Category: Networking and Security
2017-01-23 11:59:41
I translated the Java Secure Socket Extension (JSSE) Reference Guide for my own reference and am sharing it here as well. It is slightly abridged, and I make no guarantee about the correctness of the translation.
Data sent over a network can easily be intercepted by others. When the data contains private information such as passwords or credit card numbers, it must be encrypted so that it is unreadable to unauthorized users. The data must also not be modified in transit, whether intentionally or accidentally. The Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols were designed to help protect the privacy and integrity of data while it is transferred across a network.
The Java Secure Socket Extension (JSSE) enables secure network communication. It provides a framework and a Java implementation of the SSL and TLS protocols, including data encryption, server authentication, message integrity, and optional client authentication. Using JSSE, developers can provide a secure channel for data between a client and a server running any application protocol, such as Hypertext Transfer Protocol (HTTP), Telnet, or FTP.
By abstracting the complex underlying security algorithms and the "handshake" mechanism, JSSE minimizes the risk of creating subtle but dangerous security vulnerabilities. It also simplifies application development by serving as a building block that developers can integrate directly into their applications.
JSSE provides both an application programming interface (API) framework and an implementation of that API. The JSSE API supplements the "core" network and cryptographic services defined in the java.security and java.net packages by providing extended networking socket classes, trust managers, key managers, SSLContexts, and a socket factory framework for encapsulating socket creation behavior. Because the socket API is based on a blocking I/O model, a non-blocking SSLEngine API was introduced in JDK 5 to allow implementations to choose their own I/O methods.
The JSSE API is capable of supporting SSL versions 2.0 and 3.0 and Transport Layer Security (TLS) 1.0. These security protocols encapsulate a normal bidirectional stream socket, and the JSSE API adds transparent support for authentication, encryption, and integrity protection. The JSSE implementation supports SSL 3.0 and TLS 1.0; it does not implement SSL 2.0.
As mentioned above, JSSE is a security component of the Java SE 6 platform and is based on the same design principles found elsewhere in the Java Cryptography Architecture (JCA) framework. This framework for cryptography-related security components gives them implementation independence and, whenever possible, algorithm independence.
The Java SE 6 platform also includes other security components: the Java Authentication and Authorization Service (JAAS) and the Java Security Tools.
The JSSE API is designed to allow other SSL/TLS protocol and Public Key Infrastructure (PKI) implementations to be plugged in seamlessly, replacing the JSSE internal implementation. Developers can also provide alternative logic to determine whether a remote host should be trusted or what authentication key material should be sent to a remote host.
JSSE includes the following important features:

| Cryptographic Algorithm * | Cryptographic Process | Key Lengths (Bits) |
|---|---|---|
| RSA | Authentication and key exchange | 512 and larger |
| RC4 | Bulk encryption | 128 |
| DES | Bulk encryption | 64 (56 effective) |
| Triple DES | Bulk encryption | 192 (112 effective) |
| AES | Bulk encryption | 256 |
| Diffie-Hellman | Key agreement | 1024 |
| DSA | Authentication | 1024 |

* Note: The SunJSSE implementation uses the Java Cryptography Extension (JCE) for all of its cryptographic algorithms.
- Secure (SSL) sockets and server sockets.
- A non-blocking engine (SSLEngine) for producing and consuming SSL/TLS stream data.
- Factories for creating sockets, server sockets, SSL sockets, and SSL server sockets. Using socket factories lets you encapsulate socket creation and configuration behavior.
- A class representing a secure socket context, which acts as a factory for secure socket factories and engines.
- Key and trust manager interfaces (including X.509-specific key and trust managers), and factories that create them.
- A class for secure HTTP URL connections (HTTPS).
For more details, see the SunJSSE section. The SunJSSE provider includes:
- An implementation of the SSL 3.0 and TLS 1.0 security protocols.
- An implementation of the most common SSL and TLS cipher suites, each of which combines authentication, key agreement, encryption, and integrity protection.
- An implementation of X.509-based key management that chooses appropriate authentication keys from a standard JCA KeyStore.
- An implementation of X.509-based trust management that implements rules for certificate chain (path) validation.
- An implementation of PKCS12 as the JCA keystore type "pkcs12". Storing trust anchors in PKCS12 is not supported; users should store trust anchors in JKS format and save private keys in PKCS12 format.
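The following client ties the API pieces listed above (SSLContext, key and trust manager factories, socket factory, SSL socket) to the keystore guidance just given: trust anchors come from a JKS truststore, the client's private key from a PKCS12 keystore. It is an example added here, not code from the JSSE guide or from this post. The file names `truststore.jks` and `client.p12`, the password, the target host, and the pinned fingerprint are placeholders; the delegating trust manager shows the "alternative trust logic" the guide mentions done safely, by running the standard PKIX validation first and only then applying an extra policy. It assumes a JDK 7 or later, since `setEndpointIdentificationAlgorithm` and `TLSv1.2` postdate the Java SE 6 text being translated.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Set;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class JsseClientExample {

    // Placeholder file names and password (assumptions, not from the guide).
    static final String TRUST_STORE = "truststore.jks"; // trust anchors in JKS format
    static final String KEY_STORE = "client.p12";       // client private key + cert in PKCS12
    static final char[] PASSWORD = "changeit".toCharArray();

    // Constructed placeholder: SHA-256 fingerprint (hex) of the expected server leaf certificate.
    static final Set<String> PINNED_LEAF_SHA256 =
            Collections.singleton("<hex sha-256 of expected server certificate>");

    // Load a JCA KeyStore of the given type from disk.
    static KeyStore load(String path, String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, PASSWORD);
        }
        return ks;
    }

    // Custom trust logic that never bypasses the provider's PKIX path validation:
    // the delegate runs first, and the pin check only narrows what is accepted.
    static final class PinningTrustManager implements X509TrustManager {
        private final X509TrustManager pkix;
        PinningTrustManager(X509TrustManager pkix) { this.pkix = pkix; }

        public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            pkix.checkClientTrusted(chain, authType);
        }

        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            pkix.checkServerTrusted(chain, authType); // certificate path validation first
            String fp = sha256Hex(chain[0].getEncoded());
            if (!PINNED_LEAF_SHA256.contains(fp)) {
                throw new CertificateException("server leaf certificate is not pinned: " + fp);
            }
        }

        public X509Certificate[] getAcceptedIssuers() { return pkix.getAcceptedIssuers(); }
    }

    static String sha256Hex(byte[] der) throws CertificateException {
        try {
            StringBuilder sb = new StringBuilder();
            for (byte b : MessageDigest.getInstance("SHA-256").digest(der)) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }

    // Build the SSLContext: key material from PKCS12, trust anchors from JKS.
    static SSLContext buildContext() throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(KEY_STORE, "PKCS12"), PASSWORD);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(load(TRUST_STORE, "JKS"));
        X509TrustManager pkix = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { pkix = (X509TrustManager) tm; break; }
        }
        if (pkix == null) throw new IllegalStateException("PKIX factory returned no X509TrustManager");

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), new TrustManager[] { new PinningTrustManager(pkix) }, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "example.com"; // assumed target host
        SSLSocketFactory factory = buildContext().getSocketFactory();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, 443)) {
            SSLParameters params = socket.getSSLParameters();
            params.setProtocols(new String[] { "TLSv1.2" });    // no SSL 3.0 / TLS 1.0
            params.setEndpointIdentificationAlgorithm("HTTPS"); // verify host name against the cert
            socket.setSSLParameters(params);
            socket.startHandshake();
            System.out.println("negotiated " + socket.getSession().getProtocol()
                    + " with " + socket.getSession().getCipherSuite());
        }
    }
}
```

Two settings matter for defenders here: without `setEndpointIdentificationAlgorithm("HTTPS")`, a plain SSLSocket validates the certificate chain but does not check that the certificate belongs to the host you connected to; and a custom trust manager that skips the PKIX delegate (the common "trust everything" shortcut) silently removes server authentication altogether. The same context's `getServerSocketFactory()` is what a server would use, with `SSLServerSocket.setNeedClientAuth(true)` to require the optional client authentication the guide describes.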
Java Secure Socket Extension Documentation
- Archive of API-related questions and answers posted to Sun's Java Security team through java-security@sun.com:
http://archives.java.sun.com/archives/java-security.html
Note: The above mailing list is not a subscription list or a support mechanism. It is simply a one-way channel that you can use to send comments to the Java SE 6 Standard Edition security team.
- JSSE API documentation:
Java Platform Security Documentation
- The Java Security home page has links to White Papers, Books, Secure Coding guidelines, etc.:
Java SE Security
- The Java Certification Path API Programmer's Guide:
CertPath Programmer's Guide
- Links to more Java SE 6 platform security documents:
Security Guides page
- Tutorial for Java platform security:
Security Features in Java SE
- Book on Java SE platform security:
Inside Java 2 Platform Security: Architecture, API Design, and Implementation by Li Gong. Addison Wesley Longman, Inc., 1999. ISBN: 0201310007.
Export Issues Related to Cryptography
For information on U.S. encryption policies, refer to these Web sites:
U.S. Department of Commerce:
Export Policy Resource Page:
Computer Systems Public Policy:
Federal Information Processing Standards Publications (FIPS PUBS) homepage, which has links to the Data Encryption Standard (DES):
Revised U.S. Encryption Export Control Regulations:
Cryptography Documentation
Online resources:
- Dr. Rivest's Cryptography and Security page:
~rivest/crypto-security.html
Books:
Applied Cryptography, Second Edition by Bruce Schneier. John Wiley and Sons, Inc., 1996.
Cryptography Theory and Practice by Doug Stinson. CRC Press, Inc., 1995.
Cryptography & Network Security: Principles & Practice by William Stallings. Prentice Hall, 1998.
Secure Sockets Layer Documentation
Online resources:
Introduction to SSL from Sun ONE Software:
The SSL Protocol version 3.0 Internet Draft:
The TLS Protocol version 1.0 RFC:
"HTTP Over TLS" Information RFC:
Books:
SSL and TLS: Designing and Building Secure Systems by Eric Rescorla. Addison Wesley Professional, 2000.
SSL and TLS Essentials: Securing the Web by Stephen Thomas. John Wiley and Sons, Inc., 2000.
Java 2 Network Security, Second Edition, by Marco Pistoia, Duane F Reller, Deepak Gupta, Milind Nagnur, and Ashok K Ramani. Prentice Hall, 1999. Copyright 1999 International Business Machines.