m Java security concepts

Owned by jim mason
Last updated: Jan 03, 2024 by jimm1
8 min read

Key Points

  1. Java supports full security management - stores, certificates, keys in different key stores


References

Reference_description_with_linked_URLs_______________________Notes______________________________________________________________










https://www.pixelstech.net/article/1408345768-Different-types-of-keystore-in-Java----Overview

m Java Security Certificate Mgt

Java keystore types


Java Passkeys for webauthn-and-passkeys-for-java-developers/ ***













Key Concepts



Java provides a set of tools to manage security

https://docs.oracle.com/javase/9/tools/security-tools-and-commands.htm#JSWOR691


Spring frameworks also add Security features any Java solution can use


Identity Management



Certificate Management

https://docs.oracle.com/javase/9/tools/security-tools-and-commands.htm#JSWOR691


You use specific JDK security tools and commands to set security policies on your local system and create applications that can work within the scope of the security policies set at remote sites.

The following sections describe the security tools and commands used to set security policies and to create applications:

  • keytool: You use the keytool command and options to manage a keystore (database) of cryptographic keys, X.509 certificate chains, and trusted certificates.

  • jarsigner: You use the jarsigner tool to sign and verify Java Archive (JAR) files.

  • policytool: You use policytool to read and write a plain text policy file based on user input through the utility GUI.

    Note:

    The policytool tool has been deprecated in JDK 9 and might be removed in the next major JDK release.

The following sections describe the Kerberos security tools and commands for Windows systems:

  • kinit: You use the kinit tool and its options to obtain and cache Kerberos ticket-granting tickets.

  • klist: You use the klist tool to display the entries in the local credentials cache and key table.

  • ktab: You use the ktab tool to manage the principal names and service keys stored in a local key table.


PKI - Public Key Infrastructure - X509 and PKCS standards



NIST PKI Glossary

https://csrc.nist.gov/glossary/term/public_key_infrastructure


Tech Target - PKCS standards

https://www.techtarget.com/searchsecurity/definition/Public-Key-Cryptography-Standards

pkcs-techtarget.com-What are Public-Key Cryptography Standards PKCS.pdf  link

pkcs-techtarget.com-What are Public-Key Cryptography Standards PKCS.pdf. file


These standards cover the following:

  • Rivest-Shamir-Adleman (RSA) encryption
  • RSA signature
  • password-based encryption
  • encrypted or cryptographic message syntax
  • private key information syntax
  • selected object category and attribute type
  • certification or authentication request syntax
  • encryption or cryptographic token interface
  • personal information exchange syntax
  • encrypted or cryptographic token information syntax

A primary goal of developing PKCS was to make different applications from different vendors interoperable. However, security developers also had other aims, namely, to accelerate the deployment of public key cryptography by vendors, foster more secure communications through extensive cryptography and avoid the errors in typical schemes


Entrust on PKI Concepts

https://www.entrust.com/resources/certificate-solutions/learn/what-is-pki#:~:text=PKI%20is%20an%20acronym%20for,identity%20and%20provides%20certain%20allowances.


PKI Bootcamp - What is a PKI? - Paul Turner

https://www.youtube.com/watch?v=5OqgYSXWYQM


  • PKI Overview: Paul Turner introduces Public Key Infrastructure (PKI), explaining it as a system to secure communications between parties like Bob with his web server (Bob.com) and users like Sally who wants to securely connect and share sensitive data, ensuring authenticity and security through digital certificates.
  • Certificate Authorities and Registration: The process involves a Certificate Authority (CA) issuing digital certificates after verifying the requestor's legitimacy through a Registration Authority (RA), which could be a person or an automated system. This RA confirms the requestor's control over the domain or resource.
  • Certificate Trust and Verification: When Sally connects to Bob.com, she relies on the website's certificate to ensure its authenticity. Her trust is based on certificates embedded in her software by the CA, with root certificates from Root Certificate Authorities providing a higher level of security and trustworthiness.
  • Certificate Revocation and Status Checking: The PKI system includes mechanisms for revoking certificates, such as Certificate Revocation Lists (CRLs), and checking the current status of a certificate through Online Certificate Status Protocol (OCSP) or Certificate Transparency, ensuring ongoing trustworthiness of certificates.
  • PKI Infrastructure and Attack Surface: The PKI ecosystem comprises various components like policy documents, practice statements, and software tools, all forming part of the attack surface. The system's robustness is critical as attackers may target any weak link, from key pair generation to certificate validation, to compromise security.


PKI Bootcamp - Basics of Certificate Issuance - Paul Turner 

https://www.youtube.com/watch?v=L1GkEnftoRQ


Summarized with 5 bullet points

  • Introduction to Certificate Issuance: Paul Turner of Benefi introduces the basics of certificate issuance in PKI (Public Key Infrastructure), emphasizing the need to understand the hierarchical structure from root to issuing CA (Certificate Authority), and finally to individual server certificates.
  • Root CA Creation: The intricate process of setting up a Root CA is highlighted, including a ceremonial approach to ensure security, involving the creation of key pairs and a self-signed root certificate. The authenticity of root certificates relies heavily on the secure distribution to software vendors' trust stores.
  • Issuing CA Setup: Similar to Root CA, Issuing CA setup involves a ceremonial and secure process to create its key pair and certificate signing request (CSR). The Root CA validates and signs the Issuing CA's CSR, establishing a trust hierarchy.
  • Server Certificate Issuance for Domains: Domain administrators, like Bob for ABCD.com, generate key pairs and CSRs for their servers. After validating the authority and authenticity, the Issuing CA signs the server's certificate, allowing it to be trusted for communications.
  • Chain of Trust and Validation: The process establishes a chain of trust from the server certificate to the Root CA. The session hints at future discussions on the validation process, ensuring each certificate in the chain is authentic and trusted, critical for secure communications and business operations.


Summaried in 10 bullet points

  1. Introduction to PKI Basics: Paul Turner of Benefi discusses the basics of certificate issuance within Public Key Infrastructure (PKI), explaining the importance of understanding the hierarchical structure of certificate authorities (CAs).
  2. PKI Hierarchy Overview: The session outlines a typical PKI hierarchy, consisting of a root CA, issuing CAs, and end-entity certificates for servers like ABCD.com.
  3. Root CA Establishment: Emphasizes the complex and ceremonial process involved in establishing a root CA, including setting up key pairs and creating a self-signed root certificate.
  4. Root Certificate Uniqueness: Highlights that the root certificate's security isn't in the certificate itself but in the distribution process to software vendors' trust stores.
  5. Issuing CA Creation: Describes the similar ceremonial process for setting up an issuing CA, which involves creating key pairs and certificate signing requests (CSRs) to be signed by the root CA.
  6. Security in CA Validation: Stresses the security and validation processes involved in signing the issuing CA's certificate by the root CA, ensuring a trusted hierarchy is maintained.
  7. Server Certificate Issuance: Details the process by which server administrators like Bob for ABCD.com create key pairs and CSRs to request certificates for their servers, involving validation of authority and domain ownership.
  8. Chain of Trust Establishment: Discusses the creation of a chain of trust from the server certificate up to the root certificate, ensuring each link in the chain is valid and trustworthy.
  9. Role of Signing Keys: Explains the use of signing keys by CAs to sign certificates, adding a layer of authentication and trust to the certificate issuance process.
  10. Final Remarks on Validation and Trust: Hints at future discussions on detailed validation processes and how trust is managed and maintained across the entire PKI structure, emphasizing the complex nature of certificate issuance and management.


Summarized with 20 bullet points

  1. Session Introduction: Paul Turner from Benefi introduces the basics of certificate issuance in Public Key Infrastructure (PKI), aiming to clarify the complex hierarchy involving root and issuing CAs.
  2. PKI Hierarchy Overview: The session outlines the typical structure of PKI, including root CAs, issuing CAs, and individual server certificates, forming a hierarchical model.
  3. Importance of Root CA: The process of setting up a root CA is explained as intricate and critical, involving a ceremonial and secure setup to ensure trustworthiness.
  4. Root CA Key Pair Creation: It is highlighted that the root CA creates a key pair, consisting of a public and private key, crucial for signing certificates and establishing security.
  5. Self-Signed Root Certificate: The root CA issues a self-signed root certificate, proving access and authenticity to its own key pair, despite inherent security limitations of the certificate itself.
  6. Distribution of Root Certificates: Emphasizes the security of root certificates not in the certificate itself but in the secure distribution process to software vendors' trust stores.
  7. Issuing CA Setup: Describes the setup of an issuing CA, mirroring the root CA's process with its own ceremony and security protocols, including key pair creation and requesting a certificate from the root CA.
  8. Certificate Signing Request (CSR) for Issuing CA: The issuing CA creates a CSR containing its public key and other relevant information, which is sent to the root CA for signing.
  9. Security of Issuing CA's Certificate: Highlights the security measures and validation process involved in the root CA signing the issuing CA's certificate, ensuring its authenticity.
  10. Server Certificate Issuance Process: Details the steps taken by server administrators like Bob for domain ABCD.com to generate key pairs, create CSRs, and request certificates for servers.
  11. Validation of Server's Certificate Request: Explains the need for server administrators to prove their authority and domain ownership as part of the certificate request process.
  12. CA's Role in Signing Server Certificates: Discusses how the CA, upon validating the server's request, uses its signing key to issue a certificate, establishing trust for the server's communications.
  13. Chain of Trust Formation: The process creates a chain of trust linking the server certificate to the issuing CA and up to the root CA, validating the entire path.
  14. Security Implications of Signing Keys: Emphasizes the importance of secure signing keys used by CAs to authenticate and sign certificates, forming the backbone of trust.
  15. Public vs. Private CAs: Distinguishes between public CAs, which are trusted by browsers worldwide, and private CAs, which are trusted within specific organizations.
  16. Complexity of Certificate Issuance: Acknowledges the intricate nature of certificate issuance and the many steps involved in ensuring a secure and trusted PKI environment.
  17. Future Topics on Validation: Hints at future discussions detailing the validation process and how each certificate in the chain is verified for authenticity.
  18. Administrative Responsibilities: Highlights the administrative responsibilities in managing PKI, including creating key pairs, handling CSRs, and ensuring proper validation.
  19. Role of Trust Stores: Mentions the critical role of trust stores in software vendors, which hold the trusted root certificates needed to validate chains of trust.
  20. Summary and Importance: Concludes by reinforcing the importance of understanding the certificate issuance process within PKI for securing communications and validating identities in digital environments.





Java Keystores

https://www.pixelstech.net/article/1408345768-Different-types-of-keystore-in-Java----Overview

m Java Security Certificate Mgt   — can be done with Openssl tools nicely

https://docs.oracle.com/javase/9/tools/keytool.htm#JSWOR-GUID-5990A2E4-78E3-47B7-AE75-6D1826259549

java-keytool-docs.oracle.com-keytool.pdf

java-security-keytool-Step by step tutorial to create Keystore and Truststore file _ Tech Brainwave.pdf



Authentication Management


Look at Spring Security


Java Passkeys for webauthn-and-passkeys-for-java-developers/ ***


main problems with passwords:

  • Knowledge-based:
    • People can be socially engineered, quite easily, to divulge passwords, or other information that can be used to get to the password.
    • In this day and age there are just too many passwords to remember. If passwords are easy to remember they are also easy to guess. Complex passwords are not easy to remember, so we end up reusing passwords.
  • Phishing: Phishing websites can easily harvest passwords from even the most tech-savvy.
  • Remote Replay: Accounts can be accessed remotely using harvested passwords.
  • Data Breach: Applications become a target for data breaches when they store passwords.
  • Share and Reuse: Sharing and reusing passwords makes them even more vulnerable.
  • Password management: Passwords are not just a hassle for the end users, they are a hassle on the server side as well. Because
    • We need to build password recovery and reset flows.
    • We need multi-factor authentication flows to secure them further.
    • They need to be reset regularly in some use cases.

Passwordless Options

If you can verify a user's identity with something other than a password as the first factor of authentication, it is passwordless. We are doing this every day to unlock our phones and laptops using our fingerprints, faces, and so on.

There are a few passwordless methods that you might have seen here and there. Like:

  • Biometric authentication
  • Magic links
  • SMS/Email One-Time Password (OTP)
  • Push notifications

But most of these methods are not secure enough to replace a password + Multi-Factor Authentication (MFA) combination.


Passkeys

A passkey is a unique cryptographic key pair that allows you to access online services without using passwords. It is based on asymmetric public-key cryptography.

Unlike passwords, passkeys are resistant to phishing, are always strong, and are designed so that there are no shared secrets. –– FIDO Alliance

Passkey challenges

Where are passkeys reliably custodied without threat ?

How are passkeys automatically updated without client impact?

What are passkey standards - just PKI






Access Management ( RBAC )


Look at Spring Security





JEE Security Concepts




Spring Security Concepts


Look at Spring Security






Potential Value Opportunities



Potential Challenges



Candidate Solutions



Step-by-step guide for Example



sample code block

sample code block



Recommended Next Steps