Date: Thu, 4 Jun 1998 15:29:39 -0700 (PDT)
From: Marianne Mueller <Marianne.Mueller@Eng>
Subject: Re: But what does that get me...?
To: java-security@web2.javasoft.com, felts@subrosa.com
Signed code (or digital signatures in general) get you two things:
1) authentication -- you know for sure where the code came from or who
published it
2) integrity -- you know for sure that the bits you are using are 100% the
same bits that the publisher wanted you to use
If anyone changes the file (changes any of the bits), the verification of
the digital signature will fail.
Other Java technologies for encryption are JCE (cryptographic extension,
requires JDK 1.2) and SSL (bundled with the Java Web Server and HotJava
Browser -- provides an encrypted communication channel between two parties
on the internet.)
Security is not limited to crypto features - the Java security model
relies on safety features in the Java language (no pointers, type safety,
bounds-checked arrays, immutable strings, ...), safety features at the
VM (virtual machine == interpreter) layer, such as classloader and verifier,
and safety features at the application layer, that is, a security policy
enforced by the SecurityManager.
Java security: http://java.sun.com/security
http://java.sun.com/sfaq
JCE: http://java.sun.com/products/jdk/1.2/jce/
New features
in JDK 1.2:
http://java.sun.com/products/jdk/1.2/docs/guide/security/index.html
If you're interested in cryptography, a good reference book is
Bruce Schneier's "Applied Cryptography." He has a web page
at www.counterpane.com.