Difference between revisions of "Protecting code archives with digital signatures"

 

Revision as of 04:59, 21 November 2006

An example with OSGi bundles

The OSGi platform provides support for the life cycle of bundles, from installation through execution to removal. This implies that security for OSGi must be considered along the whole life cycle, and in particular that deployment is taken into account.

Security implies three main aspects:

  • Integrity,
  • Authentication,
  • and Confidentiality.

The OSGi specification proposes to enforce the first two properties, Integrity and Authentication, which cannot be considered separately. In fact, guaranteeing integrity without authentication means that anybody can provide the data, and authentication without integrity means that anybody can change the data. Confidentiality is not considered, because it implies that security-unaware systems are excluded.
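The following Java program illustrates why integrity alone is not enough: a digest shipped next to an archive still matches after both are replaced, while a signature checked against an already trusted public key fails for the replaced archive. It is an added example, not code from the original page and not the OSGi signing algorithm; the class name, the key handling and the archive contents are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;

public class IntegrityVsAuthentication {

    // Integrity only: compare the archive with the digest delivered alongside it.
    static boolean digestMatches(byte[] archive, byte[] shippedDigest) throws GeneralSecurityException {
        byte[] actual = MessageDigest.getInstance("SHA-256").digest(archive);
        return MessageDigest.isEqual(actual, shippedDigest);
    }

    static byte[] sign(byte[] archive, PrivateKey key) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(archive);
        return s.sign();
    }

    // Integrity and authentication: the signature must verify under a key
    // the receiver trusted before the archive arrived.
    static boolean signatureValid(byte[] archive, byte[] sig, PublicKey trusted) throws GeneralSecurityException {
        Signature v = Signature.getInstance("SHA256withRSA");
        v.initVerify(trusted);
        v.update(archive);
        try { return v.verify(sig); } catch (SignatureException e) { return false; }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair publisher = gen.generateKeyPair(); // assumption: its public key is pre-installed as trusted
        KeyPair otherParty = gen.generateKeyPair(); // any key the receiver does not trust

        // Constructed sample data standing in for archive bytes.
        byte[] original = "constructed bundle content".getBytes(StandardCharsets.UTF_8);
        byte[] replaced = "constructed bundle content, replaced".getBytes(StandardCharsets.UTF_8);

        // Case 1: archive and digest are swapped together; the digest check cannot tell.
        byte[] recomputed = MessageDigest.getInstance("SHA-256").digest(replaced);
        System.out.println("digest only, replaced archive:   " + digestMatches(replaced, recomputed));

        // Case 2: the publisher's signature over the original archive.
        byte[] sig = sign(original, publisher.getPrivate());
        System.out.println("signature, original archive:     " + signatureValid(original, sig, publisher.getPublic()));
        // Case 3: replaced archive presented with the publisher's old signature.
        System.out.println("signature, replaced archive:     " + signatureValid(replaced, sig, publisher.getPublic()));
        // Case 4: replaced archive re-signed with an untrusted key.
        byte[] otherSig = sign(replaced, otherParty.getPrivate());
        System.out.println("signature, re-signed by another: " + signatureValid(replaced, otherSig, publisher.getPublic()));
    }
}
```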

We present here the principles of secure deployment, the threats that exist, and the solution proposed by the OSGi specification. The structure of a signed bundle as well as the algorithm for signing and validating a bundle are shown.