Getting started with RSA BSAFE® Share For JAVA - EMC ...
Getting started with
RSA BSAFE® Share for Java Platform 1.1
RSA, The Security Division of EMC,
July 16, 2009
Version 1.0, July 16, 2009
Introduction to Presentation
This presentation will help you get started using RSA BSAFE® Share for Java™ Platform (Share for Java).
Objective
As a result of this presentation you will be able to:
– Describe the features of Share for Java
Agenda
Introduction
Product Features
Feature comparison: Sun’s JRE 6.0
Feature comparison: RSA BSAFE Crypto-J, Cert-J and SSL-J
Introduction
Introduction
Agenda
– Product description
– Associated products
– Where to find more information
Introduction
Product Description
Share for Java is a pure Java security toolkit.
– Java is a computer programming language created by Sun Microsystems. The most recently released version is 6.0. See http://java.sun.com/ for more details.
– Pure Java means that Share for Java is written entirely in the Java programming language. It doesn’t use any native code libraries written in other programming languages such as C or C++.
– Share for Java is designed to be used by Java application developers: software engineers who develop computer programs using the Java programming language.
Introduction
Product Description
Share for Java is a pure Java security toolkit.
– A toolkit is a library or component part.
– Toolkits provide functionality via Application Programming Interfaces (APIs).
– Application developers use toolkits to provide functionality rather than having to write the source code for the functionality themselves. This allows complex components to be re-used, rather than having to be developed for each application.
Introduction
Product Description
Share for Java is a pure Java security toolkit.
– Security in terms of Share for Java means cryptography, Public Key Infrastructure (PKI), and Transport Layer Security (TLS).
• Cryptography: Algorithms that provide encryption, digital signatures, message digests and Pseudo Random Number Generation (PRNG).
• PKI: The technology which includes Digital Certificates. Digital Certificates are used to identify secure servers on the Internet and are used with encrypted and signed email.
• TLS: The technology which provides the security for secure https connections over the Internet.
– For an introduction to security, see the Security Concepts document which comes as part of the Share for Java release.
Introduction
Product Description
Share for Java:
– Is a pure Java security toolkit.
– Runs on Sun’s Java Standard Edition (SE) JRE 5.0 and 6.0 (1).
– Can be used in Java Enterprise Edition (EE) deployments which use the JBoss (1) application server.
Share for Java contains two jar files:
– shareCrypto.jar: Cryptographic and PKI functionality implemented as a Java Cryptography Extension (JCE) provider.
– shareTLS.jar: SSL v3.0, TLS v1.0, v1.1 and v1.2 functionality implemented as a Java Secure Socket Extension (JSSE) provider.
Note 1: Refer to the release notes for a detailed platform list.
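Because shareCrypto.jar plugs into the JDK as a JCE provider, an application only gets its algorithms from that provider if the provider is installed and ranked ahead of the JRE's own. The following Java program is an added example (not code from the Share for Java release or its documentation): it installs a provider by class name and then reports which installed provider actually services each algorithm. The provider class name and registered provider name are placeholders to be replaced with the values given in the Share for Java Developer's Guide; the algorithm strings are JCE standard names.

```java
import java.security.GeneralSecurityException;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import javax.crypto.Cipher;
import javax.crypto.Mac;

public class ProviderCheck {
    // Placeholders only: the provider class and its registered name are documented with the product.
    static final String PROVIDER_CLASS = "PLACEHOLDER.ShareCryptoProvider";
    static final String PROVIDER_NAME = "PLACEHOLDER_NAME";

    /** Installs the provider at the highest preference; false if the jar or class is absent. */
    static boolean installProvider(String className) {
        try {
            Provider p = (Provider) Class.forName(className).getDeclaredConstructor().newInstance();
            return Security.insertProviderAt(p, 1) != -1; // -1: a same-named provider is already installed
        } catch (Exception e) {
            return false; // shareCrypto.jar not on the classpath, or the placeholder was not replaced
        }
    }

    /** Name of the provider the JCE framework resolves for a service/algorithm pair. */
    static String providerFor(String service, String algorithm) throws GeneralSecurityException {
        if (service.equals("Cipher")) return Cipher.getInstance(algorithm).getProvider().getName();
        if (service.equals("Mac")) return Mac.getInstance(algorithm).getProvider().getName();
        if (service.equals("Signature")) return Signature.getInstance(algorithm).getProvider().getName();
        throw new IllegalArgumentException("unknown service: " + service);
    }

    /** Prints who serves each algorithm; true only when all of them come from the expected provider. */
    static boolean allServedBy(String expected, String[][] wanted) {
        boolean ok = true;
        for (String[] w : wanted) {
            String result;
            try {
                result = providerFor(w[0], w[1]);
            } catch (GeneralSecurityException e) {
                result = "not available from any installed provider";
            }
            ok &= result.equals(expected);
            System.out.printf("%-10s %-20s -> %s%n", w[0], w[1], result);
        }
        return ok;
    }

    public static void main(String[] args) {
        System.out.println("provider installed: " + installProvider(PROVIDER_CLASS));
        // JCE standard names for algorithms the deck lists (GCM mode, ECDSA, HMAC/SHA256).
        String[][] wanted = {{"Cipher", "AES/GCM/NoPadding"}, {"Signature", "SHA256withECDSA"},
                             {"Mac", "HmacSHA256"}};
        System.out.println("all from expected provider: " + allServedBy(PROVIDER_NAME, wanted));
    }
}
```

Run it once with the placeholders replaced on the deployment JRE: a false result means some algorithm is being served by a different provider than the one the deployment was validated against.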
Introduction
Associated Products: Share
Other Share products:
– RSA BSAFE® Share for C/C++: C language cryptographic, PKI and TLS toolkit.
– RSA BSAFE® Share Adapter: C language toolkit providing an OpenSSL compatible API.
• Uses Share for C/C++ to provide the underlying cryptographic capabilities.
Introduction
Associated Products: Crypto-J, Cert-J and SSL-J
Other BSAFE Java language products:
– RSA BSAFE® Crypto-J: Provides FIPS 140 validated pure Java cryptographic implementations, native cryptographic implementations, support for PKCS #11 devices, and support for both the JCE and the JSAFE API.
– RSA BSAFE® Cert-J: Provides the CertJ API for certificate management and other Public Key Infrastructure (PKI) services. Uses Crypto-J for cryptographic functionality.
• Note that the Java Certification Path (JCP) API which is offered in Cert-J 3.0 is being incorporated into Crypto-J 4.1’s and Share for Java’s JCE API.
– RSA BSAFE® SSL-J: SSL v3.0, TLS v1.0, v1.1 and v1.2 functionality is provided via the SSLJ and the JSSE API. Uses Crypto-J for cryptographic functionality.
Introduction
Associated Products: Crypto-J, Cert-J and SSL-J
[Diagram: API layering of the products. RSA BSAFE® SSL-J 5.1 (sslj.jar) exposes the SSLJ API and the JSSE API; RSA BSAFE® Share for Java™ Platform (shareTLS.jar) exposes the JSSE API. RSA BSAFE® Cert-J 3.1 (certj.jar) exposes the CERTJ API. RSA BSAFE® Crypto-J 4.1 (cryptoj.jar, cryptojFIPS.jar) exposes the JSAFE API and the JCE API; shareCrypto.jar exposes the JCE API.]
Introduction
More Information: Share for Java
Install Guide: Installation instructions.
Release Notes: Product features, platform list, known issues.
Security Concepts: Introduction to cryptography and security.
javadoc: API reference guide.
Developer’s Guide: Guidance on product usage.
Introduction
More Information: Share products and BSAFE products
Share products: www.rsashare.com
Share Community: https://community.emc.com/community/edn/rsashare
RSA BSAFE: http://www.rsa.com/node.aspxid=1204
Product Features
Product Features
Agenda
– Cryptographic features
– Public Key Infrastructure (PKI) features
– Transport Layer Security (TLS) features
– Further information
Product Features
Cryptographic
Asymmetric (public key) algorithms: RSA, DSA, DH, ECDSA, ECDH, ECDHC and ECIES.
Symmetric (secret key) ciphers: AES, triple-DES, DES, DESX, RC2, RC4, and RC5.
Message digests: MD2, MD5, RIPEMD160, SHA1, SHA224, SHA256, SHA384, and SHA512.
HMAC standards: HMAC/MD5, HMAC/SHA1, HMAC/RIPEMD160, HMAC/SHA224, HMAC/SHA256, HMAC/SHA384, and HMAC/SHA512.
Pseudo-random number generator (PRNG) algorithms: MD5-based PRNG, SHA1-based PRNG, FIPS 186-2 PRNG, Dual EC-DRBG, HMAC DRBG.
Password Based Encryption (PBE) algorithms and Password Based Key Derivation Function version 2 (PBKDF2).
Product Features
Public Key Infrastructure (PKI)
Digital Certificates: X.509, Extended Validation (EV), and Suite B.
X.509 Certificate Path Building and Validation: RFC 3280, RFC 5430 Suite B and the NSA’s “Suite B Base Certificate and CRL Profile”.
Certificate Status: Certificate Revocation Lists (CRL) and Online Certificate Status Protocol (OCSP).
Certificate Requests: PKCS #10, Certificate Request Message Format (CRMF), and Certificate Management Protocol (CMP).
Certificate Stores: In Memory and Lightweight Directory Access Protocol (LDAP).
Key Stores: Public Key Cryptography Standards (PKCS) #12.
Product Features
Transport Layer Security (TLS)
TLS with support for SSL v3, TLS v1, TLS v1.1 and TLS v1.2 protocols.
Support for associated standards:
– RFC 3546: TLS Extensions.
– RFC 4492: ECC Cipher Suites for TLS.
– RFC 5289: TLS EC Cipher Suites with SHA-256/384 and AES/GCM.
– RFC 5430: Suite-B Profile for TLS.
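Supporting SSL v3 through TLS v1.2 is a capability list; a deployment still has to decide which of those versions and suites it will actually negotiate. The Java program below is an added example (not code from the Share for Java release or its documentation) showing how a JSSE client restricts itself to TLS v1.1/v1.2 and to the RFC 5289 ECC/GCM suites the deck lists, and fails closed when the installed JSSE provider offers none of them instead of silently falling back to SSL v3 or TLS v1.0. The cipher suite strings are assumed to be the JSSE standard names; the peer host and port are placeholders and no connection is made.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class TlsPolicy {
    // Policy expressed with JSSE standard names (assumed to match the installed provider's names).
    static final String[] ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.1"};
    static final String[] ALLOWED_SUITES = {
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",   // RFC 5289
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",   // RFC 5289, also in the RFC 5430 Suite B profile
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",     // RFC 5289
    };

    /** Returns the allowed names the provider actually supports, keeping the policy's preference order. */
    static String[] intersect(String[] allowed, String[] supported) {
        List<String> sup = Arrays.asList(supported);
        List<String> out = new ArrayList<String>();
        for (String name : allowed) {
            if (sup.contains(name)) out.add(name);
        }
        return out.toArray(new String[out.size()]);
    }

    /** Applies the policy to a client-side engine; throws rather than negotiating anything weaker. */
    static SSLEngine configure(SSLContext ctx, String peerHost, int peerPort) {
        SSLEngine engine = ctx.createSSLEngine(peerHost, peerPort);
        engine.setUseClientMode(true);
        String[] protocols = intersect(ALLOWED_PROTOCOLS, engine.getSupportedProtocols());
        String[] suites = intersect(ALLOWED_SUITES, engine.getSupportedCipherSuites());
        if (protocols.length == 0 || suites.length == 0) {
            // On a JRE 6 without a TLS v1.1/v1.2 capable JSSE provider this is the expected outcome.
            throw new IllegalStateException("JSSE provider " + ctx.getProvider().getName()
                    + " offers none of the required TLS versions or cipher suites");
        }
        engine.setEnabledProtocols(protocols);
        engine.setEnabledCipherSuites(suites);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        // "TLS" selects the highest-preference JSSE provider; pass a provider name to pin one explicitly.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // default key and trust managers
        SSLEngine engine = configure(ctx, "placeholder.example", 443); // placeholder peer, no I/O is done
        System.out.println("provider:  " + ctx.getProvider().getName());
        System.out.println("protocols: " + Arrays.toString(engine.getEnabledProtocols()));
        System.out.println("suites:    " + Arrays.toString(engine.getEnabledCipherSuites()));
    }
}
```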
Product Features
Further Information
See the release notes for full details of supported:
– Cryptographic algorithms
– Key sizes and named elliptic curves
– Cipher suites
– TLS Extensions
– Protocols and Standards
Feature Comparison
Share for Java and Sun JRE 6.0
Feature Comparison: Sun JRE 6.0
Agenda
– Overall Differences
– Cryptographic features
– Public Key Infrastructure (PKI) features
– Transport Layer Security (TLS) features
Feature Comparison: Sun JRE 6.0
Overall Differences
Share for Java has:
– A straightforward upgrade path to RSA BSAFE Crypto-J / SSL-J.
– The ability to buy support.
– The ability to have defects fixed in a reasonable period of time.
– Greater algorithm and protocol support. In particular:
• Elliptic Curve Cryptography support in pure Java.
• Modern Transport Layer Security (TLS) standards support.
• Modern Pseudo Random Number Generator (PRNG) support.
Feature Comparison: Sun JRE 6.0
Cryptographic
Share for Java supports the following over Sun JRE 6:
– Asymmetric (public key) algorithms: ECDSA, ECDH, ECDHC and ECIES.
– Symmetric (secret key) ciphers: DESX.
• Symmetric feedback modes: CCM and GCM.
– Message digests: RIPEMD160.
– HMAC standards: HMAC/RIPEMD160.
– Pseudo-random number generator (PRNG) algorithms: MD5-based PRNG, FIPS 186-2 PRNG, Dual EC-DRBG, HMAC DRBG.
– Password Based Key Derivation Function version 2 (PBKDF2).
Feature Comparison: Sun JRE 6.0
Public Key Infrastructure (PKI)
Share for Java supports the following over Sun JRE 6:
– Digital Certificates: EV and Suite B.
– X.509 Certificate Path Building and Validation: RFC 5430 Suite B and the NSA’s “Suite B Base Certificate and CRL Profile”.
– Certificate Requests: PKCS #10 and CRMF.
– Key Stores: the PKCS #12 key store only uses FIPS 140 validated algorithms.
Feature Comparison: Sun JRE 6.0
Transport Layer Security (TLS)
Share for Java supports the following over Sun JRE 6:
– TLS with support for the TLS v1.1 and TLS v1.2 protocols.
– Support for associated standards:
• RFC 3546: TLS Extensions.
• RFC 5289: TLS EC Cipher Suites with SHA-256/384 and AES/GCM.
• RFC 5430: Suite-B Profile for TLS.
– Better TLS debug:
• Multi-threaded debug.
• Debug information stored to files.
Feature Comparison
Share for Java and Crypto-J/Cert-J/SSL-J
Feature Comparison: Crypto-J/Cert-J/SSL-J
Agenda
– Overall Differences
– Cryptographic features
– Public Key Infrastructure (PKI) features
– Transport Layer Security (TLS) features
– Further information
Feature Comparison: Crypto-J/Cert-J/SSL-J
Overall
Crypto-J/Cert-J/SSL-J have:
– Source code available.
– Greater platform support:
• Operating systems: Windows, Linux, Solaris, HPUX, AIX.
• JREs: Sun, IBM, JRockit, HP.
– Greater Application Server platform support:
• JBoss, WebLogic, WebSphere.
Feature Comparison: Crypto-J/Cert-J/SSL-J
Cryptography
Additional Crypto-J features:
– FIPS 140 validation.
– JSAFE API, which includes the additional algorithms:
• X9.31 PRNG
• Multi-prime RSA
– PKCS #11 support.
– Native crypto: native implementations of some algorithms are available.
– (Crypto-J 4.1) Hardware Security Module (HSM) entropy: entropy is typically supplied by the operating system. Crypto-J allows an entropy source to be specified. This could be an HSM.
Feature Comparison: Crypto-J/Cert-J/SSL-J
Public Key Infrastructure (PKI)
Additional Cert-J features:
– Cert-J API, which includes the additional features:
• Certificate fulfillment
• PKCS #7
Feature Comparison: Crypto-J/Cert-J/SSL-J
Transport Layer Security (TLS)
Additional SSL-J features:
– SSL-J API
Thank you!