Comparison of Java and. Net security functions (zz)

This article is based on the translation and excerpt from Denis piliptchouk's article. Some terms are not well understood. For more information, see the original article.

Part 1 Security Configuration and code Encapsulation

Security Configuration

Both platforms use XML or plain text files. The biggest difference between the two platforms is that they process different Security Configuration Systems.

On the. NET platform, there are two ways to modify security configuration parameters: graphical interface and command line. Mscorcfg.mscis the graphic interface format. caspol.exe provides the command line method for batch processing or configuration text.

Java platform only uses the graphic interface tool policytool.exe. Different from. net, the name and location of its target object (configuration file) are not fixed.

. Net defines different security configuration files: system scope, local scope, and user scope. When there is a configuration conflict, in principle, a small range of parameters have priority.

The core configuration files of Java and J2EE are stored in a fixed location, but the extension configuration files vary with the manufacturer.

Code encapsulation: Test

Both Java and. NET Common Library Runtime (CLR) Implement Memory Security or type security protection mechanisms, and the security of applications developed on these platforms can also be verified. Their implementation mechanisms are quite different.

In. net, CLR always executes compiled code without interpreting the code. However, before the intermediate language (IL) is compiled, the compiler will perform verification and validation steps. The first step is to check the file structure and code integrity. The second step includes some extended checks, including memory security, stack tracking, data stream analysis, and type checks. In the running stage, ves (virtual execution system) is responsible for security checks and handling error incidents.

On the Java platform, the Java Virtual Machine (JVM) is responsible for loading, linking, testing, and executing classes. For compiled and optimized code, JVM also uses two unconditional call stacks to retain the original byte code information.

Conclusion: unlike. net, the default JVM setting does not check local code. In addition, the JVM retains the initial byte code for runtime check, while. Net combines static analysis and runtime insert Validation Code.

Code encapsulation: Application Isolation

In. net, domain isolation is based on the memory security mechanism. different domains cannot directly access each other's address space and can only access it through the. NET remote communication mechanism.

On the Java platform, application isolation is achieved through the combination of classloaders and protectiondomains. Security class loading is the cornerstone of the JVM security mechanism.

Summary:. Net AppDomains are more direct and easier to use than Java protectiondomains, just like operating system processes.

Code encapsulation: Language Features

The two platforms are basically the same, and. NET is slightly more flexible.

Summary:

Java has many advantages in security configuration.. NET is more selective and easy to use in code encapsulation.

Part 2 encryption and communication

Encryption Method: overview

. Net encryption is mainly based on CryptoAPI and related extensions. Most encryption classes are in system. Security. cryptography, x509centificates, and XML .. Net uses stream-based models for encrypted transmission. All algorithms are set to the highest security level by default .. Net also allows users to define their own algorithms in machine. config.

The encryption algorithm of the Java platform consists of Java Cryptography Architecture (JCA) and Java Cryptography Extension (JCE ). JCE exports are restricted by relevant laws. If you want to use your own encryption algorithm, you must be certified by the certification authority (sun or IBM.

Encryption Method: Algorithm

. Net mainly provides the following types of encryption algorithms: asymmetric algorithms, hash algorithms, symmetric algorithms, and random number generation algorithms.

Java provides more encryption algorithms, but fewer third-party vendors can provide their own algorithms in Java.

Secure Communication

SSL is already an industrial standard for transport security. Both Java and. net support the latest SSL 3.0 version.

Secure Communication: Platform

. Net only uses SSL in IIS-based applications to protect HTTP transmission. For non-IIS applications,. Net cannot protect data in transmission.

In Java, JSSE (Java Secure Socket extensions) provides platform-level services to Ensure TCP/IP-based communication security.

Except for IIS,. Net does not provide any standard scheme for communication protection at the platform level, but Java provides a full set of solutions in this respect.

Secure Communication: Applications

. NET provides the latest web service security assurance through the WSA (Web Service Architecture) and WSE (Web Service Extension) packages. Java has not yet provided such support.

Summary: In terms of encryption methods, Java and. net is basically no big difference; in terms of communication protection, Java ratio. NET provides more options, but Java is much more secure than Web Services. net lags behind.