
Java & Cryptography Part 2

The choice of encryption technologies is not always easy, but fortunately there are often several equally good options. The first step in choosing an algorithm is knowing the purpose to which it will be applied. Is it to ensure privacy, integrity, authenticity or to provide non-repudiation? Will it be used on a small amount of data or files so large that the encryption process could result in an unacceptable processing delay? The strength of an encryption method is dependent upon both the algorithm and the key length and can be understood in terms of the computational resources required to break it. The longer the key, the stronger any given algorithm. It is the value of the data and the length of time it must be protected that determines the necessary encryption strength. As long as the value of the data is lower than the cost of breaking the encryption, it is adequately protected.

Where to Apply Encryption
Although several encryption libraries are now available for Java programmers (see "Java Encryption Libraries Available Today"), the Java programmer is certainly not limited to just Java APIs. As detailed in Figure 1, the Web infrastructure supports encryption technology at several layers in the network model. In general, encryption services are only visible within the layer at which they are applied. HTTP and the lower layers are completely unaffected by the encryption of individual documents. Likewise, Web traffic is oblivious to the existence of a virtual private network (VPN) that securely tunnels packets over the Internet. Be aware that it might be advantageous to provide encryption at one network level and authentication at a different level. Figure 2 shows the most common network encryption configurations.

Virtual Private Networks
A VPN transparently tunnels normal LAN activities over a wider network and is usually used to support the distribution of a single organization over the Internet. Commonly supported between two firewalls, a VPN is a form of point-to-point encryption. Increasingly, this same technology is also being used to support remote users who access their organization's LAN through the Internet. Usually applied at the perimeter of a network (i.e., the Internet gateway), a VPN is a network extension tool. It temporarily extends the boundary of a private network either to a single remote user or to another network. As implemented by most firewall vendors, a VPN session is automatically initiated when either network entity attempts to access the other. Firewall vendors usually offer a choice of authentication mechanisms for use by individual remote users (either traditional reusable passwords or one-time passwords generated by a hardware token device). Because it is configured in the transport (TCP) layer, all traffic between two entities flows through a VPN automatically, without either the awareness or the choice of the user or the application.

Secure Socket Layer
SSL has become ubiquitous on the Internet. It is widely used to provide privacy for on-line storefronts and other sensitive applications. Developed and implemented by Netscape, SSL is a form of host-to-host encryption that extends encryption all the way from a server to a client workstation. Firewalls are customarily configured to allow both incoming and outgoing SSL sessions. As a transport layer service (more specifically, a service that sits directly above the transport layer), it still cannot provide integrity or non-repudiation services for individual objects, because it does not have direct access to the objects being transmitted through it. It has an advantage over a VPN in that it can be invoked selectively by applications that have been modified to support it. Most Web browsers have been modified to invoke an SSL session when using URLs starting with "https:". SSL is a convenient way to selectively provide confidentiality between a browser and a Web server. It also provides certificate-based authentication on the server side and, optionally, for the client. Note that applications which require some other form of authentication, such as a hardware token card, can still use SSL for privacy while taking advantage of an authentication service provided by a Web server or written as a CGI program. Because it provides the normal socket interface, SSL can support virtually any application, as long as that application has been designed to invoke and use SSL instead of the generic TCP socket services. Few SSL applications are available, however, and in practice it is used almost exclusively for Web support.

Application Layer Encryption
Only a service that can operate on discrete objects can sign them or verify them. S-HTTP is a standard set of security services that operates between Web browsers and Web servers. Careful application of the OSI model (as shown in Figure 1) would probably place S-HTTP at the presentation layer, but it offers the same capabilities as application layer encryption, if not the same level of flexibility, because it can directly operate on the objects being served through the Web. S-HTTP is a very useful protocol because it can provide object integrity and digital signature without requiring programmatic support, but unfortunately it is not widely implemented.

Given the lack of widespread S-HTTP support, many Java applications will be written to use their own cryptographic services. Using encryption from within Java provides a number of benefits:
1. All cryptographic services are available (privacy, authentication, non-repudiation, integrity).
2. The programmer controls and specifies the encryption service.
3. No infrastructural support is needed from the server, the client or system administrators.
4. Java applets can bring encryption services with them, effectively adding encryption services to the client workstation browser without requiring downloading or configuration on the part of the user.
5. Encryption can be selectively applied, allowing more efficient processing of non-private data.
6. Because Java programs operate above the network transport layers, they can also take advantage of S-HTTP and SSL.
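The following is an added example, not code from the article: it shows what "all cryptographic services are available" means in practice for a Java program that handles a discrete object at the application layer. The object is first sealed with an authenticated cipher (privacy plus integrity), and the sealed bytes are then signed with the sender's private key (authenticity plus non-repudiation); the receiver verifies the signature before attempting to decrypt, so a tampered or forged object is rejected without ever being opened. The algorithm names (AES/GCM, SHA256withECDSA) are those of today's standard Java Cryptography Architecture, which postdates the libraries the article surveys; the purchase-order text and header are constructed sample data.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.ECGenParameterSpec;
import java.util.Arrays;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;

/** Application-layer protection of one object: seal (privacy + integrity), then sign (authenticity + non-repudiation). */
public class ObjectCrypto {
    private static final int GCM_IV_BYTES = 12;   // 96-bit nonce, the recommended size for GCM
    private static final int GCM_TAG_BITS = 128;  // full-length authentication tag

    /** Returns iv || ciphertext || tag. The header is bound to the ciphertext as associated data but is not encrypted. */
    static byte[] seal(SecretKey key, byte[] plaintext, byte[] header) throws GeneralSecurityException {
        byte[] iv = new byte[GCM_IV_BYTES];
        new SecureRandom().nextBytes(iv);             // fresh nonce per object; never reuse a nonce under one key
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        cipher.updateAAD(header);
        byte[] ct = cipher.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    /** Reverses seal(); throws AEADBadTagException if the ciphertext or header was modified. */
    static byte[] open(SecretKey key, byte[] sealed, byte[] header) throws GeneralSecurityException {
        byte[] iv = Arrays.copyOfRange(sealed, 0, GCM_IV_BYTES);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        cipher.updateAAD(header);
        return cipher.doFinal(sealed, GCM_IV_BYTES, sealed.length - GCM_IV_BYTES);
    }

    /** Signs the sealed bytes so the receiver can attribute exactly what arrived to the holder of the private key. */
    static byte[] sign(PrivateKey key, byte[] data) throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA256withECDSA");
        sig.initSign(key);
        sig.update(data);
        return sig.sign();
    }

    static boolean verify(PublicKey key, byte[] data, byte[] signature) throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA256withECDSA");
        sig.initVerify(key);
        sig.update(data);
        return sig.verify(signature);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample object and header (not from the article).
        byte[] document = "PO-0001: 40 units, ship to warehouse B".getBytes(StandardCharsets.UTF_8);
        byte[] header = "content-type: purchase-order".getBytes(StandardCharsets.UTF_8);

        // Key lengths chosen per the article's advice that strength depends on algorithm and key length.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey sharedKey = kg.generateKey();                    // assumed already shared with the receiver
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair senderKeys = kpg.generateKeyPair();               // public half assumed to be known to the receiver

        // Sender: seal, then sign what will actually be transmitted.
        byte[] sealed = seal(sharedKey, document, header);
        byte[] signature = sign(senderKeys.getPrivate(), sealed);

        // Receiver: check origin first, only then decrypt.
        if (!verify(senderKeys.getPublic(), sealed, signature)) {
            throw new SecurityException("signature does not verify; object rejected");
        }
        byte[] recovered = open(sharedKey, sealed, header);
        System.out.println("recovered: " + new String(recovered, StandardCharsets.UTF_8));

        // Integrity check: flip one ciphertext byte and show both layers reject it.
        byte[] tampered = sealed.clone();
        tampered[tampered.length - 1] ^= 0x01;
        System.out.println("signature over tampered object verifies: " + verify(senderKeys.getPublic(), tampered, signature));
        try {
            open(sharedKey, tampered, header);
        } catch (AEADBadTagException e) {
            System.out.println("decryption of tampered object rejected by GCM tag");
        }
    }
}
```

The order matters: verifying the signature over the sealed bytes before decrypting means the receiver never feeds attacker-controlled ciphertext to the cipher, and the GCM tag independently catches any corruption of either the ciphertext or the bound header. Compile with `javac ObjectCrypto.java` and run with `java ObjectCrypto`; no provider beyond the JDK's own is needed.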

If end-to-end encryption is not required, it is usually more convenient to allow the Webmaster or network administrator to configure encryption services using the existing infrastructure. In general, the higher in the network stack it is applied, the more specifically cryptographic authentication and verification can be applied. Point-to-point encryption usually only authenticates organizations (everything behind the firewall) to each other, while SSL can authenticate a user on a specific workstation to a specific server. Application level encryption can identify a specific application or data object. It offers the most flexibility and functionality, but requires the most programming effort. The good news is that much of this programming effort has already been done. A number of transaction services and electronic commerce libraries are available to the Java programmer. These higher-level libraries can simplify the implementation of electronic commerce applications and an upcoming article will discuss these products and their use.

Further Reference
Encryption products that can be effectively applied by non-specialists are readily available. If you get involved in a project requiring cryptographic services - and a lot of the most interesting Java applications will require it - get a copy of Bruce Schneier's book, Applied Cryptography (2nd edition; Wiley, 1996). This is the bible of encryption technology for programmers and administrators. It's a great introduction and reference manual to this complex subject and a well-thumbed copy should be on the shelf of anyone with a serious need for encryption.

About the Author

Jay Heiser is the Director of Internet Products for HomeCom Internet Security Services, where he is currently providing network security consulting to several major financial institutions and retail chains. He has lectured on information security in the US and Europe at events such as InfoWarCon, The Internet Conference, and FOSE. Jay also has animated several presentations on basic network security topics and made them available on the Web at http://www.homecom.com/services/hiss/LearnAbout.html.