The first time you sign into developerWorks, a profile is created for you. Select information in your profile (name, country/region, and company) is displayed to the public and will accompany any content you post. You may update your IBM account at any time.

All information submitted is secure.

The first time you sign in to developerWorks, a profile is created for you, so you need to choose a display name. Your display name accompanies the content you post on developerworks.

Please choose a display name between 3-31 characters. Your display name must be unique in the developerWorks community and should not be your email address for privacy reasons.

All information submitted is secure.

My developerWorks:

My notifications:

Sign out

Select a language:

Java security: Java security, Part 1: Crypto basics

Brad Rubin (BradRubin@BradRubin.com), Principal, Brad Rubin & Associates Inc.

Brad Rubin is principal of Brad Rubin & Associates Inc., a computer-security consulting company specializing in wireless network and Java application security and education. Brad spent 14 years with IBM in Rochester, MN, working on all facets of the AS/400 hardware and software development, starting with its first release. He was a key player in IBM's move to embrace the Java platform, and was lead architect of IBM's largest Java application, a business application framework product called SanFrancisco (now part of WebSphere). He was also chief technology officer for the Data Storage Division of Imation Corp., as well as the leader of its R&D organization.

Brad has degrees in Computer and Electrical Engineering, and a Doctorate in Computer Science from the University of Wisconsin, Madison. He currently teaches the Senior Design course in Electrical and Computer Engineering at the University of Minnesota, and will develop and teach the university's Computer Security course in Fall 2002.

Summary: The Java platform, both its base language features and library extensions, provides an excellent base for writing secure applications. In this tutorial, the first of two parts on Java security, Brad Rubin guides you through the basics of cryptography and how it is implemented in the Java programming language, using plenty of code examples to illustrate the concepts.

Date: 19 Jul 2002
Level: Introductory
PDF: A4 and Letter (112 KB | 32 pages)Get Adobe® Reader®

Activity: 86392 views
Comments:

About this tutorial

What is this tutorial about?

There is perhaps no software engineering topic of more timely importance than application security. Attacks are costly, whether the attack comes from inside or out, and some attacks can expose a software company to liability for damages. As computer (and especially Internet) technologies evolve, security attacks are becoming more sophisticated and frequent. Staying on top of the most up-to-date techniques and tools is one key to application security; the other is a solid foundation in proven technologies such as data encryption, authentication, and authorization.

The Java platform, both the basic language and library extensions, provides an excellent foundation for writing secure applications. This tutorial covers the basics of cryptography and how it is implemented in the Java programming language, and it offers example code to illustrate the concepts.

In this first installment of a two-part tutorial, we cover material in the library extensions -- now part of the JDK 1.4 base -- known as Java Cryptography Extension (JCE) and Java Secure Sockets Extension (JSSE). In addition, this tutorial introduces the CertPath API, which is new for JDK 1.4. In Part 2 (see Resources), we'll expand the discussion to encompass access control, which is managed in the Java platform by the Java Authentication and Authorization Service (JAAS).

Should I take this tutorial?

This is an intermediate-level tutorial; it assumes you know how to read and write basic Java programs, both applications and applets.

If you are already a Java programmer and have been curious about cryptography (topics such as private and public key encryption, RSA, SSL, certificates) and the Java libraries that support them (JCE, JSSE), this tutorial is for you. It does not assume any previous background in cryptography, JCE, or JSSE.

This tutorial introduces the basic cryptographic building block concepts. Each concept is followed by the Java implementation considerations, a code example, and the results of the example execution.

Tools, code samples, and installation requirements

You'll need the following items to complete the programming exercises in this tutorial:

JDK 1.4, Standard Edition
The tutorial source code and classes, JavaSecurity1-source.jar, so that you can follow the examples as we go along
The Bouncy Castle Crypto library for the RSA example
A browser that supports the Java 1.4 plug-in

You can use JDK 1.3.x, but you must install JCE and JSSE yourself.

A note on the code examples

The code examples dump encrypted data directly to the screen. In most cases, this will result in strange-looking control characters, some of which may occasionally cause screen-formatting problems. This is not good programming practice (it would be better to convert them to displayable ASCII characters or decimal representations), but has been done here to keep the code examples and their output brief.

In most cases in the example execution sections, the actual strings have been modified to be compatible with the character set requirements of this tutorial. Also, in most examples, we look up and display the actual security provider library used for a given algorithm. This is done to give the user a better feel of which libraries are called for which functions. Why? Because, in most installations, there are a number of these providers installed.

Comments