Welcome to our roundup of Java security tools, techniques, news and articles.
Interesting Sites and Useful Resources
| Source | Resource |
| --- | --- |
| Baltimore Technologies | Security tools. |
| Certicom | Cryptographic Toolkits. MobileTrust managed certificate services enable secure stock trading, online banking, enterprise, e-mail and healthcare applications from mobile phones, pagers and PDAs. |
| enCommerce, Inc | getAccess Mobile Solution, featuring the getAccess Mobile Server and a suite of getAccess Mobile Services. The getAccess Mobile Server extends enCommerce's proven getAccess software architecture to deliver secure, individualized Web access via wireless devices, such as mobile telephones and personal digital assistants (PDAs). Meanwhile, enCommerce Mobile Services help companies implement secure wireless access in as little as 90 days. |
| Entrust Technologies | Secure Wireless e-Business Solutions. |
| F-Secure | Security tools. |
| IBM | Securing wireless J2ME: security challenges and solutions for mobile commerce applications. As mobile commerce becomes less of a buzzword and more of a reality, transaction security is becoming an important concern for mobile users and wireless application developers alike. The overall security of a network is only as strong as its weakest link, and in a mobile-commerce network the weakest link is the client-side device. The interceptable nature of wireless signals and the limited memory and computing power of most handheld devices leave wireless systems dangerously vulnerable to data theft... |
| Java Developer Connection (JDC) | Using Passwords to Protect Your MIDlets. Security is always a concern when you are writing an application that deals with sensitive data. It's especially so on handheld devices, which are more apt to be lost or stolen than a desktop computer. A handheld device is likely to hold truly personal information that you don't want strangers to know, things such as important phone numbers and addresses. Safeguarding that information should always be a priority... |
| Java Developers Journal (JDJ) | Unlimited Encryption on Limited Devices (11/02). I have the dubious honor of having written one of the very first implementations of the RSA cryptographic algorithm in Java some years ago, and very badly I wrote it too. With a 4-bit key it worked great, with an 8-bit key it took about 30 minutes to encrypt or decrypt anything, and after three days of trying with a 16-bit key, we had to use the computer for something else. Just to give you some idea, even back then 128 bits was considered the minimum for secure communications, and each bit doubles the time. Cryptography is not fast; its security is bound up in the complexity of its algorithms. Those who are writing modern cryptography need to be much better mathematicians than I... |
| Java Developers Journal (JDJ) | Frank's Java Code Stack #4: Using Message Digest Stream (11/02). In Java Code Stack #1 and #3, we observed some code snippets on both symmetric and asymmetric cryptography. But most of our applications, such as password authentication and logon verification, need a simpler way of creating a digest of a given string or message. A message digest is a hash algorithm that takes as input a message of arbitrary length and produces as output a 128-bit fingerprint or message digest of the input. This digest algorithm is meant for digital signature applications, where a large file or data set must be compressed in a secure manner before being encrypted with a secret key under a public key crypto model... |
| NTRU Cryptosystems | Neo Java public-key toolkit, designed specifically for wireless devices running Java applications. Encrypts data during transfer and also provides user authentication. The application is less than five KB and is designed for constrained environments such as mobile phones and PDAs. |
| The Register | Mobile phone Java risks 'minimal' (10/02). Is wireless Java at risk from malicious code attack? The answer appears to be no, for vanilla Java 2 Micro Edition (Java 2 ME). But vendors' proprietary extensions are more problematic, according to Markus Schmall of T-Mobile. He recently conducted a study of the security of Java 2 ME, using tests on a Siemens SL45 phone. Java 2 ME is defined so that cross-loader functions are limited, maths functions are restricted and no file access is possible. This greatly limits the scope and number of attacks possible on mobile devices running Java 2 ME. Schmall considered a number of actions which malicious code might take: accessing storage media, accessing internal memory, initiating Web connections and interfering with installed applications. |
| RSA Security | Authentication and encryption technologies. |
| Sun | The Security and Trust Services API for J2ME (9/05). Introduced with Java Specification Request 177, the Security and Trust Services API (SATSA) optional package provides APIs for communication with security elements, as well as security APIs for the management of digital signatures, digital certificates, and cryptographic operations. This article presents an overview of SATSA, covers the communication APIs, and presents some information about the reference implementation. |
| Sun | The Security and Trust Services API (SATSA) for J2ME: The Security APIs (9/05). SATSA does a good job of simplifying complexity by providing an easy-to-use API. Yet the topic of security is a complex one, and this article covers a lot of background information. The goal of this article is to introduce you to the main concepts of PKI and cryptography with respect to SATSA. Writing secure applications is nothing trivial, and anyone writing secure applications must take the time to understand the underpinnings of PKI and cryptography in general; you can find a list of resources at the end of this article. |
| Sun | Learning Path: MIDP Application Security. This learning path imparts the basics of application security and shows you how to apply that knowledge in applications that include MIDP clients. There are four main sections: Overview, Application Security in MIDP, Cryptography in MIDP, Further Reading. |
| Sun | Securing J2ME Applications (PDF). Background, vision and goal, security architecture for existing wireless data services, SSL and its evaluation for small devices... |
| Sun | MIDP Application Security 1: Design Concerns and Cryptography (9/02). This is the first of a series of four articles about building security into wireless Java applications. Secure systems protect something valuable, like money or personal property. Secure computer applications protect valuable information. The challenge of building secure systems is finding and defending every vulnerability... |
| Sun | MIDP Application Security 2: Understanding SSL and TLS (10/02). Transport Layer Security (TLS) is a protocol that enables authentication and data encryption over insecure networks. It is implemented as a layer between TCP/IP and higher-level network protocols like HTTP, SMTP, and NNTP. The implementation of SSL in web browsers is nearly seamless for users, providing cryptographic authentication and session-based encryption at a minimal cost in ease of use. This article describes TLS and its close cousin, SSL. You'll learn how MIDP 1.0 and MIDP 2.0 support TLS and SSL, code some examples, and get an understanding of the security level of TLS and SSL. |
| Sun | MIDP Application Security 3: Authentication in MIDP (12/02). Devices that communicate over an insecure network like the Internet need to prove their identity to each other, a process called authentication. This article describes techniques MIDP clients can use for authentication. MIDP 1.0 provides no direct API support for authentication. MIDP 2.0 does support server authentication with HTTPS, but still lacks mechanisms for client authentication. |
| Sun | MIDP Application Security 4: Encryption in MIDP (9/05). Computer applications use ciphers to protect sensitive information from theft. Encrypted data can be safely transmitted over an insecure network like the Internet. This article shows how encryption protects data from eavesdroppers, then presents a complete example that shows how to use the Bouncy Castle Cryptography APIs to encrypt messages sent between two MIDP devices. |
| Sun | MIDP Terminal Emulation, Part 4: Securing Your Mobile Communications. MIDTerm implements an ANSI terminal and uses the Telnet protocol to communicate over standard TCP/IP sockets, enabling users of mobile devices to interact with software running on remote computers. In this article, we'll use MIDP 2.0's secure connection classes to encrypt MIDTerm's communications. We'll first take a look at why encryption is necessary and spend a little time explaining how public-key encryption works, then I'll show you how to implement support for secure sockets on both the mobile device and the server you're connecting to. |