Shulou(Shulou.com)06/03 Report--

JVM calendar JDPR or Java data protection advice is what, many novices are not very clear, in order to help you solve this problem, the following editor will explain in detail for you, people with this need can come to learn, I hope you can gain something.

Find PII and sensitive data

Java developers can locate PII by static typing and clearing API. For POJO examples written by developers, standardized method naming can reveal potential PII information like getAddress (), getName () or getSomethingElseThatLooksLikePII () through most communities. Through the method name, developers familiar with PII targets can easily find points of interest in PII sleep and identify potential leaks.

Java API also provides another simple way to identify PII bear caves. For example, most persistence is handled by JDBC or ORM libraries such as Hibernate. By observing queries or looking directly at the database, developers can identify the PII that flows through these interfaces. The existence of standardized API (such as JDBC and Hibernate) makes it easy for instrument-based tools to find PII, similar to the way free instrument-based tools monitor security or performance.

Correct use of cryptography

Java developers benefit from Java Cryptographic Architecture, a compatible set of tools and libraries that cover basic encryption methods. Starting with JDK 9, most JRE ships with Unlimited Strength Cryptography. The unlimited strength of encryption and the limitations of policy file configuration have always been the source of confusion in development projects that require strong encryption. The Java developer provides a quick test that you can run to see if infinite strength is configured correctly.

Import javax. Encryption. Password

Class TestCryptoLimitations {

Public static void main (String [] args) {

Try {

The system. Out. Println ("Hello World!" )

Int maxKeyLen = password. GetMaxAllowedKeyLength ("AES")

The system. Out. Println ("maximum key length is" + maxKeyLen)

} catch (exception e) {

The system. Out. Println ("sad World: (")

}

}

}

Next, you may encounter three main encryption use cases in the project: hash files / credentials, symmetric encryption, and asymmetric encryption.

Hash and message digest

Hashes are typically used to generate file checksums or encrypted credentials. It is an one-way algorithm, the hash value can be calculated from the key in polynomial time, and is considered to be effective. On the contrary, finding the value that produces a given hash, called a collision, is inefficient and expensive to calculate. Consider birthday attacks take O (2 ^ (n / 2) time as an example. The behavior of one-way hash functions makes them suitable for credential storage or test data (for example, files) tampering. Even a small change file will significantly change the hash value.

Common hashing algorithms are: SHA-256,SHA-512 or older algorithms, such as MD5 and SHA-1, can be blacklisted in the jre / lib / security / java.security file under the jdk.certpath.disabledAlgorithms attribute.

When hashing the secret portion of the credential (for example, a password), the hash value should include a unique value for each user's salt. Salt is an encrypted random value, which is difficult to guess and is usually in the form of a long string of hexadecimal values or byte arrays. Containing salt prevents precomputation attacks, and attackers only need to look for pre-calculated values in dictionaries called rainbow tables. No Salting is required to hash non-secret information, such as file checking. It's best to use a key derivation function like PBKDF2 rather than your own credential hash, which we'll cover shortly.

Calculate the hash value of the given file:

MessageDigest md = MessageDigest. GetInstance ("SHA-256"); md. Update (fileinbytes); final byte [] hashed = md. DoFinal ()

This can use password-based key derivation (PBKDF2) to generate a hash of information that should be secret and more difficult to pre-calculate.

Final String password = "12345"; final String salt = "user@example.com"; final int iterations = 32

PBEKeySpec keySpec = new PBEKeySpec (password. ToCharArray (), salt. GetBytes (), iteration, 512)

SecretKeyFactory skf = SecretKeyFactory. GetInstance ("PBKDF2WithHmacSHA256")

Byte [] hashed = skf. GenerateSecret (keySpec). GetEncoded ()

Final String encoded = Base64. GetEncoder (). EncodeToString (hashed); system. Out. Println ("Code:" + Code); symmetric password

Symmetric passwords are used to encrypt and decrypt information. The symmetric password gets its name because the encryption and decryption operations use the same key. Symmetric cryptography is the foundation of cryptography, which is faster than asymmetric cryptography. Keys are usually long strings or byte arrays and are not easy to find in dictionaries.

Common symmetry algorithms include AES,Blowfish and DES. The following is an example of symmetric encryption and decryption.

Import javax. Encryption. Password; import javax. Encryption. Norms. IvParameterSpec; import javax. Encryption. Norms. SecretKeySpec; import java. It's clear. SecureRandom; import java. Util . Base64

Public class CryptoAdvent {public static String encrypt (byte [] key,byte [] initVector,String value) throws Exception {IvParameterSpec iv = new IvParameterSpec (initVector); SecretKeySpec skeySpec = new SecretKeySpec (key, "AES"); password = password. GetInstance ("AES / CBC / PKCS5PADDING"); password. INIT (password. ENCRYPT_MODE,skeySpec,IV)

Byte [] encrypted = cipher. DoFinal (value. GetBytes ("UTF-8")); string encoding = Base64. GetEncoder (). EncodeToString (encryption); return code;}

Public static String decrypt (byte [] key,byte [] initVector,String encrypted) throws Exception {IvParameterSpec iv = new IvParameterSpec (initVector); SecretKeySpec skeySpec = new SecretKeySpec (key, "AES"); password = password. GetInstance ("AES / CBC / PKCS5PADDING"); password. INIT (password. DECRYPT_MODE,skeySpec,IV)

Byte [] original = cipher. DoFinal (Base64. GetDecoder (). Decode (encrypt); return new String (original);}

Private static String bytesToHex (byte [] bytes) {StringBuilder sb = new StringBuilder (); for (byte b:bytes) {SB. Append (string. Format ("02X", b);} returns someone. ToString ();}

Public static void main (String [] args) {try {

/ / Note: each time the program runs, a new Key and initVector are generated. Real / / implementation you need to store the key and initVector as secret / / decrypt later. / / SecureRandom sr = new SecureRandom (); byte [] key = new byte [16]; sr. NextBytes (key); / / 128bit key byte [] initVector = new byte [16]; sr. NextBytes (initVector); / / 16-byte IV

The system. Out. Println ("Random key =" + bytesToHex (key)); system. Out. Println ("initVector =" + bytesToHex (initVector))

String payload = "this is the clear text of the article by Erik and Milton." ; system. Out. Println ("Original text =" + payload)

String encrypted = encrypt (key,initVector,payload); system. Out. Println ("encrypted text =" + encrypted)

String decryption = decryption (key, initVector, encryption); system. Out. Println ("Decrypted text =" + decrypted)

String result = decrypted. Equal to (payload)? "it works!" "something is wrong." ; system. Out. Println (result)

} catch (Exception t) {t. PrintStackTrace ();}

An example output is:

Random key = E5 01 B6 AC 9 C A5 6 D 64 08 DE AB DD 83 9 C E0 87initVector = AC 09 5 C B0 6 E 76 3 B E6 A4 2 B D7 4 C B3 4 B CE F8 original text = this is the original text from Eric and Milton. Encrypted text = / LQlJp7fR4Gkq5unWU4X + 5 qrje1WWKyCms + MPzcwsFf2eE + QHVr2RQDoJVfrSmoc / dM5ulrtk5z4z4evozprUQ = = decrypted text = this is the plaintext from Eric and Milton's article. Its work! Asymmetric cipher

Most Internet encryption, such as HTTPS, is built around asymmetric encryption. The advantage of asymmetric encryption is that it provides a way for clients and servers to securely negotiate keys and cipher suites, which are later used to protect data using common symmetric encryption techniques. Asymmetric encryption takes advantage of some new classes, such as KeyPair, PublicKey, PrivateKey, and Certificate. Each of these classes is designed to share a public key to access anyone over an untrusted network, and then encrypt the message using their own private key. The owners of the public key can then use their own private key to decrypt the message so that the two can talk.

The most common use of asymmetric encryption is to encrypt HTTPS communications with websites. In this case, each client has a list of known certification authorities that are used to establish identity and verify the owner of each site's public key.

Unlike browsers, most JRE have a truncated list of certificate authorities that contain many different certificates from Digicert, but not popular certificate authorities, such as Amazon Trust (AWS) or SSL.com. As a result, Java clients may not be able to authenticate some URL because of PKIX exceptions.

When this happens, developers should not just disable SSL authentication. Doing so simply ensures that the application sends information over a secure channel without knowing what is on the other end of the channel.

The correct mechanism is to add the root certificate to the lib / security / cacerts file:

Keytool-importcert-keystore lib/security/cacerts-alias awstrust-file awstrust.cer

While it is reasonable to add a root certificate to this root certificate authority store, things such as headphones do not require a root certificate, and if so, the private keys of these headphones should be kept private.

Effective patch management

Developers need to consider two areas to fix:

Keep pace with JRE

Keep up with the library loophole

Both Oracle JRE and Amazon Corretto are patched quarterly. Unlike Oracle JRE, whose Java 8 support ends in April 2019, Amazon Corretto promises free patches on a quarterly basis by 2023-about four years.

Java developers cannot resist the types of attacks that have recently attacked the Node community, thus stealing different amounts of bitcoin. For example, in 2014, an attack was carried out against Maven Central to modify the bytecode because it was moved to the network in the jar file. Although SSL can be enabled quickly in response, most JAR files are still not signed by the jarsigner tool, which makes it more difficult to detect tampering. Similar attacks took place elsewhere.

When vulnerabilities are found in third-party libraries, your application is almost defenseless until patches are deployed. This is why designing software applications, services, and infrastructure for quick fixes is critical to strong security. In addition to rapid deployment, testing is often a common obstacle. Most organizations postpone patching because they are not confident that patches will not disrupt production. This is why it is important to invest in high-quality unit test cases.

To monitor the security status of third-party libraries, developers such as OWASP Dependency Check or Contrast Community Edition can use free tools.

Many software buyers enforce this dependency analysis, called software portfolio analysis, in part because it can be easily detected simply by looking at the library. Developers who ignore this recommendation may find that their application is undeployed and subsequent invoices are unpaid.

General advice

Developers should be concerned about the types of data they have and how they protect it. Due to GDPR's regulatory environment, the default business approach of "saving all data" can become a serious business responsibility. The data may be new, but the oil is flammable, and when dealing with encrypted data, do not store the key with the encrypted data, as this can undermine the purpose.

Is it helpful for you to read the above content? If you want to know more about the relevant knowledge or read more related articles, please follow the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.