
Java Security -- why????

 
Richard Smolen
Greenhorn
Posts: 7
Could someone explain why or give a scenario where someone would want to code a Java security solution from scratch, rather than using a 3rd Party product like PGP? It seems less cost-effective and much more risky to code your own security.
I'm sure the book's introduction discusses this, but as I haven't won a copy yet ... ;-)
 
Mark Herschberg
Sheriff
Posts: 6037
It depends on what you mean by security solution.
Why would they re-implement Blowfish, or try to improve on it? I have no idea. I've got a master's degree in cryptography and I sure wouldn't trust myself to write a better crypto algorithm. There's maybe 2000 people in the world (many of whom work for governments) who can write a good crypto algorithm.
But as for a solution, that's a different story. Most libraries only provide low-level functionality. Low level? Yes, things like SSL are pretty high level compared to Blowfish or RC5. However, they are lower level than the complex security model used in today's enterprise systems.
Do you need something which provides authentication to multiple data sets with different access control lists? Do you need anonymity when going through a data set to which you have access? No single algorithm will give you that, so you need to combine a couple of protocols together, i.e. build your own solution.
Even then, they should be careful. I wouldn't trust myself at this level either--not without some peer review.
So generally speaking, you can't do everything you might want with off-the-shelf systems.

--Mark
 
Daniel Somerfield
Author
Greenhorn
Posts: 11
Generally, if there is a reliable third-party product that does the job, by all means use it. My recommendation is to use well-tested open-source code. This way lots of people have been checking the code for holes.
However, one day, you will find a situation where there isn't a product to do the job. We have run into this on a number of occasions. This is particularly common in situations where you are already writing a Java application and need to build security capabilities for it, whether that is a permissions model, encryption, single sign-on, whatever. The Java Security APIs are broad enough to cover most of these situations.
That being said, I believe it is not wise to use (or write your own) proprietary encryption algorithms. There are plenty of well-tested implementations of existing, well-tested algorithms like RSA and Blowfish out there. There is rarely a situation where you should do your own.
Good luck winning a copy
Originally posted by Richard Smolen:
Could someone explain why or give a scenario where someone would want to code a Java security solution from scratch, rather than using a 3rd Party product like PGP? It seems less cost-effective and much more risky to code your own security.
I'm sure the book's introduction discusses this, but as I haven't won a copy yet ... ;-)


------------------
Daniel Somerfield
Author of Professional Java Security
 
mohit joshi
Ranch Hand
Posts: 243
There are many situations where you may need the Java Security APIs. If you develop a Java desktop application which needs to talk to a secure server..
If you need security strength beyond what SSL can provide..
On the server side you can usually get an SSL-enabled webserver to do the work, but if you want to do things outside of SSL, or if you want to do non-HTTP work using SSL, then you can use these APIs.
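The "non-HTTP work using SSL" case above, as an added example that is not from this thread or from any of the posters: a one-line PING/PONG protocol carried over TLS using JSSE, with the server loading its certificate from a PKCS12 keystore and the client asking the JDK to verify both the certificate chain and the hostname. The keystore path (`server.p12`), its password, the port, and the requirement of a current JDK (TLSv1.3-capable) are assumptions of this example.

```java
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class TlsLineProtocol {
    // Only modern protocol versions on both ends (assumption: a TLSv1.3-capable JDK).
    private static final String[] PROTOCOLS = {"TLSv1.3", "TLSv1.2"};

    /** Server side: answers one "PING" line with "PONG". Keystore path and password are placeholders. */
    public static void serve(int port, String keystorePath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null); // null trust managers = JDK default trust store

        try (SSLServerSocket server =
                     (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(port)) {
            server.setEnabledProtocols(PROTOCOLS);
            try (SSLSocket s = (SSLSocket) server.accept();
                 BufferedReader r = new BufferedReader(new InputStreamReader(s.getInputStream(), "UTF-8"));
                 PrintWriter w = new PrintWriter(s.getOutputStream(), true)) {
                String line = r.readLine();                // the whole "application protocol"
                w.println("PING".equals(line) ? "PONG" : "ERR");
            }
        }
    }

    /** Client side: verifies the server certificate AND its hostname, then speaks the line protocol. */
    public static String ping(String host, int port) throws Exception {
        SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket s = (SSLSocket) f.createSocket(host, port)) {
            SSLParameters p = s.getSSLParameters();
            p.setProtocols(PROTOCOLS);
            // "HTTPS" names the RFC 2818 hostname-matching rule; it applies to any protocol, not
            // just HTTP. Without it the JDK accepts any certificate its trust store signs for.
            p.setEndpointIdentificationAlgorithm("HTTPS");
            s.setSSLParameters(p);
            s.startHandshake();                            // fails here if cert or hostname is wrong
            PrintWriter w = new PrintWriter(s.getOutputStream(), true);
            BufferedReader r = new BufferedReader(new InputStreamReader(s.getInputStream(), "UTF-8"));
            w.println("PING");
            return r.readLine();
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length > 0 && args[0].equals("server")) {
            serve(8443, "server.p12", "changeit".toCharArray());   // placeholder keystore/password
        } else {
            System.out.println(ping("localhost", 8443));           // expected: PONG
        }
    }
}
```

Run one JVM with the argument `server` and another with none. The point to take from it is that JSSE does the handshake, certificate-chain validation and record encryption for you; what remains for the application is the small protocol on top and the two decisions that are easy to get wrong (which TLS versions to allow, and turning on hostname verification on the client).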
 
mohit joshi
Ranch Hand
Posts: 243
Since NIST (National Institute of Standards and Technology) of the USA has decided to replace DES (currently used in SSL etc.) with AES (based on the Rijndael algorithm), is it going to change the implementation of SSL by different providers? Is it expected to have any impact on the SSL/TLS protocol itself...
Also, DES has been the standard followed by a lot of banks and financial organizations for many years. Are these companies expected to upgrade their software to conform to the new standard..
Any views..
Mohit Joshi

[This message has been edited by mohit joshi (edited August 23, 2001).]
 
Anonymous
Ranch Hand
Posts: 18944
Hello!
Speaking of secure protocols: how do I add SSH and SCP functionality to my Java software?
------------------
Antti Barck
It Solutions Consultant -- NSD Oy
Sun Certified Programmer for the Java™ 2 Platform
 
David Weitzman
Ranch Hand
Posts: 1365
Mindterm has Java SSH.
 
Anonymous
Ranch Hand
Posts: 18944
Originally posted by David Garland:
Mindterm has Java SSH.

I recall that it is an applet?

------------------
Antti Barck
It Solutions Consultant -- NSD Oy
Sun Certified Programmer for the Java™ 2 Platform
 