From: http://hedong.3322.org/archives/000566.html
Storage / delete password. If the password is stored in the Java String object, the password will always reside in memory until the garbage collection or process is terminated. Even if garbage collection is performed, it still exists in the idle memory heap until the memory space is reused. The longer the password String resides in memory, the greater the danger of being eavesdropped. Worse, if the actual memory is reduced, the operating system will convert this password String to the switch to the disk, so it is easy to suffer from disk block eavesdropping attacks. To minimize this leakage (but not eliminated), you should store your password in a char array and zero it after use. (String is invisible, so it cannot be zero it.) Intelligent serialization. When the object is serialized for a memory or transfer any private field, these objects are present in the stream. Therefore, sensitive data is easily eavesdropped. You can use the Transient keyword to tag properties so that this property will be ignored in the stream.
Some security concepts and implementation in JDK1.4
Message summary. This is a technique that is used in conjunction with the message authentication code to ensure message integrity. Private key encryption. Technologies designed to ensure message confidentiality. Public key encryption. Allow communication between communication without having to negotiate the secrets in advance to share secret messages. digital signature. Prove that the other message determines the bit mode from the correct communication party. Digital certificate. Adding another level of security to digital signatures by allowing third-party certification agencies to authenticate messages. Code signature. The signature is embedded in the concept of the passed code. SSL / TLS. A protocol for establishing a secure communication channel between clients and servers. Transport Layer Security (TLS) is a replacement of a secure sockets layer (SSL).
Message summary. This is a technique that is used in conjunction with the message authentication code to ensure message integrity.
It gets the data in the message and generates a bit block designed to represent the message "fingerprint". The message summary function is a one-way function. It is very simple to generate fingerprints from the message, but the message that generates and gives the fingerprint is difficult. Private key encryption. Technologies designed to ensure message confidentiality.
Cipher copher = cipher.getInstance ("DES / ECB / PKCS5PADDING"); cipher.init (cipher.encrypt_mode, key); byte [] ciphertext = cipher.dofinal (PlainText); public key encryption. Allow communication between communication without having to negotiate the secrets in advance to share secret messages.
The public key and private key are formed to be generated and need to be longer than the private key encryption key than the equivalent intensity. The typical key length of the RSA algorithm is 1,024. A member of the key pair is derived from another one. The public key encryption is slow (slower than 100 to 1,000 times more encryption), and therefore it is often commonly used. The public key encryption is used to distribute the private key called the session key to the other party, and the private key encryption using the private session key is used to perform a large number of messages encryption. The following two algorithms are used in public key encryption:
RSA. This algorithm is the most popular public key password, but it does not support it in JDK 1.4. You must use a third-party library similar to BounceCastle to get this support. Diffie-hellman. Technically, this algorithm is technically called a key agreement algorithm. It cannot be used for encryption, but can be used to allow both parties to derive the secret key by sharing information on the public channel. This key can then be used for private key encryption. KeyPairGenerator keyGen = KeyPairGenerator.getInstance ( "RSA"); keyGen.initialize (1024); KeyPair key = keyGen.generateKeyPair (); Cipher cipher = Cipher.getInstance ( "RSA / ECB / PKCS1Padding"); cipher.init (Cipher. ENCRYPT_MODE, key.getPublic ()); byte [] cipherText = cipher.doFinal (plainText); cipher.init (Cipher.DECRYPT_MODE, key.getPrivate ()); byte [] newPlainText = cipher.doFinal (cipherText); digital signature . Prove that the other message determines the bit mode from the correct communication party. The sender uses a private key to the message signature, and then the recipient's public key to decrypt the digital signature without providing the RSA algorithm for digital signature and encryption. US standards named DSA (Digital Signature Algorithm) can be used for digital signatures, but cannot be used for encryption. Digital certificate. Adding another level of security to digital signatures by allowing third-party certification agencies to authenticate messages.
The Certification Center (CA) is an organization that verifies the identity of an entity and signs the public key and identity of the entity with the CA private key. The message recipient can obtain the sender's digital certificate and verify (or decrypt) the certificate with the public key of the CA. This can verify that the certificate is valid and allow the recipient to extract the sender's public key to verify its signature or send the encrypted message to him. Browsers and JDK itself have built-in certificates from several CAs and their public keys. Code signature. The signature is embedded in the concept of the passed code.
The Jarsigner tool will use a JAR file, a private key, and a corresponding certificate as an input, then generate the signature version of the JAR file as an output. It calculates a message summary for each class in the JAR file, then signing these summary to ensure the integrity of the file and identifies the owner of the file. JAR CVF HelloWorld.jar HelloWorld.class Jarsigner HelloWorld.jar JoeuserKey Jarsigner -verify -verbose-Certs HelloWorld.jar SSL / TLS. A protocol for establishing a secure communication channel between clients and servers. Transport Layer Security (TLS) is a replacement of a secure sockets layer (SSL).
SSLServerSocketFacctory sslf = (SSLServerSocketFactor) SSLServerSocketFactory.getDefault (); ServerSocket serverSocket = sslf.createServerSocket (PORT); When using SSL / TLS (usually https: // URL) request to the station when transmitting a certificate from the server to the client . The client uses the installed public CA certificate to verify the identity of the server through this certificate, and then check if the IP name (machine name) matches the machine connected to the client. The client generates random information that can be used to generate a private key (called session key), and then encrypt it with the server's public key and send it to the server. The server decrypts the message with its own private key, and then derives the same private session key as the client. The RSA public key algorithm is usually used at this stage. Then, the client and server communicate using a private session key and private key algorithm (usually RC4). Use another key message authentication code to ensure the integrity of the message. Reference: Java security first partial cryptography foundation
