
Key Points

  1. Java supports full security management - stores, certificates, keys in different key stores


References

Reference description with linked URLs                                                                  Notes

https://www.pixelstech.net/article/1408345768-Different-types-of-keystore-in-Java----Overview            Java keystore types

Java Security Certificate Mgt

Java Passkeys for webauthn-and-passkeys-for-java-developers/ ***













Key Concepts



Java provides a set of tools to manage security

https://docs.oracle.com/javase/9/tools/security-tools-and-commands.htm#JSWOR691


The Spring frameworks also add security features that any Java solution can use.


Identity Management



Certificate Management

https://docs.oracle.com/javase/9/tools/security-tools-and-commands.htm#JSWOR691


You use specific JDK security tools and commands to set security policies on your local system and create applications that can work within the scope of the security policies set at remote sites.

The following sections describe the security tools and commands used to set security policies and to create applications:

  • keytool: You use the keytool command and options to manage a keystore (database) of cryptographic keys, X.509 certificate chains, and trusted certificates.

  • jarsigner: You use the jarsigner tool to sign and verify Java Archive (JAR) files.

  • policytool: You use policytool to read and write a plain text policy file based on user input through the utility GUI.

    Note:

    The policytool tool has been deprecated in JDK 9 and might be removed in the next major JDK release.

The following sections describe the Kerberos security tools and commands for Windows systems:

  • kinit: You use the kinit tool and its options to obtain and cache Kerberos ticket-granting tickets.

  • klist: You use the klist tool to display the entries in the local credentials cache and key table.

  • ktab: You use the ktab tool to manage the principal names and service keys stored in a local key table.


PKI - Public Key Infrastructure - X509 and PKCS standards



NIST PKI Glossary

https://csrc.nist.gov/glossary/term/public_key_infrastructure


Tech Target - PKCS standards

https://www.techtarget.com/searchsecurity/definition/Public-Key-Cryptography-Standards


Entrust on PKI Concepts

https://www.entrust.com/resources/certificate-solutions/learn/what-is-pki#:~:text=PKI%20is%20an%20acronym%20for,identity%20and%20provides%20certain%20allowances.


https://www.youtube.com/watch?v=5OqgYSXWYQM


  • PKI Overview: Paul Turner introduces Public Key Infrastructure (PKI), explaining it as a system to secure communications between parties like Bob with his web server (Bob.com) and users like Sally who wants to securely connect and share sensitive data, ensuring authenticity and security through digital certificates.
  • Certificate Authorities and Registration: The process involves a Certificate Authority (CA) issuing digital certificates after verifying the requestor's legitimacy through a Registration Authority (RA), which could be a person or an automated system. This RA confirms the requestor's control over the domain or resource.
  • Certificate Trust and Verification: When Sally connects to Bob.com, she relies on the website's certificate to ensure its authenticity. Her trust is based on certificates embedded in her software by the CA, with root certificates from Root Certificate Authorities providing a higher level of security and trustworthiness.
  • Certificate Revocation and Status Checking: The PKI system includes mechanisms for revoking certificates, such as Certificate Revocation Lists (CRLs), and checking the current status of a certificate through Online Certificate Status Protocol (OCSP) or Certificate Transparency, ensuring ongoing trustworthiness of certificates.
  • PKI Infrastructure and Attack Surface: The PKI ecosystem comprises various components like policy documents, practice statements, and software tools, all forming part of the attack surface. The system's robustness is critical as attackers may target any weak link, from key pair generation to certificate validation, to compromise security.


https://www.youtube.com/watch?v=L1GkEnftoRQ


  • Introduction to Certificate Issuance: Paul Turner of Venafi introduces the basics of certificate issuance in PKI (Public Key Infrastructure), emphasizing the need to understand the hierarchical structure from root to issuing CA (Certificate Authority), and finally to individual server certificates.
  • Root CA Creation: The intricate process of setting up a Root CA is highlighted, including a ceremonial approach to ensure security, involving the creation of key pairs and a self-signed root certificate. The authenticity of root certificates relies heavily on the secure distribution to software vendors' trust stores.
  • Issuing CA Setup: Similar to Root CA, Issuing CA setup involves a ceremonial and secure process to create its key pair and certificate signing request (CSR). The Root CA validates and signs the Issuing CA's CSR, establishing a trust hierarchy.
  • Server Certificate Issuance for Domains: Domain administrators, like Bob for ABCD.com, generate key pairs and CSRs for their servers. After validating the authority and authenticity, the Issuing CA signs the server's certificate, allowing it to be trusted for communications.
  • Chain of Trust and Validation: The process establishes a chain of trust from the server certificate to the Root CA. The session hints at future discussions on the validation process, ensuring each certificate in the chain is authentic and trusted, critical for secure communications and business operations.


Summarized in 10 bullet points

  1. Introduction to PKI Basics: Paul Turner of Venafi discusses the basics of certificate issuance within Public Key Infrastructure (PKI), explaining the importance of understanding the hierarchical structure of certificate authorities (CAs).
  2. PKI Hierarchy Overview: The session outlines a typical PKI hierarchy, consisting of a root CA, issuing CAs, and end-entity certificates for servers like ABCD.com.
  3. Root CA Establishment: Emphasizes the complex and ceremonial process involved in establishing a root CA, including setting up key pairs and creating a self-signed root certificate.
  4. Root Certificate Uniqueness: Highlights that the root certificate's security isn't in the certificate itself but in the distribution process to software vendors' trust stores.
  5. Issuing CA Creation: Describes the similar ceremonial process for setting up an issuing CA, which involves creating key pairs and certificate signing requests (CSRs) to be signed by the root CA.
  6. Security in CA Validation: Stresses the security and validation processes involved in signing the issuing CA's certificate by the root CA, ensuring a trusted hierarchy is maintained.
  7. Server Certificate Issuance: Details the process by which server administrators like Bob for ABCD.com create key pairs and CSRs to request certificates for their servers, involving validation of authority and domain ownership.
  8. Chain of Trust Establishment: Discusses the creation of a chain of trust from the server certificate up to the root certificate, ensuring each link in the chain is valid and trustworthy.
  9. Role of Signing Keys: Explains the use of signing keys by CAs to sign certificates, adding a layer of authentication and trust to the certificate issuance process.
  10. Final Remarks on Validation and Trust: Hints at future discussions on detailed validation processes and how trust is managed and maintained across the entire PKI structure, emphasizing the complex nature of certificate issuance and management.
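The root CA, issuing CA and server certificate issuance steps summarized above, carried out with OpenSSL as an added example (this is not code from the videos or from this page). Every name, file path, validity period and the abcd.test domain are constructed; the point is that only the root certificate is a trust anchor, and that the server certificate validates only when the issuing CA certificate can link it back to that root.

```shell
#!/bin/sh
# Added example, not from the page or the videos it summarizes. Builds the
# root CA -> issuing CA -> server certificate hierarchy with OpenSSL and
# checks the chain of trust. All names, paths and the domain are constructed.
set -eu

PKI="${PKI:-$(mktemp -d)}"

# Extension profiles for each tier of the hierarchy (constructed).
cat > "$PKI/root.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
cat > "$PKI/issuing.ext" <<'EOF'
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
cat > "$PKI/server.ext" <<'EOF'
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:www.abcd.test
EOF

# Key pair plus certificate signing request (CSR) for one entity.
gen_key_and_csr() {  # $1 = basename, $2 = subject
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$PKI/$1.key" 2>/dev/null
  openssl req -new -key "$PKI/$1.key" -subj "$2" -out "$PKI/$1.csr" 2>/dev/null
}

# 1. Root CA: key pair and a self-signed root certificate (the "ceremony" step).
make_root_ca() {
  gen_key_and_csr root "/O=Example/CN=Example Root CA"
  openssl x509 -req -in "$PKI/root.csr" -signkey "$PKI/root.key" -days 3650 \
    -extfile "$PKI/root.ext" -out "$PKI/root.pem" 2>/dev/null
}

# 2. Issuing CA: its own key pair and CSR, signed with the root CA's key.
make_issuing_ca() {
  gen_key_and_csr issuing "/O=Example/CN=Example Issuing CA"
  openssl x509 -req -in "$PKI/issuing.csr" -CA "$PKI/root.pem" -CAkey "$PKI/root.key" \
    -CAcreateserial -days 1825 -extfile "$PKI/issuing.ext" -out "$PKI/issuing.pem" 2>/dev/null
}

# 3. Server certificate: the domain admin's key pair and CSR, signed by the issuing CA.
make_server_cert() {
  gen_key_and_csr server "/O=ABCD/CN=www.abcd.test"
  openssl x509 -req -in "$PKI/server.csr" -CA "$PKI/issuing.pem" -CAkey "$PKI/issuing.key" \
    -CAcreateserial -days 397 -extfile "$PKI/server.ext" -out "$PKI/server.pem" 2>/dev/null
}

# 4. Chain of trust: only the root is a trust anchor; the issuing CA certificate
#    is passed as an untrusted intermediate and must itself chain to the root.
verify_chain() {
  openssl verify -CAfile "$PKI/root.pem" -untrusted "$PKI/issuing.pem" \
    "$PKI/server.pem" >/dev/null 2>&1
}

# Same server certificate with the intermediate missing: the path back to the
# root cannot be built, so validation must fail.
verify_without_intermediate() {
  openssl verify -CAfile "$PKI/root.pem" "$PKI/server.pem" >/dev/null 2>&1
}

make_root_ca
make_issuing_ca
make_server_cert
for c in root issuing server; do
  openssl x509 -in "$PKI/$c.pem" -noout -subject -issuer
done
if verify_chain; then echo "chain OK"; else echo "chain FAILED"; fi
if verify_without_intermediate; then echo "unexpected: verified without intermediate"; fi
```

The issuing CA gets `pathlen:0`, so a certificate it issues cannot itself act as a CA; that is the "hierarchy" constraint the summaries describe, enforced by the validator rather than by policy alone. Clients that trust only `root.pem` must be sent `issuing.pem` alongside the server certificate (the usual TLS chain), otherwise they see the same failure as `verify_without_intermediate`.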








Java Keystores

https://www.pixelstech.net/article/1408345768-Different-types-of-keystore-in-Java----Overview

Java Security Certificate Mgt   — can be done with OpenSSL tools nicely

https://docs.oracle.com/javase/9/tools/keytool.htm#JSWOR-GUID-5990A2E4-78E3-47B7-AE75-6D1826259549

java-keytool-docs.oracle.com-keytool.pdf

java-security-keytool-Step by step tutorial to create Keystore and Truststore file _ Tech Brainwave.pdf



Authentication Management


Look at Spring Security


Java Passkeys for webauthn-and-passkeys-for-java-developers/ ***


main problems with passwords:

  • Knowledge-based:
    • People can be socially engineered, quite easily, to divulge passwords, or other information that can be used to get to the password.
    • In this day and age there are just too many passwords to remember. If passwords are easy to remember they are also easy to guess. Complex passwords are not easy to remember, so we end up reusing passwords.
  • Phishing: Phishing websites can easily harvest passwords from even the most tech-savvy.
  • Remote Replay: Accounts can be accessed remotely using harvested passwords.
  • Data Breach: Applications become a target for data breaches when they store passwords.
  • Share and Reuse: Sharing and reusing passwords makes them even more vulnerable.
  • Password management: Passwords are not just a hassle for the end users, they are a hassle on the server side as well. Because
    • We need to build password recovery and reset flows.
    • We need multi-factor authentication flows to secure them further.
    • They need to be reset regularly in some use cases.

Passwordless Options

If you can verify a user's identity with something other than a password as the first factor of authentication, it is passwordless. We are doing this every day to unlock our phones and laptops using our fingerprints, faces, and so on.

There are a few passwordless methods that you might have seen here and there. Like:

  • Biometric authentication
  • Magic links
  • SMS/Email One-Time Password (OTP)
  • Push notifications

But most of these methods are not secure enough to replace a password + Multi-Factor Authentication (MFA) combination.


Passkeys

A passkey is a unique cryptographic key pair that allows you to access online services without using passwords. It is based on asymmetric public-key cryptography.

Unlike passwords, passkeys are resistant to phishing, are always strong, and are designed so that there are no shared secrets. –– FIDO Alliance

Passkey challenges

Where are passkeys reliably custodied without threat?

How are passkeys automatically updated without client impact?

What are passkey standards - just PKI






Access Management ( RBAC )


Look at Spring Security





JEE Security Concepts




Spring Security Concepts


Look at Spring Security






Potential Value Opportunities



Potential Challenges



Candidate Solutions



Step-by-step guide for Example



sample code block




Recommended Next Steps


