Trail: Security Features in Java SE
Lesson: Security Features Overview

Security functions help you to protect your programs and data from harm, to keep data shielded and private, and to deploy new applications in security-aware runtime environments.

Java also provides several tools to help you to manage access to system resources; to create, store and maintain encrypted public and private passwords (key pairs) and certificates; and to create and sign jarfiles during the deployment process.



Note: Security functionality is complicated, and is designed to be that way. This trail introduces you to several basic coding and deployment tasks that support any Security feature you may need to use in the future. For descriptions of more specialized Security features, see the Security Overview Whitepaper in the Security Guides directory.

This Overview lesson discusses the following Security topics:

Security Architecture

Most Security functions monitor communication among independent applications across a network. Each application hosting system resources can grant or deny access to its resources, based on the permissions policies it has defined for calling applications in its own policy file. If a host application can verify the identity of the calling application and finds a permissions entry in its policy file, then the host application authorizes the calling application to procede. If the calling application has no policy file entry, then the host application either denies access or it allows a carefully limited access that protects its system resources from harm.

If you request access to a system resource controlled by another application within a secure networking environment, you must not only identify who you are, where you are, that your codebase is trusted, and then specify the action you want to perform; you must also guarantee your identity in terms that the other application understands. You can also be required to guarantee that messages and data you send to the host application are authentic and haven't been damaged or rewritten during transit. Finally, you can be required to encrypt messages and data you send to your host application, to decrypt messages and data received from your host application, or to send all communications over a Secure Socket Layer(SSL) connection. Java Security packages are designed to simplify every step in this access control process.

You can use Java Security packages to protect your system in the following ways:

  • You can control another application's access to your own local system resources

  • You can gain access to system resources managed by some other application

  • You can communicate with another application using a secure network protocol, like SSL

  • You can encrypt and decrypt files and messages using standard cryptography algorithms

Cryptography Architecture

Cryptographic Services encode and decode data passed between applications. That data can be a data file, but it can also be an encrypted password pair (key pair), a message digest, a digital signature or a certificate.

Note: If you're not a developer who is already familiar with cryptography concepts, you can skip to Security-Related Tools in this section.


The Java Cryptography Architecture (JCA) package defines the framework that accesses cryptographic functionality for the Java platform. The JCA includes a provider architecture that allows for multiple and interoperable cryptography implementations. The term cryptographic service provider (CSP), (or provider), refers to a package that supplies a concrete implementation of a subset of the cryptography aspects of the Security API.

A provider can contain an implementation of one or more of the following services:

  • digital signature algorithms

  • message digest algorithms

  • Key-generation algorithms

  • Keystore creation and management

  • Algorithm parameter management

  • Algorithm parameter generation

  • Key factory support to convert between different key representations

  • Certificate factory support to generate certificates and certificate revocation lists (CRLs) from their encodings

JDK also enables a provider to supply a random-number generation (RNG) algorithm.

The Java Runtime Environment includes a default provider named SUN. The SUN provider package includes implementations of a number of DSA (Digital Signature Algorithm) services, implementations of the MD5 (RFC 1321) and SHA-1 (NIST FIPS 180-1) message digest algorithms, a certificate factory for X.509 certificates and certificate revocation lists, a pseudo-random-number generation algorithm, and a keystore implementation. It also includes APIs for encryption, key exchange and Message Authentication Code (MAC).


Cryptographic Services

JDK now contains several useful engine classes. They have been added to the Signature, MessageDigest, and KeyPairGenerator classes. An engine class defines a cryptographic service in an abstract fashion (without a concrete implementation). An engine class defines API methods that allow applications to access the specific type of cryptographic service it provides, such as a digital signature algorithm. The actual implementations from one or more providers, are those for specific algorithms.

The application interfaces supplied by an engine class are implemented in terms of a service provider interface (SPI). That is, each engine class has a corresponding abstract SPI class that defines the service provider interface methods that cryptographic service providers must implement.

For example, an API client can use an instance of the Signature engine class to access the functionality of a digital signature algorithm to digitally sign a file. The actual implementation supplied in a SignatureSpi subclass would be that for a specific kind of signature algorithm, such as SHA-1 with DSA or MD5 with RSA.

Each instance of an engine class encapsulates an instance of the corresponding SPI class as implemented by a cryptographic service provider. Each API method of an engine class invokes the corresponding SPI method of the encapsulated SPI object.

Certificate Interfaces and Classes

JDK includes certificate interfaces and classes for parsing and managing certificates, and also provides an X.509 v3 implementation of the certificate interfaces. A certificate is basically a digitally signed statement from one entity (person; company), saying that the public key of another entity has some specific value.

Here are some of the certificate-related classes included in the java.security.cert package:

  • Certificate - This class is an abstraction for certificates that have various formats but important common uses. For example, various types of certificates, such as X.509 and PGP, share general certificate functionality, such as encoding and verifying, and some types of information, such as a public key. X.509, PGP, and SDSI certificates can all be implemented by subclassing the Certificate class, even though they contain different sets of information and store and retrieve the information in different ways.

  • CertificateFactory - This class defines the functionality of a certificate factory, which is used to generate certificate and certificate revocation list (CRL) objects from their encodings.

  • X509Certificate - This abstract class for X.509 certificates provides a standard way to access all the attributes of an X.509 certificate.

Key Management Classes and Interfaces

JDK supports the following Key interfaces:

  • A KeyStore class (an engine class) that supplies well-defined interfaces to access and modify the information in a keystore, which is a repository of keys and certificates. Multiple different concrete implementations are possible, where each implementation is that for a particular type of keystore. A keystore type defines the storage and data format of the keystore information.

  • A default KeyStore implementation, which implements the keystore as a file, using a proprietary keystore type (format) named JKS. The keystore implementation protects each private key with its individual password and also protects the integrity of the entire keystore with a (possibly different) password.

  • Key specification interfaces, which are used for transparent representations of the key material that constitutes a key. The key material for a key may, for example, consist of the key itself and the algorithm parameters used to calculate the key value. A transparent representation of keys means that you can access each key material value individually.

  • A tool utility (keytool) for managing keys and certificates.

Security-Related Tools

JDK includes the following tools:
Previous page: Table of Contents
Next page: Quick Tour of Controlling Applets