executable content has the
potential to cause security problems - MS Word macro viruses have caused more
damage than all other executable content attacks combined. Some future
operating environment, such as Project Spin, may well be robust enough to
resist multiple forms of executable content a... (more)
Decisions
The choice of encryption technologies is not always easy, but fortunately
there are often several equally good options. The first step in choosing an
algorithm is knowing the purpose to which it will be applied. Is it to ensure
privacy, integrity, authenticity or to provide non-repudiation? Will it be
used on a small amount of data or files so large that the encryption process
could result in an unacceptable processing delay? The strength of an
encryption method is dependent upon both the algorithm and the key length and
can be understood in terms of the computational r... (more)
One of the most significant aspects of Java programming is that it creates
applications that have extraordinary relevance to computer security. Few UNIX
administrators would be prepared to allow millions of users to execute
programs as root (the administrative superuser) on their system, yet this
level of potentially total power is what every user cedes when they point
their browser at a URL containing some form of Java executable. Because of
this, knowledge of computer security is becoming a requirement for Java
programmers, and Java developers are being held accountable for the... (more)