
SOME SECURITY AND ENCRYPTION ISSUES IN JAVA

HN, 09/06

Lesson objectives:

1. Describe the JAR tool.
2. Create and view a JAR file; list and extract its contents.
3. Use digital signatures to identify applets.
4. Create a security key toolkit.
5. Work with digital certificates.
6. Learn about the java.security package.
7. A few concrete examples.

JAVA APPLET


Java was the first programming language to deliver interactive programs, alongside text, images and static information, over the World Wide Web. These programs are Java applets. A Java applet runs on the user's system rather than on the web server. A lack of security in an applet can lead to sensitive data on the applet user's machine being modified or read.

1. The JAR tool


A JAR file is a compressed archive created by Java's jar tool (jar.exe). It is similar to the PKZIP program: it holds many files inside a single archive (.jar). This makes downloading to the browser efficient. Using a jar with an applet noticeably improves the browser's performance: because all the compiled files are bundled into one file, the browser only needs to set up a single HTTP connection to the web server. Compressing the files cuts download time by 50%.

Syntax:

To use the JAR tool, type the following command at the prompt:

    jar [options] [manifest] jar-file input-file(s)

Option    Description
c         Create a new jar file
t         List the contents of the jar file
x         Extract the named files from the jar file
v         Produce verbose output on standard error
f         Specify the jar file name
m         Include manifest information from the named manifest file
0         Store only, do not compress
M         Do not create a manifest file for the entries

The following command stores all the class and java files in the current directory in a jar file named pack.jar:

    jar cf pack.jar *.class *.java

c creates an archive; f specifies the archive name.

The following command lists the files in pack.jar:

    jar tf pack.jar

t lists the table of contents of the archive; f specifies the archive file name.

To attach the archive pack.jar to an applet, open the HTML page and add the ARCHIVE=pack.jar attribute to the applet tag:

    <applet code=exr7.class ARCHIVE=pack.jar height=125 width=350></applet>

ARCHIVE tells the browser to load the archive pack.jar and look for exr7.class inside it. The following command extracts the compressed files from pack.jar:

    jar xvf pack.jar

The x option lets you extract the contents of the file.

2. Digital signatures to identify applets

In Java, securing applets on the web is a very important part. Hackers can write dangerous applets that break through the security fence. The language therefore restricts what an applet may do. An applet does not support the following operations:

- reading and writing files on the system where the applet is running;
- obtaining information from the system's files;
- deleting the system's files.

Java 2 allows all of the above operations for applets supplied by a trusted applet provider and digitally signed.

[Figure: the key encryption process (image not reproduced)]

A digital signature is an encrypted file that accompanies a program and helps identify the file's origin precisely. The secret key computes a value from the applet file. The holder of the secret key checks the object's contents.

In a digital signature, a private key is used for encryption and the public key is used for decryption. When signing an object, the signer uses a message digest algorithm (such as MD5) to compute the digest value of the object. The digest value serves as the object's 'fingerprint'. The digest is then encrypted with the private key, producing the object's digital signature. The public key is used to decrypt it and check it: the result of the decryption is the digest value. The digest value of the object is recomputed and compared with the decrypted digest value. If the object's digest value and the decrypted digest value match, the signature is confirmed. A document carrying such a signature is called a certificate.
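
As an added example (not part of the original lecture), the sign-then-verify cycle described above carried out with the java.security classes covered in section 5: the digest is computed, signed with the private key and checked with the public key, and a tampered copy fails the check. The message bytes are constructed here, and SHA256withRSA stands in for the MD5 named in the text, since MD5 is no longer acceptable for signatures.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;

// Added example: digest, sign and verify with java.security (not from the lecture).
public class SignDemo {

    // The object's "fingerprint". Shown on its own for illustration; Signature
    // computes the same digest internally before signing.
    static byte[] digest(byte[] data) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(data);
    }

    // Signer side: the digest of the data is signed with the private key.
    static byte[] sign(byte[] data, PrivateKey priv) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(priv);
        s.update(data);
        return s.sign();
    }

    // Verifier side: the public key recovers the signed digest and compares it
    // with a freshly computed digest of the data.
    static boolean verify(byte[] data, byte[] sig, PublicKey pub) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(pub);
        s.update(data);
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();

        // Constructed stand-in for the applet bytes that would be signed.
        byte[] applet = "constructed applet bytes".getBytes(StandardCharsets.UTF_8);
        byte[] sig = sign(applet, kp.getPrivate());
        System.out.println("digest:    " + Base64.getEncoder().encodeToString(digest(applet)));
        System.out.println("signature: " + Base64.getEncoder().encodeToString(sig));
        System.out.println("valid:     " + verify(applet, sig, kp.getPublic()));

        // Flipping one bit changes the digest, so the same signature is rejected.
        byte[] tampered = applet.clone();
        tampered[0] ^= 0x01;
        System.out.println("tampered valid: " + verify(tampered, sig, kp.getPublic()));
    }
}
```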

To establish trust, the applet's identity is certified. Certification guards against other entities using a forged public key. A certificate authority (CA) is used to perform the certification. To obtain a certificate from a CA, the applet's author must present documents proving its identity. Companies currently offering certification services include:

- VeriSign
- Thawte Certification




You can set different security levels. An applet can be granted full trust or no trust with the help of a set of classes called permissions. In general, however, applets are restricted as much as possible unless the developer signs the applet, which identifies the developer as trusted.

3. Java security keys




We need three tools, namely jar, jarsigner and keytool, before we can use signed applets. We need to create a public/private key pair and make it available to the jarsigner tool.

Now we will use these tools to create a keystore. Keystore: a keystore is a key database that holds the certificates used to identify public key values. Keytool: keytool is Java's security key tool; it creates and manages public keys, private keys and security certificates. It can also:

- manage public/private key pairs;
- store public keys;
- use certificates to authenticate other certificates;
- authenticate the source of data.

All the information keytool manages is stored in a database called the keystore. Sun has a default keystore that uses a new file format called JKS (Java key store). To check whether your system already has a keystore in this format, run the following at the command prompt:

    keytool -list

The following error message appears if your keystore contains nothing:

    keytool error: keystore file does not exist: c:\windows\.keystore

The JDK looks for the main keystore in the C:\windows\ directory. This is a common location for important system files on Windows 95, 98 and NT systems.

The -keystore option can also be used with the keytool command, as follows:

    keytool -list -keystore c:\java\try

This command tells the JDK to look for the keystore in the file named try in the C:\java\ directory. If C:\java\try is not found, the same error message as above is displayed. The -genkey option can be used with the keytool command to create a public/private key pair. You can also use a number of other options. The simplest form is:

    keytool -genkey -alias I

The alias can be used to store, replace or delete the key pair. Keytool aliases are not case-sensitive. In the command above we did not use the -keystore option. If the same command is written with the -keystore option, it becomes:

    keytool -genkey -alias I -keystore store

With this command, the key pair is stored in the keystore named store rather than in the system's default keystore.

After you enter the command above and press Enter, keytool prompts you for the keystore password, as follows:

    Enter keystore password:

Type the password as requested.

Next, keytool prompts you for additional information, such as:

    What is your first and last name?
      [Unknown]: Bob Fernandes
    What is the name of your organizational unit?
      [Unknown]: Software Development
    What is the name of your organization?
      [Unknown]: ABC Consultants
    What is the name of your City or Locality?
      [Unknown]: California
    What is the name of your State or Province?
      [Unknown]: United States of America
    What is the two-letter country code for this unit?
      [Unknown]: US

Once you have entered the information, keytool displays the following:

    Is <CN=Bob Fernandes, OU=Software Development, O=ABC Consultants, L=California, ST=United States of America, C=US> correct?
      [no]:

Finally, keytool prompts you for the password of your private key:

    Enter key password for <I>
      (RETURN if same as keystore password):

The information above is used to associate the distinguished name with the alias. It can also be supplied directly with the -dname option.

The last password is distinct from the keystore password: it is used to access the private key of the key pair. It can be given directly with the -keypass option. If no password is given, the keystore password is used. The -keypasswd option changes the password. The -keyalg option specifies the algorithm used to generate the key pair. Once you have created a key and added it to the keystore, you can use keytool's -list option to check whether the key is in the keystore.

To delete a key pair from the database, use the following command:

    keytool -delete -alias aliasName

aliasName is the name of the key to delete. Now that we have created the private/public key pair for the JAR file, let us sign it. The jarsigner command signs a JAR file. Type the following at the DOS prompt:

    jarsigner -keystore keyStore -storepass storePassword -keypass keyPassword JARFileName Alias

The following table describes the JARFileName and alias parameters:

Parameter        Description
keyStore         Name of the keystore to use (store)
storePassword    Keystore password
keyPassword      Private key password
JARFileName      Name of the JAR file to be signed
Alias            Alias of the signer

To sign the JAR file pack.jar with the keystore store, where both the keystore password and the private key password are password, use:

    jarsigner -keystore store -storepass password -keypass password pack.jar pk

pk is the alias name. If the -keystore option is not given, the default keystore is used.

To verify the signature of a signed JAR file, use the -verify option:

    jarsigner -verify pack.jar

pack.jar is the name of the JAR file. If the signature is not valid, the following exception is raised:

    jarsigner: java.util.zip.ZipException: invalid entry size (expected 900 but got 876 bytes)

Otherwise, the message jar verified appears.

The verification process checks the following steps:

- the .DSA file contains a valid signature for the .SF signature file;
- the entries in the signature file are the digests of the corresponding entries in the manifest file.
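
The same two checks can be driven from Java code over a signed JAR; this is an added example, not from the original lecture, and it assumes the JAR path (for instance pack.jar) is passed as the first command-line argument.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example: report which content entries of a JAR lack a valid signature.
// JarFile(path, true) checks each entry's digest against the .SF file (itself
// checked against the .DSA/.RSA signature block) while the entry is read; a
// digest mismatch raises java.lang.SecurityException.
public class JarSignCheck {

    static List<String> unsignedEntries(String path) throws Exception {
        List<String> unsigned = new ArrayList<>();
        try (JarFile jar = new JarFile(path, true)) {   // true = verify signatures
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                // The manifest and signature files under META-INF are skipped.
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                byte[] buf = new byte[8192];
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* read to the end so the digest is checked */ }
                }
                // getCodeSigners() is only meaningful once the entry has been fully read.
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null || signers.length == 0) {
                    unsigned.add(e.getName());
                } else {
                    X509Certificate leaf = (X509Certificate)
                        signers[0].getSignerCertPath().getCertificates().get(0);
                    System.out.println(e.getName() + " signed by "
                        + leaf.getSubjectX500Principal().getName());
                }
            }
        }
        return unsigned;
    }

    public static void main(String[] args) throws Exception {
        List<String> unsigned = unsignedEntries(args[0]);
        if (unsigned.isEmpty()) {
            System.out.println("jar verified: every content entry is signed");
        } else {
            System.out.println("unsigned entries: " + unsigned);
        }
    }
}
```

An entry with a wrong digest stops the run with a SecurityException rather than appearing in the list, so both failure modes of the jarsigner check are surfaced.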

4. Digital certificates


So far we have learned how to create and sign a JAR file. Now we will learn how to export digital certificates, which are used to verify the signatures of JAR files. We will also learn how to import digital certificates from another file. A digital certificate is a file, an object or a message signed by a certificate authority. The CA issues certificates that vouch for public key values. The X.509 certificate of the International Standards Organization is a common form of digital certificate. Keytool supports these certificates.

The first step with keytool is to obtain a certificate. We use the certificate to create the private/public key pair. Keytool imports certificates that have been created and signed. Keytool automatically binds each new public key to a new certificate. The same entity that created the public key signs this certificate, which is why it is called a self-signed certificate. Such certificates are not trustworthy proof of identity. They are needed, however, to create certificate-signing requests.

Keytool and its options are used to create these certificates. The following command creates a certificate-signing request:

    keytool -keystore store -alias mykey -certreq -file mykey.txt

The key pair used is mykey. The -file option names the file in which the certificate-signing request is saved. Use the -export option to export a certificate, as follows:

    keytool -export -keystore store -alias pk -file mykey

This command displays the following prompt:

    Enter keystore password:

and then reports that the certificate has been stored in file <mykey>.

To import another certificate into your keystore, enter the following command:

    keytool -import -keystore keystore -alias alias -file filename

The file name given is the file containing the certificate to be imported. The following command uses the alias alice to import the certificate in the file mykey into the keystore MyStore:

    keytool -import -keystore MyStore -alias alice -file mykey

This command displays the following prompt:

    Enter keystore password:

The output shows two fields, Owner and Issuer. It displays the name, organizational unit, organization, locality, state and country. It also shows the serial number and the validity period. Finally, it asks whether this certificate should be trusted. The certificate is accepted on the basis of your own trust. Use the -list option to list the contents of the keystore, as follows:

    keytool -list -keystore Store

This command asks for the keystore password.

Use the -alias option to list a single entry. Use -delete to remove an alias from the keystore:

    keytool -delete -keystore Store -alias alias

Use -printcert to print a certificate stored in a file:

    keytool -printcert -file myfile

Use -help to get the list of all options keytool supports:

    keytool -help

5. Java security packages




The Java security packages are:

- java.security: the main security API package. It contains the classes and interfaces supporting encryption, digests and digital signatures.
- java.security.acl: contains the interfaces used to implement access control policies.
- java.security.cert: provides support for X.509 certificates.
- java.security.interfaces: defines the interfaces for accessing the Digital Signature Algorithm.
- java.security.spec: provides algorithm-independent and algorithm-dependent classes for key specifications.

Summary: if security in an applet is not guaranteed, sensitive data can be modified or exposed. The main purpose of JAR is to bundle the files an applet uses into a single compressed file, which lets applets load into the browser efficiently. A manifest file holds information about the archived files. A digital signature is an encrypted value that accompanies a program to identify the file's origin precisely.

A keystore is a key database. Keytool is Java's security key tool. A digital certificate is a file, an object or a message signed by a certificate authority.

Knowledge check:

1. A ________ file is a compressed archive file.
2. The _____ option, when used with the jar tool, extracts the named files from an archive (.jar).
3. JAR creates a manifest file automatically, even if none is specified. True/False
4. The ______ attribute, when used in the applet tag, tells the browser to load the jar file and look for the applet's class file in it.

5. In a digital signature, the _______ is used for encryption and the _________ is used for decryption.
6. All the information keytool manages is stored in a database called the _______.
7. The first step with keytool is to obtain a certificate. True/False
8. The _______ package contains the interfaces used to implement access control policies.

Exercises

Use the Java commands to carry out the following actions:

1. Create a jar file core-java.jar containing the core class files (.class) and the source files.
2. List the contents of the jar file.
3. Create an HTML file embedding the applet CardLayoutDemo.class, whose class file is contained in the jar file.
4. Extract the contents of the jar file.
5. Use the keytool command with an alias name and a keystore to create a public/private key pair.
6. Sign the newly created jar file.
7. Verify the signature.
8. Export the certificate.
9. List the contents of the keystore.
10. Print the certificate stored in the file.
