This Week's Giveaway

Sheriff
Posts: 3341
This Week we are giving away four copies of the book "Professional Java Security".
And the best part... The Authors, Jess Garms and Daniel Somerfield, will be online to answer your questions!
For details, check out JavaRanch Book Promotion Page.
Let's all give Jess and Dan a warm JavaRanch welcome!
Remember, your UserName must meet the requirements of the Naming Policy (http://www.javaranch.com/name.jsp) and the post you make has to deal with the Other Java APIs.
Thanks to Wrox for the books
 
Ranch Hand
Posts: 31
Thank you for joining us today. It is always nice to have an opportunity to win a free book. I never do, but one day I will get lucky :> )
I may have some Java security questions soon in the future.
The program that I am working on now will eventually require the users to log in to determine their user privileges. We are using Win2000 as our operating system. We are even using the JDK 1.4 beta version because of certain required methods that are not in the 1.3 version.
Where would you think that I should start my research on how I should implement this security issue in my Java program?
Would you recommend a certain package that I can import and use?
Does your book cover logging in and establishing users from a Java program?
------------------
 
Ranch Hand
Posts: 15304
Hi, thanks for taking the time to talk to everyone today. I am coding an application with a client/server. I have a couple of questions.
First, how much JAVA cryptology does your book cover, if any, and what do you believe to be the best way to secure your class files? I realize that there is always a way to hack into anything, but I might as well make it as tough as possible.
Thanks for any help.
Gregg
 
Ranch Hand
Posts: 1365
Is RMI safe?
 
Sheriff
Posts: 17644
Just wondering what kind of coverage this book gives on security in J2EE applications. I'm looking for some discussion on various strategies for securing a J2EE application and pros and cons of the strategies. Any feedback would be greatly appreciated.
 
Author
Posts: 17
Thanks for the welcome. Of course the first place I'd recommend you look for Java security info is our book.
For what you're doing, it sounds like you'd be most interested in JAAS, the Java Authentication and Authorization Service. It's an optional package for JDK 1.3, but is included in 1.4. You can read the Sun documentation at http://java.sun.com/products/jaas/. Our book covers it, but somewhat briefly, as it had just been released when we were writing the book.
JAAS allows you to, as the name suggests, authenticate and authorize users to perform certain actions.

Originally posted by Jamie Young:
Thank you for joining us today. It is always nice to have an opportunity to win a free book. I never do, but one day I will get lucky :> )
I may have some Java security questions soon in the future.
The program that I am working on now will eventually require the users to log in to determine their user privileges. We are using Win2000 as our operating system. We are even using the JDK 1.4 beta version because of certain required methods that are not in the 1.3 version.
Where would you think that I should start my research on how I should implement this security issue in my Java program?
Would you recommend a certain package that I can import and use?
Does your book cover logging in and establishing users from a Java program?



------------------
 
Jess Garms
Author
Posts: 17

Originally posted by Gregg Bolinger:
First, how much JAVA cryptology does your book cover, if any, and what do you believe to be the best way to secure your class files? I realize that there is always a way to hack into anything, but I might as well make it as tough as possible.


The book's main focus is using cryptography in Java for encryption and authentication. There are also chapters on using secure protocols, like SSL.
The best way to secure class files depends on your goal. If you're writing server-side code, you may not need to do anything because your classes are never exposed. If you're shipping a product or an applet though, you may want to use a byte-code obfuscator.
Obfuscators aren't really protection though. They just make it more difficult to decompile your code. When you're implementing security in your programs, make sure that exposing the code wouldn't compromise the application. That is, try to keep the real security in a key or password that only an authorized user would have.
If you're looking for a free obfuscator, check out Retroguard: http://www.retrologic.com/

------------------
 
Jess Garms
Author
Posts: 17

Originally posted by David Garland:
Is RMI safe?


By default, RMI isn't particularly safe, especially if used over the internet. All data is sent in clear text, and it is possible to spoof messages.
You can increase security when using RMI, however, by tunneling it over SSL, adding encryption and authentication to the communication. Sun includes an example of this with the JSSE download (http://java.sun.com/products/jsse/), which is their implementation of SSL for Java. Our book also contains some examples of tunneling RMI over SSL.

------------------
 
Jess Garms
Author
Posts: 17

Originally posted by JUNILU LACAR:
Just wondering what kind of coverage this book gives on security in J2EE applications. I'm looking for some discussion on various strategies for securing a J2EE application and pros and cons of the strategies. Any feedback would be greatly appreciated.


Our book covers some J2EE security, but it's not the main focus. J2EE is fairly new, and people are still struggling to find the best way to secure J2EE applications. The first thing to look into is JAAS, which is being bundled into J2EE as a way to provide pluggable authentication and authorization.
I would still consider our book to be useful for J2EE security development, because we look at application security in general, in addition to specific APIs and pre-existing architectures. There are a number of techniques that apply to any server-side application, whether it's servlet- or J2EE-based.
------------------
 
Greenhorn
Posts: 3
Do you have any idea when a production-quality release of J2SE 1.4 with JAAS will be coming out? I couldn't find it on Sun's site...
Thanks in advance,
Gina
 
Ranch Hand
Posts: 334
Jess and others,
If I use only JSP/Servlet as server-side programs, my system cannot be as secure as a system built with EJBs, since EJB technology gives you more chances/places to implement security protocols.
Is it correct? This means with EJB you can have a more secure system.
Thanks,
Ruilin
 
Ranch Hand
Posts: 365
Re: Is RMI Safe?
I was surprised to read Jess's answer to this. I thought with Java 2 and the use of policy files that RMI would be relatively (the magic word) secure.
Max Tomlinson
 
Author
Posts: 11
Actually, that isn't really the case. Rather than thinking that extra tiers give you more places to implement security, think of each tier as a potential weak point where you NEED to implement security. Every time you go over the network, for example, you are exposing your data to attack.
EJB servers do provide you with some APIs for implementing security, such as method-level access control and JAAS. However, there really isn't anything there that you can't either write yourself, or download separately.
If you are only using Servlet/JSP, then use SSL with client authentication and some sort of security model, either based on the Java Security APIs or a simpler home-brewed solution.
Assuming you use a separate database, you also have to worry about securing that connection. Our book has a couple of strategies for doing just that. Some databases have built-in encryption and authentication functionality which will save you some work. Finally, you can partition off the database with network infrastructure, preventing outside connections.
Overall, EJB isn't going to help you much with these problems. It just adds an extra tier that needs to be protected.

Originally posted by ruilin yang:
Jess and others,
If I use only JSP/Servlet as server-side programs, my system cannot be as secure as a system built with EJBs, since EJB technology gives you more chances/places to implement security protocols.
Is it correct? This means with EJB you can have a more secure system.
Thanks,
Ruilin



------------------
Daniel Somerfield
Author of Professional Java Security
 
ruilin yang
Ranch Hand
Posts: 334
Thanks a lot Daniel. I learnt a lot.
 
Jess Garms
Author
Posts: 17

Originally posted by Gina Peers:
Do you have any idea when a production-quality release of J2SE 1.4 with JAAS will be coming out? I couldn't find it on Sun's site...


Last I heard, the plan was to release 1.4 by the end of the year. I would imagine that means December.

------------------
 
Greenhorn
Posts: 17
Are JCE and JSSE bundled with the current version of J2EE?
 
Ranch Hand
Posts: 243
I have been trying for more than a year to make the sample JSSE example work. If you look at sample\sockets\server\ClassFileServer.java:
Theoretically you should be able to start this service and then access it over https, but I have not succeeded in doing this. Earlier it used to get stuck while doing the handshake.
Now it throws

    java.security.NoSuchAlgorithmException: Algorithm TLS not available
        at com.sun.net.ssl.b.a([DashoPro-V1.2-120198])
        at com.sun.net.ssl.SSLContext.getInstance([DashoPro-V1.2-120198])
        at ClassFileServer.getServerSocketFactory(ClassFileServer.java:138)
        at ClassFileServer.main(ClassFileServer.java:115)
    Exception in thread "main" java.lang.NullPointerException
        at ClassFileServer.main(ClassFileServer.java:116)

Can anybody help me with this?
 
Ranch Hand
Posts: 5040

<whispering>Welcome, Jess and Daniel.</whispering>
That's secure info...
ssshhhhhh!!!
- satya
 
Ranch Hand
Posts: 128
Hi, it's nice to have a good book on security!
I planned to take SCEA and it will be nice to win this book!!!
Thanks
 
Jess Garms
Author
Posts: 17

Originally posted by David Bejjam:
Are JCE and JSSE bundled with the current version of J2EE?


I believe that JSSE is included in J2EE, but not the JCE. JDK 1.4 will contain both though, so once J2EE upgrades to that, it will automatically contain the JCE as well.
------------------
Jess Garms
Author of "Professional Java Security"
 
ruilin yang
Ranch Hand
Posts: 334
Jess/Daniel,
When we implement security in an application/system, what kind of granularity would you recommend? I mean, what is the guideline to design a security system for an application? Are there any patterns to follow?
My question may appear to be silly since I do not know a lot about the topic.
Thanks,
Ruilin
 
Jess Garms
Author
Posts: 17

Originally posted by mohit joshi:
I have been trying for more than a year to make the sample JSSE example work. If you look at sample\sockets\server\ClassFileServer.java:
Theoretically you should be able to start this service and then access it over https, but I have not succeeded in doing this. Earlier it used to get stuck while doing the handshake.
Now it throws

    java.security.NoSuchAlgorithmException: Algorithm TLS not available
        at com.sun.net.ssl.b.a([DashoPro-V1.2-120198])
        at com.sun.net.ssl.SSLContext.getInstance([DashoPro-V1.2-120198])
        at ClassFileServer.getServerSocketFactory(ClassFileServer.java:138)
        at ClassFileServer.main(ClassFileServer.java:115)
    Exception in thread "main" java.lang.NullPointerException
        at ClassFileServer.main(ClassFileServer.java:116)

Can anybody help me with this?


It's possible that you don't have the JSSE provider registered. Try the following line of code before connecting:
Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
Also make sure all three of the JSSE jars are on your classpath.

------------------
Jess Garms
Author of "Professional Java Security"
 
mohit joshi
Ranch Hand
Posts: 243
thanks for the prompt reply. However I have statically registered the provider as follows in the file:
<java-home>\lib\security\java.security
#
# List of providers and their preference orders (see above):
#
security.provider.1=sun.security.provider.Sun
security.provider.2=com.sun.net.ssl.internal.ssl.Provider
which should have the same effect? Or do you think Dynamic registration might help in my case?
Also I do have the three jar files in my classpath..., since I am able to compile the sample files.
Regards
Mohit Joshi
[This message has been edited by mohit joshi (edited August 22, 2001).]
 
Jess Garms
Author
Posts: 17

Originally posted by mohit joshi:
thanks for the prompt reply. However I have statically registered the provider as follows in the file:
<java-home>\lib\security\java.security
#
# List of providers and their preference orders (see above):
#
security.provider.1=sun.security.provider.Sun
security.provider.2=com.sun.net.ssl.internal.ssl.Provider
which should have the same effect? Or do you think Dynamic registration might help in my case?
Also I do have the three jar files in my classpath..., since I am able to compile the sample files.
Regards
Mohit Joshi
[This message has been edited by mohit joshi (edited August 22, 2001).]


Go ahead and try dynamically adding the provider and let us know what happens. Sometimes there are several VMs installed on a machine, and java_home isn't where you might expect it to be.

------------------
Jess Garms
Author of "Professional Java Security"
 
Jess Garms
Author
Posts: 17

Originally posted by ruilin yang:
Jess/Daniel,
When we implement security in an application/system, what kind of granularity would you recommend? I mean, what is the guideline to design a security system for an application? Are there any patterns to follow?


Well, this is a pretty enormous topic, and it's difficult to provide a comprehensive response in a short space. To determine the granularity you need, you have to ask yourself what are you trying to protect? If it's a single network connection to a database, then it's easy: protect that one connection with SSL or network infrastructure.
Typically though, things aren't that simple. Perhaps you have multiple users of the system who each might have sensitive information. Then at the very least, you need to implement security that's granular enough to distinguish between users. Alternatively, maybe there are only two *types* of users: regular and administrative. Then your job is easier: you only need to deal with those two types in your application.
One of the things to remember when implementing security is to keep it simple. The more complex your security gets, the more likely you or some other programmer is to route around it in order to accomplish a task when time is tight. By keeping things as straightforward as possible, people are much more likely to use the system as it was intended.


------------------
Jess Garms
Author of "Professional Java Security"
 
Ranch Hand
Posts: 58
Jess/Daniel
Is Java the best language for implementing security,
and is the book you guys wrote for beginners or for above beginners?

And does it tell how to implement security in an efficient way, because some books don't tell how we can improve our performance while coding for security.
I guess anyone can implement security in their applications by using the Java APIs, but how we implement the security is the real problem, I guess.

Thanks for joining us,

 
mohit joshi
Ranch Hand
Posts: 243
hello Jess,
I tried dynamically adding the provider and it is working now. Also there is no Handshake problem now, Thanks for the help.

Regards
Mohit Joshi
 
mohit joshi
Ranch Hand
Posts: 243
Now I am trying to run the sample client to connect to the SSLServer on the local machine. It is throwing the following exception while doing the handshake (it is not recognizing the certificate produced by the server. In the case of a browser, you can click on an option and accept a certificate, but how can we do it with the sample client? Any feedback?)

    D:\jdk1.2\jsse\samples\sockets\client>java SSLSocketClient
    before handshake
    javax.net.ssl.SSLException: untrusted server cert chain
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.a([DashoPro-V1.2-120198])
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage([DashoPro-V1.2-120198])
        at com.sun.net.ssl.internal.ssl.Handshaker.process_record([DashoPro-V1.2-120198])
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
        at com.sun.net.ssl.internal.ssl.AppOutputStream.write([DashoPro-V1.2-120198])
        at java.io.OutputStream.write(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake([DashoPro-V1.2-120198])
        at SSLSocketClient.main(SSLSocketClient.java:58)

I guess one way to solve this is to install the certificate with the client, but I suppose there would be an option to accept unknown certificates.
[This message has been edited by mohit joshi (edited August 22, 2001).]
 
mohit joshi
Ranch Hand
Posts: 243
Figured out a way of doing it.
One has to define a new TrustManager and use it while creating the SSLSocketFactory as follows:

    // JSSE 1.0.x: SSLContext and the trust manager types live in com.sun.net.ssl,
    // the socket classes in javax.net.ssl
    import com.sun.net.ssl.*;
    import javax.net.ssl.*;

    SSLContext sc = SSLContext.getInstance("TLS");
    TrustManager[] tma = { new MyX509TrustManager() };
    sc.init(null, tma, null);
    SSLSocketFactory factory = sc.getSocketFactory();
    SSLSocket socket = (SSLSocket) factory.createSocket("localhost", 443);

The MyX509TrustManager class can be defined as:

    // Accepts every certificate chain, so the handshake never fails on an
    // unknown server certificate
    class MyX509TrustManager implements X509TrustManager {
        public boolean isClientTrusted(java.security.cert.X509Certificate[] chain) {
            return true;
        }
        public boolean isServerTrusted(java.security.cert.X509Certificate[] chain) {
            return true;
        }
        public java.security.cert.X509Certificate[] getAcceptedIssuers() {
            return null;
        }
    }

Of course these methods could be more elaborate depending on your requirements...
Regards
Mohit Joshi
 
Jess Garms
Author
Posts: 17

Originally posted by ravi bask:
Jess/Daniel
Is Java the best language for implementing security,
and is the book you guys wrote for beginners or for above beginners?

And does it tell how to implement security in an efficient way, because some books don't tell how we can improve our performance while coding for security.
I guess anyone can implement security in their applications by using the Java APIs, but how we implement the security is the real problem, I guess.


I think Java is the best language for implementing secure applications, but I'm pretty biased. I like the fact that the most common server security problem, buffer overruns, is impossible in Java due to the language itself.
Our book is for intermediate to advanced Java programmers. You don't need any security knowledge to understand it, but you will need to know Java pretty well.
In answer to your question about efficiency, we discuss it at various times throughout the book. Security implementation is often limited by what is computationally feasible, and you need to be cognizant of that when writing your applications.

------------------
Jess Garms
Author of "Professional Java Security"
 
Jess Garms
Author
Posts: 17
That will do the trick, but you're no longer checking the server's certificate for authenticity. This means it might be possible for someone to mount a man-in-the-middle attack on your communications. A more secure solution would be to install the server's certificate in the client's trust store, or to use a certificate signed by a certificate authority like Verisign.
Of course, if you're just looking to test out some JSSE stuff, and not planning on putting it into production, this is a fine solution.

Originally posted by mohit joshi:
Figured out a way of doing it.
One has to define a new TrustManager and use it while creating the SSLSocketFactory as follows:

    // JSSE 1.0.x: SSLContext and the trust manager types live in com.sun.net.ssl,
    // the socket classes in javax.net.ssl
    import com.sun.net.ssl.*;
    import javax.net.ssl.*;

    SSLContext sc = SSLContext.getInstance("TLS");
    TrustManager[] tma = { new MyX509TrustManager() };
    sc.init(null, tma, null);
    SSLSocketFactory factory = sc.getSocketFactory();
    SSLSocket socket = (SSLSocket) factory.createSocket("localhost", 443);

The MyX509TrustManager class can be defined as:

    // Accepts every certificate chain, so the handshake never fails on an
    // unknown server certificate
    class MyX509TrustManager implements X509TrustManager {
        public boolean isClientTrusted(java.security.cert.X509Certificate[] chain) {
            return true;
        }
        public boolean isServerTrusted(java.security.cert.X509Certificate[] chain) {
            return true;
        }
        public java.security.cert.X509Certificate[] getAcceptedIssuers() {
            return null;
        }
    }

Of course these methods could be more elaborate depending on your requirements...
Regards
Mohit Joshi



------------------
Jess Garms
Author of "Professional Java Security"
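The trust-store approach Jess recommends, as an added example (not code from the thread or the book): it places the accept-everything manager next to an SSLContext whose trust decisions come from an explicit trust store, and also turns on hostname checking, which a trust store alone does not give a raw socket. It uses the javax.net.ssl API of Java 7 or later rather than the com.sun.net.ssl API of the JSSE 1.0 samples; the trust-store path, password and host are assumptions.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustStoreClient {

    // Equivalent of MyX509TrustManager from the thread in the javax.net.ssl API:
    // the check methods never throw, so every server certificate chain is
    // accepted and a host interposed between client and server is trusted just
    // like the real server. Shown for contrast only.
    static final class AcceptAllTrustManager implements X509TrustManager {
        public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    /**
     * Builds an SSLContext that trusts only chains rooted in an explicit trust
     * store holding the server's certificate or its issuing CA, created for
     * instance with:
     *   keytool -importcert -alias server -file server.crt -keystore client-truststore.jks
     * Any other chain fails the handshake with an SSLHandshakeException, which
     * is exactly the failure the accept-all manager suppresses.
     */
    static SSLContext contextFromTrustStore(String trustStorePath, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /**
     * Opens a socket that validates the chain against the trust store and also
     * checks that the certificate names the host we asked for. Without the
     * endpoint identification setting, a raw SSLSocket accepts any certificate
     * the trust store vouches for, whichever host presented it.
     */
    static SSLSocket connect(SSLContext ctx, String host, int port) throws IOException {
        SSLSocketFactory factory = ctx.getSocketFactory();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);
        socket.startHandshake();
        return socket;
    }

    public static void main(String[] args) throws Exception {
        // Assumed values: point these at the trust store and server under test.
        String trustStorePath = "client-truststore.jks";
        char[] password = "changeit".toCharArray();
        SSLContext ctx = contextFromTrustStore(trustStorePath, password);
        try (SSLSocket socket = connect(ctx, "localhost", 443)) {
            System.out.println("Handshake completed with cipher suite "
                + socket.getSession().getCipherSuite());
            System.out.println("Peer: " + socket.getSession().getPeerPrincipal());
        }
    }
}
```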
 
mohit joshi
Ranch Hand
Posts: 243
well I was just trying to simulate what happens when a browser points to a https site. Usually the user is presented with the certificate information and if he decides to trust the certificate, he can install it on his machine. To implement this would require further work on my part..
Thanks for your comments
Mohit Joshi
 
Greenhorn
Posts: 6
Does the book cover Java security in relation to some of the authentication systems like Kerberos?
Also, one more basic question: is there a way to decode an MD5 hashed string using the MessageDigest class?
 
Jess Garms
Author
Posts: 17

Originally posted by PAVAN KUMAR99:
Does the book cover Java security in relation to some of the authentication systems like Kerberos?
Also, one more basic question: is there a way to decode an MD5 hashed string using the MessageDigest class?


The book covers authentication using SSL and custom solutions, but not Kerberos.
There is no way to decode a message digest. It's a one-way transformation.

------------------
Jess Garms
Author of "Professional Java Security"
 
Greenhorn
Posts: 13
Hi,
does the book cover java security on mobile phones?
thanks,
dirk
 
mister krabs
Posts: 13974
As regular visitors to the "Meaningless Drivel" forum know, book covers are a serious topic of discussion. Jess and Daniel may wish to drop in here:

http://www.javaranch.com/ubb/Forum32/HTML/000817-4.html
[This message has been edited by Thomas Paul (edited August 23, 2001).]
 
Ranch Hand
Posts: 38
If I remember correctly, one uses MD5 or SHA to create a digest. Then, you can send the digest along with a file, so the receiver can create its own digest and compare. If the digests match, then the file is unadulterated.

Originally posted by PAVAN KUMAR99:
Does the book cover Java security in relation to some of the authentication systems like Kerberos?
Also, one more basic question: is there a way to decode an MD5 hashed string using the MessageDigest class?


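The digest-and-compare check described above, as an added example (not code from the thread or the book). It uses SHA-256 rather than MD5, compares with the constant-time MessageDigest.isEqual, and adds the step a bare digest lacks: a keyed HMAC, since whoever rewrites the file can just as easily recompute the digest that travels with it. The sample file contents and key are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class DigestCheck {

    /** Sender and receiver both run this. The output is one-way: there is no
     *  operation that turns the digest back into the file. */
    static byte[] digest(byte[] data) throws GeneralSecurityException {
        return MessageDigest.getInstance("SHA-256").digest(data);
    }

    /** Integrity check on the receiving side: recompute and compare.
     *  MessageDigest.isEqual runs in constant time, so timing does not
     *  reveal how many leading bytes of a guess were right. */
    static boolean digestMatches(byte[] received, byte[] expectedDigest)
            throws GeneralSecurityException {
        return MessageDigest.isEqual(digest(received), expectedDigest);
    }

    /** A plain digest detects accidental or unauthenticated change only: an
     *  attacker who replaces the file also replaces the digest sent with it.
     *  Keying the hash (HMAC) ties the check to a secret both parties hold. */
    static byte[] hmac(byte[] key, byte[] data) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data);
    }

    static boolean hmacMatches(byte[] key, byte[] received, byte[] expectedTag)
            throws GeneralSecurityException {
        return MessageDigest.isEqual(hmac(key, received), expectedTag);
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the "file" being shipped and the key both parties share.
        byte[] file = "constructed sample file contents".getBytes(StandardCharsets.UTF_8);
        byte[] key = "constructed-shared-key".getBytes(StandardCharsets.UTF_8);

        byte[] sentDigest = digest(file);
        byte[] sentTag = hmac(key, file);
        System.out.println("SHA-256 of file: " + hex(sentDigest));

        byte[] tampered = file.clone();
        tampered[0] ^= 0x01;   // flip a single bit in transit
        System.out.println("intact file, digest matches:   " + digestMatches(file, sentDigest));
        System.out.println("tampered file, digest matches: " + digestMatches(tampered, sentDigest));

        // Active attacker: replaces the file and recomputes the digest to match...
        byte[] forgedDigest = digest(tampered);
        System.out.println("tampered file, forged digest:  " + digestMatches(tampered, forgedDigest));
        // ...but cannot produce a valid tag without the shared key.
        byte[] forgedTag = hmac("wrong-key".getBytes(StandardCharsets.UTF_8), tampered);
        System.out.println("tampered file, forged tag:     " + hmacMatches(key, tampered, forgedTag));
        System.out.println("intact file, genuine tag:      " + hmacMatches(key, file, sentTag));
    }
}
```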
 
Daniel Somerfield
Author
Posts: 11

Originally posted by Dirk Trompetter:
Hi,
does the book cover java security on mobile phones?
thanks,
dirk


No, I am afraid not. Some of the server-side APIs we cover are perfectly valid whether you are using mobile phones or some other client, but we don't talk about phones specifically.
I should say that I don't think the processors on phones (or the Palm for that matter) are really fast enough for PKI yet. They can do symmetric encryption relatively well, but are a little pokey for asymmetric.

------------------
Daniel Somerfield
Author of Professional Java Security
 
ruilin yang
Ranch Hand
Posts: 334
Jess/Daniel
Some architecture designs can solve some security problems. In order to get a good security implementation on a system, it is better to start from the architecture design in combination with security considerations.
How much does your book cover/discuss architecture design in terms of better security? I mean, some security problems can be solved purely by a proper architecture design. Sometimes we have to make a trade-off between architecture design, performance considerations, and security. I would like to get some comments from you, the experts.
Thanks in advance.
Ruilin
 
Ranch Hand
Posts: 49
Hi,
Are there design patterns for security?
 