Java Reference
In-Depth Information
CHAPTER 6
Security and Cryptography
Security is one of the key features that has made Java as successful as it has been.
The Java security architecture includes access control mechanisms that allows
untrusted programs, such as applets, to be executed safely, without fear that they
will cause malicious damage, steal company secrets, or otherwise wreak havoc.
The access control mechanisms used by Java have changed substantially between
Java 1.0 and 1.2; we'll discuss the Java 1.2 mechanisms in this chapter.
Access control is only one half of the Java security architecture, however. The
other half is authentication. The java.security package and its subpackages
allow you to create and verify cryptographic checksums and digital signatures to
prove whether a Java class file (or any other file) is authentic; that is whether it
truly comes from the source that it purports to be from. The authentication API has
also changed as Java has evolved, and I cover the Java 1.2 API here.
The access control and authentication aspects of the Java security architecture are
closely coupled. Access control is about granting privileges only to trusted code.
But what code should you trust? If you know which people and organizations to
trust (which is ultimately a social, not a technological, problem), you can use
authentication technologies, such as digital signatures, to allow you to trust the
Java class files from those people and organizations.
Cryptography is clearly an important piece of the Java security architecture.
Because of strict U.S. export regulations, however, encryption and decryption tech-
nologies are not part of the standard Java distribution. The Java Cryptography
Extension™ (JCE) is available as an extension, though, to support encryption and
decryption.
This chapter contains examples that show how you can use the access control,
authentication, and cryptographic APIs of Java and the JCE.
 
Search WWH ::




Custom Search