Tuesday, January 16, 2007

Security

  • Select from a list the security restrictions that Java 2 environments normally impose on applets running in a browser.
  • Given an architectural system specification, identify appropriate locations for implementation of specified security features, and select suitable technologies for implementation of those features.
Fundamental goal: Protect data from unauthorized reading or modification, protect computer resources against unauthorized use, and guarantee the correctness and availability of resources and data for authorized persons and entities.

Security Manager: categories of permission.
Permitted Operations:
  1. Ability to create a thread
  2. Limited ability to manipulate threads that the browser created for the applet. The security manager doesn't monitor CPU, network or bandwidth utilization.
  3. Ability to perform manipulations for the AWT for GUI to work properly
  4. Ability to read system properties, but not modify them
  5. Allowed to make network connections only to the host from which it was loaded (if not, it could start a DoS and also try to connect to internal resources/systems of the local network)
  6. Cannot change the priority of the threads but can request more memory and throw OutOfMemoryException.
  7. A message digest is proof that a piece of data has not been modified. The process of creating a message digest is known as hashing. Java 2 supports this.
  8. If the applet is not trusted then it cannot do anything on the client machine.
  9. Cannot read/write from client
  10. Cannot read java.home or java.classpath.

Denied Operations: Any operation that might be used to compromise the host is usually denied.
Exceptions to this are CPU usage, bandwidth usage and memory usage.

Principal, Roles, Identification, Authorization, Authentication, Access control.

Cryptography: 1) Symmetric 2) Asymmetric - Has two keys, a private key and a public key. The public key can be used to encrypt the message. It cannot be used to decrypt the message or derive the private key. Only the private key can be used to decrypt the message. Asymmetric cryptography is CPU intensive. Also known as public key cryptography.
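The public/private key behaviour described above, as an added Java example that is not part of the original notes. The class name `AsymmetricDemo`, the helper `run`, the sample message, and the choice of RSA with OAEP padding at 2048 bits are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Arrays;
import javax.crypto.Cipher;

// Added example: class and helper names are hypothetical.
public class AsymmetricDemo {
    // Standard JCA transformation name for RSA with OAEP padding.
    static final String TRANSFORM = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    // Runs one cipher operation (encrypt or decrypt) with the given key.
    static byte[] run(int mode, Key key, byte[] input) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance(TRANSFORM);
        cipher.init(mode, key);
        return cipher.doFinal(input);
    }

    public static void main(String[] args) throws Exception {
        // Generate the key pair: the public half may be shared, the private half may not.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair pair = gen.generateKeyPair();

        // Constructed sample input.
        byte[] message = "constructed sample message".getBytes(StandardCharsets.UTF_8);

        // Anyone holding the public key can encrypt.
        byte[] ciphertext = run(Cipher.ENCRYPT_MODE, pair.getPublic(), message);

        // Only the private key recovers the plaintext.
        byte[] recovered = run(Cipher.DECRYPT_MODE, pair.getPrivate(), ciphertext);
        System.out.println("private key recovers message: "
                + Arrays.equals(message, recovered));

        // Trying to decrypt with the public key is rejected by the provider.
        try {
            run(Cipher.DECRYPT_MODE, pair.getPublic(), ciphertext);
            System.out.println("unexpected: public key decrypted the ciphertext");
        } catch (GeneralSecurityException e) {
            System.out.println("public key cannot decrypt: "
                    + e.getClass().getSimpleName());
        }
    }
}
```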

Signatures and Certificates.

SSL, HTTPS, WEB logins

Notes from cade/web/Simulators
