Java安全基础：加密与密钥管理

Java

需积分: 32 172 浏览量更新于2024-07-17 收藏 1.57MB PDF 举报

身份认证购VIP最低享 7 折!

领优惠券(最高得80元）

"Java安全性简介，涵盖Java安全框架、密钥管理、实验室目标与设置，以及一系列关于数据保密性、文件交换安全、代码签名和信任链建立等实践操作的指导。" Java安全性是软件开发中的关键领域，尤其是对于Java平台，它提供了强大的安全机制来保护应用程序和用户数据。以下是对Java安全性的详细介绍： 1. **基本概念** - **基本术语**：在Java安全中，关键术语包括权限、沙箱模型、安全策略、证书、公钥基础设施（PKI）等。这些概念构成了Java安全的基础。 - **Java安全框架**：Java安全模型基于类加载器和安全策略，通过权限类和安全管理器实现对代码的访问控制，确保只有授权的代码才能执行特定操作。 - **密钥管理**：密钥是加密和解密的核心，Java提供API来生成、存储和管理密钥，如KeyPairGenerator和KeyStore类。 2. **实验室目标与设置** - **实验目标**：实验室通常旨在帮助开发者理解和应用Java安全特性，如创建和使用公钥/私钥对，数字证书的生成和验证，以及利用加密技术保护数据。 - **实验设置**：设置可能包括安装必要的Java开发工具，配置安全环境，如设置安全策略文件，以及导入和导出密钥库。 3. **实践操作** - **数据保密性**：通过使用加密算法（如RSA或AES），可以确保数据在传输或存储时的机密性。 - **文件交换安全**：Java Security Utilities允许开发者实现安全的文件传输，例如，通过生成和验证数字签名来防止篡改。 - **代码签名**：通过使用私钥对代码签名，可以确认代码来源并防止恶意修改，提高Applet或JAR文件的安全性。 - **创建信任链**：证书链确保了证书的可信性，通过验证每个证书的签名，直到达到受信任的根证书颁发机构。 - **防护措施**：通过限制不安全的Java应用程序的执行，比如限制Applet的权限，可以保护用户的系统不受攻击。 4. **Java Security API的使用** - **命令行参数**：Java命令行参数可以用来指定安全选项，如设置信任库路径。 - **密钥生成**：使用KeyPairGenerator类可以生成公钥/私钥对，用于加密和解密。 - **数字签名生成**：Signature类用于生成和验证数字签名，确保数据完整性和来源的不可否认性。 - **密钥存储**：KeyStore类用于管理密钥和证书，可以从文件或密钥库中导入和导出。 Java安全性不仅关注代码的执行安全，还涉及网络通信、数据保护等多个层面。开发者需要理解并熟练掌握这些概念和工具，以构建健壮且安全的Java应用程序。

资源详情

资源推荐

4.2 Creating Public/Private Keys and Digital Certificates

1. Launch the Ubuntu VM with username “user” and password 12345678.

2. Start a terminal window in home folder ~ with menu item “Applications|Accessories|Terminal”.

3. Run “cd ~/JavaSecurityLab” to change the work folder to “~/JavaSecurityLab”.

4. Run Java utility “keytool” as in the following line (on the same line, no line break) to create a pair

of public/private keys, assign alias “PaceKey” to this pair of keys, assign key password

“Seidenberg” to this air of keys, create a new keystore file “PaceKeystore” and set its keystore

password to be “Pace” if there is no such a file in the current folder yet, access keystore file

“PaceKeystore” with keystore password “PaceUniversity”, and insert the new key pair in the

keystore.

keytool -genkey -alias PaceKey -keypass Seidenberg -keystore

PaceKeystore -storepass PaceUniversity

When prompted, enter “John Smith” as first and last names, “Seidenberg” for organizational unit,

“Pace University” as organization, “New York” as city, “NY” as state, “US” as name of two-

letter country code, and “y” to confirm your information. The information that you just entered

interactively is called your distinguished-name information. Since you don’t have a keystore file

“PaceKeystore” in the current folder, this file is created in the current folder. This command also

stored in this keystore a pair of new public/private keys and a self-certified digital certificate that

includes the public key and the distinguished-name information. This certificate will be valid for

90 days, the default validity period if you don’t specify a –validity option. The certificate is

associated with the public/private key pair in a keystore entry referred to by the alias “PaceKey”.

user@ubuntu:~/JavaSecurityLab$ keytool -genkey -alias PaceKey -keypass

Seidenberg -keystore PaceKeystore -storepass PaceUniversity

What is your first and last name?

[Unknown]: John Smith

What is the name of your organizational unit?

[Unknown]: Seidenberg

What is the name of your organization?

[Unknown]: Pace University

What is the name of your City or Locality?

[Unknown]: New York

What is the name of your State or Province?

[Unknown]: NY

What is the two-letter country code for this unit?

[Unknown]: US

Is CN=John Smith, OU=Seidenberg, O=Pace University, L=New York, ST=NY,

C=US correct?

[no]: y

If you don’t specify the keystore file name, “keytool” will use the default file “[user

home]/.keystore”.

5. Run the following command to export a copy of your newly generated public key, with alias

“PaceKey”, in a self-certifying digital certificate file “PaceKey.cer”.

keytool -export -keystore PaceKeystore -alias PaceKey -file PaceKey.cer

“keytool” will ask you for the keystore password “PaceUniversity”, and then generate the new

certificate file “PaceKey.cer”.

user@ubuntu:~/JavaSecurityLab$ keytool -export -keystore PaceKeystore

-alias PaceKey -file PaceKey.cer

Enter keystore password: PaceUniversity

Certificate stored in file <PaceKeys.cer>

6. Run “keytool -printcert -file PaceKey.cer” to review the contents of the certificate in file

“PaceKey.cer”, and “keytool” will print out the following information:

user@ubuntu:~/JavaSecurityLab$ keytool -printcert -file PaceKey.cer

Owner: CN=John Smith, OU=Seidenberg, O=Pace University, L=New York, ST=NY,

C=US

Issuer: CN=John Smith, OU=Seidenberg, O=Pace University, L=New York,

ST=NY, C=US

Serial number: 4ca4dd45

Valid from: Thu Sep 30 11:56:05 PDT 2010 until: Wed Dec 29 10:56:05 PST

2010

Certificate fingerprints:

MD5: CA:09:3C:EC:12:D9:5D:20:E8:1E:6A:FB:88:CE:B2:18

SHA1: F7:CD:4B:18:66:55:C8:2B:BB:9E:AD:92:A8:DF:54:9A:F7:96:93:E7

Signature algorithm name: SHA1withDSA

Version: 3

Note the certificate fingerprints in MD5 and SHA1 formats. If you send this certificate to a friend,

you could both run this command to find the fingerprints of this certificate, and compare them to

see whether the certificate (signed public key) has been compromised in transit.

7. If you were doing the real work, you may now contact one of the CAs, send it your self-signed

certificate file “PaceKey.cer” with your payment, and the CA will verify your distinguished-name

information and send back to you your digital certificate signed by the CA. The CA certified

certificate is the one that you are supposed to distribute to your partners. In this tutorial we skip

this step and just distribute the self-certified certificate in file “PaceKey.cer”.

8. In the real situation, your digital certificate should be distributed to your partners, and imported to

your partners’ keystores. In this tutorial you will also act as your partner. You will import the

newly generated digital certificate in file “PaceKey.cer” into a new keystore file named

“receiverKeystore” in the current folder with the following command

keytool -import -alias Pace -file PaceKey.cer -keystore

receiverKeystore

Upon being asked for keystore password, enter “123456”. When being asked whether you trust

this certificate, respond with “y” for yes.

user@ubuntu:~/JavaSecurityLab$ keytool -import -alias Pace -file

PaceKey.cer -keystore receiverKeystore

Enter keystore password: 123456

Re-enter new password: 123456

Owner: CN=John Smith, OU=Seidenberg, O=Pace University, L=New York, ST=NY,

C=US

Issuer: CN=John Smith, OU=Seidenberg, O=Pace University, L=New York,

ST=NY, C=US

Serial number: 4ca4dd45

Valid from: Thu Sep 30 11:56:05 PDT 2010 until: Wed Dec 29 10:56:05 PST

2010

Certificate fingerprints:

MD5: CA:09:3C:EC:12:D9:5D:20:E8:1E:6A:FB:88:CE:B2:18

SHA1: F7:CD:4B:18:66:55:C8:2B:BB:9E:AD:92:A8:DF:54:9A:F7:96:93:E7

Signature algorithm name: SHA1withDSA

Version: 3

Trust this certificate? [no]: y

Certificate was added to keystore

Question 22: What is the more secure way to run keytool to generate the public/private keys?

4.3 Ensuring Data Confidentiality with Cryptography

Protecting confidential data is a very important task of computer security. Most of the labs in this tutorial

focus on identity authentication and data validation and they don’t encode/decode the data files. In this

lab you will try out Prof. Lixin Tao’s implementation of the Simplified DES algorithm described in file

“JavaSecurityLab/cipher-des/C-SDES.pdf”. This implementation aims at helping students understand the

algorithm, which is not the objective of this lab. With the hands-on experience with applying the DES

cipher you could integrate it into the latter labs to add the data confidentiality component into them. DES

is a very fundamental algorithm in cryptography. If you are taking a course in which cryptography is a

topic, make sure your instructor explains this algorithm and you understand its design and my

implementation. I have used extra comments and clear code design to help you read my DES

implementation. But not all students working on this lab needs to read my source code.

1. Launch the Ubuntu VM with username “user” and password 123456.

2. Start a terminal window in home folder ~ with menu item “Applications|Accessories|Terminal”.

3. Run “cd ~/ JavaSecurityLab/cipher-des” to change work folder to “~/JavaSecurityLab/cipher-

des”.

4. Run “javac S_DES_File.java” to compile all the four Java source code files into their

corresponding bytecode files.

5. Run “java S_DES_File” to find out how to run this program.

usage: java S_DES_File inputFile outputFile key-bits [decode]

The program takes one input file and one output file. For encoding with DES, the input file is the

data file, and the output file is its encoded version. For decoding, the input file is the encoded file,

and the output file is the decoded data file. In either case you need to provide “key-bits”, the

secret key in form of 1-10 binary bits (the professional implementation will use much longer

keys; short keys allow you to trace the DES algorithm if you turn on the debugging mode of the

program). Make sure that you use the same key to encode and decode a file. The “decode” switch

is needed only when you decode a file.

6. Run “java S_DES_File GettysburgAddress.txt secret 1010101010” to use the DES algorithm to

encode file “GettysburgAddress.txt” into a binary file “secret” with the secret key 1010101010.

7. Run “more secret” to confirm that you could not figure out the contents of file “secret”.

8. Run “java S_DES_File secret GettysburgAddress2.txt 1010101010 decode” to decode file

“secret” into plain file “GettysburgAddress2.txt” with the same secret key.

9. Run “more GettysburgAddress2.txt” to confirm that you have recovered the original file

contents. Therefore your encode/decode process works correctly.

You can use this program to encode/decode any file of any size no matter it is a binary file or a text file.

剩余45页未读，继续阅读

robsworld2006

粉丝: 0
资源: 2

Java安全基础：加密与密钥管理

wx494社区门诊管理系统小程序-php+vue+uniapp.zip（可运行源码+sql文件+文档）

HTML+CSS+JS+JQ+Bootstrap的家具风格趋势展示响应式网页.7z

高分项目，基于Python+OpenCV的实时疲劳驾驶检测系统，内含源码+演示视频+部署教程

Java窗口按钮安全性加固

Java国密SM9算法的安全性分析

使用Java安全框架加固代码，提高系统安全性

Java内存模型与线程安全性

Java代码安全性规范与最佳实践

java安全漫谈pdf

java代码安全性扫描工具

java安全方面面试题

java语言具有较好的安全性和可移植性及平台无关等特性

java安全编码规范

Java的面向对象，安全性，跨平台，动态性，

java 静态方法 多线程_Java静态方法的线程安全性问题

java安全编码标准 2008 pdf 北京邮电

java 安全编码规范

信息安全行业java

java 安全威胁建模文档

java安全通信系统设计

最新资源

java 静态方法多线程_Java静态方法的线程安全性问题