Re: [GNU Crypto] how to deal with weak keys. was: Documentation

gnu-crypto-discuss

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [GNU Crypto] how to deal with weak keys. was: Documentation

From:	Marcel Winandy
Subject:	Re: [GNU Crypto] how to deal with weak keys. was: Documentation
Date:	Fri, 6 Jun 2003 15:26:21 +0200
User-agent:	KMail/1.4.3

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Raif!

Raif S. Naffah wrote:
> > There is another issue about the security manager. The security
> > manager can be exchanged or even absent. Since J2SE, it is better to
> > use the Access Controller directly because it is always present and
> > cannot be exchanged.
>
> can you point to example code?

Consider a class "A" providing a method "getSecret()". There is a permission 
class, "MyPermission", to access A's getSecret() method. A named permission, 
called "getSecret" is created and checked in the getSecret() method.

Using the security manager you would first check for its presence:
- -------------------------------------------
  if (sm != null) {  
     /* verify permission */ 
  }
- -------------------------------------------

However, newer Java versions delegate all requests to the AccessController 
which implements the standard access control algorithm. The AccessController 
is always present and cannot be altered during runtime. The example code 
according to class "A" will look like this when using the AccessController 
directly:
- 
--------------------------------------------------------------------------------------------------------
public Object getSecret() {
  try {
    AccessController.checkPermission(new MyPermission("getSecret"));
  }
  catch (AccessControlException) {
    // output: Access denied!
  }
  return secret;
}
- 
--------------------------------------------------------------------------------------------------------

It is strongly recommended to use the AccessController instead of a security 
manager (see [2]). The example is taken from [1].

Bye,
 Marcel

[1] M. Winandy, A.B. Cremers, A. Spalka, H. Langweg, "Protecting Java 
Component Integrity Against Trojan Horse Programs", Integrity and Internal 
Control in Information Systems V, Kluwer, 2003.
[2] L. Gong, "Inside Java 2 Platform Security", Addison-Wesley, 1999.
- -- 
Marcel Winandy
EMail: address@hidden
http://www-student.informatik.uni-bonn.de/~winandy/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD4DBQE+4JaAjqlzsXwzXNwRAkgfAKCCHigdxKOTCSgMBuGSpBA+6TelTgCXRd02
2yRDHvzgzY2zfCe7hPn4Ug==
=S7FN
-----END PGP SIGNATURE-----

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [GNU Crypto] how to deal with weak keys. was: Documentation, Marcel Winandy <=
- Re: [GNU Crypto] how to deal with weak keys. was: Documentation, Raif S. Naffah, 2003/06/06
  - Re: [GNU Crypto] how to deal with weak keys. was: Documentation, Marcel Winandy, 2003/06/07

Prev by Date: resolution. was: [GNU Crypto] how to deal with weak keys.
Next by Date: Re: resolution. was: [GNU Crypto] how to deal with weak keys.
Previous by thread: resolution. was: [GNU Crypto] how to deal with weak keys.
Next by thread: Re: [GNU Crypto] how to deal with weak keys. was: Documentation
Index(es):
- Date
- Thread