
Structure of Book - Enterprise Java 2 Security

 
Xie Ruchang
Ranch Hand
Posts: 160
Hi,
I have learnt that the basic concepts of security are covered by these four areas.
1. Authentication
2. Authorisation
3. Confidentiality
4. Non-repudiation
(Please comment if I missed out other basic security concepts.)
I would like to find out whether the book relates the security APIs or features with regard to these basic security concepts or it is oriented using another framework.
Another question, related to non-repudiation: I found it confusing after reading a few books on security. Do digital certificates address this issue adequately? Is it covered in the book?
Best Regards
 
Warren Dew
blacksmith
Ranch Hand
Posts: 1332
I'm thinking a general table of contents for the book could be really useful....
 
Marco Pistoia
Author
Greenhorn
Posts: 27
Hi Frankie. My answers below.
I have learnt that the basic concepts of security are covered by these four areas.
1. Authentication
2. Authorisation
3. Confidentiality
4. Non-repudiation
(Please comment if I missed out other basic security concepts.)
ANSWER: I would add access control to your list.
I would like to find out whether the book relates the security APIs or features with regard to these basic security concepts or it is oriented using another framework.
ANSWER: Absolutely: we show all the security APIs that can be used to achieve the security requirements above. We go over all the topics you listed in very deep detail, with lots of sample code.
Another question, related to non-repudiation: I found it confusing after reading a few books on security. Do digital certificates address this issue adequately? Is it covered in the book?
ANSWER: Yes, non-repudiation is covered in the book. We talk about two types of non-repudiation: the sender of a message cannot deny having sent the message, and the receiver of a message cannot deny having received the message. For this to work, cryptographic functions need to be applied.
I hope this helps,
Marco
P.S. The Table of Contents of the book is available online at http://www.aw-bc.com/catalog/academic/product/0,4096,0321118898-TOC,00.html
 
Xie Ruchang
Ranch Hand
Posts: 160
Thanks, Marco, for the quick reply.
In response to the fifth item added to the list, access control: I thought that is the same as authorisation. Could you please explain the difference between access control and authorisation?
Best Regards
 
Nicholas Cheung
Ranch Hand
Posts: 4982
In addition to the 5th element you added, there is one more: Data Integrity, which means data has not been changed during transmission.
Nick
 
Nicholas Cheung
Ranch Hand
Posts: 4982

Could you please explain the difference between access control and authorisation.

I would say they are similar things.
An Access Control List (ACL) usually is a complete list of resources in the system among all users. When a user accesses resource X, the system checks with the ACL to see whether the user can access that resource. Thus, I feel access control may even be a subset of authorization in a certain sense.
Nick
 
Xie Ruchang
Ranch Hand
Posts: 160
Nick,
Aren't Data Integrity and Confidentiality the same thing?
Best Regards,
 
Nicholas Cheung
Ranch Hand
Posts: 4982
No.
Data Integrity and Confidentiality refer to different things.
For Data Integrity, A just wants to make sure that the message sent to B is not changed by a hacker X. The message can be public; everyone can read it. For example, a public notice is put on the board, but A needs to make sure that the content of the notice is not changed.
For Confidentiality, A sends B a message, but A doesn't want persons other than B to be able to read the message. Thus, the message is private to B ONLY. An example can be some legal documents, or contracts.
Nick
 
Nicholas Cheung
Ranch Hand
Posts: 4982
In addition, confidentiality does not necessarily mean the content cannot be changed.
A wants to send a message to B, so A can encrypt the message using B's public key. However, a bad guy, X, can capture this message from the network. X can then create a fake message, encrypt this message using B's public key and send it to B, pretending that this message was sent by A.
As a result, A's message is kept confidential, because X cannot decrypt it and get its content; however, the message received by B is NOT the one actually sent by A.
To avoid such a case, in addition to encrypting the message with B's public key, A needs to sign the encrypted message with his private key, so that B knows the message is actually from A, and the content has not changed.
Nick
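The substitution Nick describes, and the fix of having A sign what A sends, worked through with the standard Java security APIs (java.security.KeyPairGenerator, java.security.Signature and javax.crypto.Cipher). This is an added example, not code from the thread or from the book; the 2048-bit RSA keys, the OAEP transformation name, the SHA256withRSA signature algorithm and the message strings are choices made here for illustration. It also exercises the two kinds of non-repudiation Marco lists earlier in the thread: A's signature means A cannot deny sending the message, and a receipt signed by B over what B received means B cannot deny receiving it.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import javax.crypto.Cipher;

/**
 * Added example (not from the book): encryption alone gives confidentiality
 * but lets an attacker X substitute his own ciphertext; a signature from A
 * gives B integrity and origin, and gives A non-repudiation of sending.
 */
public class EncryptSignDemo {

    // Algorithm names are assumptions for this demo; both are in the standard JCA names list.
    static final String RSA_ENC = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    static final String SIG_ALG = "SHA256withRSA";

    static KeyPair newKeyPair() throws GeneralSecurityException {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        return g.generateKeyPair();
    }

    /** Confidentiality: only the holder of the matching private key can read this. */
    static byte[] encryptFor(PublicKey recipient, String text) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(RSA_ENC);
        c.init(Cipher.ENCRYPT_MODE, recipient);
        return c.doFinal(text.getBytes(StandardCharsets.UTF_8));
    }

    static String decryptWith(PrivateKey recipient, byte[] ciphertext) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(RSA_ENC);
        c.init(Cipher.DECRYPT_MODE, recipient);
        return new String(c.doFinal(ciphertext), StandardCharsets.UTF_8);
    }

    /** Integrity + origin + non-repudiation: only the holder of the private key can produce this. */
    static byte[] sign(PrivateKey signer, byte[] data) throws GeneralSecurityException {
        Signature s = Signature.getInstance(SIG_ALG);
        s.initSign(signer);
        s.update(data);
        return s.sign();
    }

    static boolean verify(PublicKey signer, byte[] data, byte[] signature) throws GeneralSecurityException {
        Signature s = Signature.getInstance(SIG_ALG);
        s.initVerify(signer);
        s.update(data);
        return s.verify(signature);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPair a = newKeyPair();   // sender A
        KeyPair b = newKeyPair();   // receiver B
        KeyPair x = newKeyPair();   // attacker X (has his own key pair, not A's)

        // 1. Confidentiality only. A encrypts for B; X captures it and substitutes his own
        //    message, also encrypted for B. B decrypts both and cannot tell which one A sent.
        byte[] fromA = encryptFor(b.getPublic(), "Pay 100 to Carol");   // constructed sample message
        byte[] fromX = encryptFor(b.getPublic(), "Pay 100 to X");       // constructed fake message
        System.out.println("B reads: " + decryptWith(b.getPrivate(), fromA));
        System.out.println("B reads: " + decryptWith(b.getPrivate(), fromX));

        // 2. Encrypt and sign. A signs what A sends with A's private key; B verifies with A's public key.
        byte[] sigA = sign(a.getPrivate(), fromA);
        byte[] sigX = sign(x.getPrivate(), fromX);   // the best X can do: sign with X's own key
        System.out.println("A's message, A's signature: " + verify(a.getPublic(), fromA, sigA)); // true
        System.out.println("X's message, X's signature: " + verify(a.getPublic(), fromX, sigX)); // false
        System.out.println("X's message, A's signature: " + verify(a.getPublic(), fromX, sigA)); // false

        // 3. Non-repudiation of receipt. B returns a signed receipt over exactly what B received;
        //    A (or a third party) checks it with B's public key, so B cannot later deny receiving it.
        byte[] receipt = sign(b.getPrivate(), fromA);
        System.out.println("B's receipt verifies: " + verify(b.getPublic(), fromA, receipt)); // true
    }
}
```

Compile and run with `javac EncryptSignDemo.java && java EncryptSignDemo`; only the JDK is needed. Two caveats a practitioner would want: RSA-OAEP is applied directly to the message here only because the messages are a few bytes long (a 2048-bit key with SHA-256 OAEP caps the plaintext at 190 bytes), and real systems encrypt a random symmetric key this way and encrypt the message with that key. Also, signing only the ciphertext, as in the post, proves who sent that ciphertext but not that the signer knew its contents, so a third party could strip A's signature and re-sign A's ciphertext under his own key; the usual practice is to sign the plaintext (including the intended recipient) and then encrypt, or to sign both.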
 
bas duijzings
Ranch Hand
Posts: 83
This is all nice, but a real question: how many of us/you have gone beyond authentication / authorisation / access control lists and maybe SSL for security?
I assume we are still talking web application, so what sort of applications are actually using these technologies.
Please note, I do not mean that these technologies should not be used. I am only asking it out of curiosity
bas
 
Nicholas Cheung
Ranch Hand
Posts: 4982

How many of us/you have gone beyond authentication / authorisation / access control lists and maybe ssl for security ?

I think those are already the most common security measures. Most systems will use these measures or their variants.

I assume we are still talking web application, so what sort of applications are actually using these technologies.

Any applications that need a user login requires Authentication.
Applications that provide different information or services to different users will use Authorization. For example, Amazon's customers can only view book info and purchase books, but they cannot add a new book to the book list. The actions that can be performed by a certain user are governed by the ACL.
Applications that need to exchange sensitive data point to point may require SSL. Data within the channel is encrypted, which secures the transmission, such as sending a login name and password over the Internet to log on to the system.
Secure Electronic Transaction (SET) is used when you checkout books from Amazon using Credit Card.
There are many places that need security measures, especially E-commerce systems.
Nick
 
bas duijzings
Ranch Hand
Posts: 83
Thanks for taking it out of context. I know what the different security measures entail. I wanted to know how many of us/you have gone beyond authentication / authorisation / access control lists and maybe SSL for security.
Your remark :
Secure Electronic Transaction (SET) is used when you checkout books from Amazon using Credit Card.

still stands, but only if you worked on it yourself, which I doubt.
baz
 
Nicholas Cheung
Ranch Hand
Posts: 4982

still stands, but only if you worked on it yourself which I doubt.

There are 2 ways of implementing SET. One, suggested by you, is that we implement it ourselves.
We have 4 parties: the customer, Amazon, the customer's bank and Amazon's bank. Of course, we can always implement the protocol by working with the authentication of digital certificates, and perform the transaction.
Another way is that we have a payment gateway; this gateway obtains the necessary info and does the rest (according to the SET protocol) for us.
We send credit card info to Amazon; in fact, Amazon may not carry out the $ transfer. It may simply pass the card info, as well as the customer's bank and Amazon's bank, to a payment gateway. This gateway can be either a trusted third party, like Visa or MasterCard, or the customer's bank. Then SET is performed by that gateway, while Amazon is not involved. It will only be notified whether the transaction succeeded.
In that sense, we may not really need to implement the SET protocol in our own programs or systems, if we make use of a third party.
Nick
 