Inside Java 2 Platform Security Architecture API

Design and Implementation 2nd Edition Li Gong

pdf download

https://ebookname.com/product/inside-java-2-platform-security-
architecture-api-design-and-implementation-2nd-edition-li-gong/

Get Instant Ebook Downloads – Browse at https://ebookname.com

Instant digital products (PDF, ePub, MOBI) available
Download now and explore formats that suit you...

Java Data Mining Strategy Standard and Practice A

Practical Guide for architecture design and
implementation 1st Edition Mark F. Hornick

https://ebookname.com/product/java-data-mining-strategy-standard-
and-practice-a-practical-guide-for-architecture-design-and-
implementation-1st-edition-mark-f-hornick/

API Std 1164 SCADA Security First Edition Api

https://ebookname.com/product/api-std-1164-scada-security-first-
edition-api/

Software Architecture Design Patterns in Java 1st

Edition Partha Kuchana

https://ebookname.com/product/software-architecture-design-
patterns-in-java-1st-edition-partha-kuchana-2/

Organizational Behaviour Canadian Edition Mitchell J.

Neubert

https://ebookname.com/product/organizational-behaviour-canadian-
edition-mitchell-j-neubert/
A Revised List of Roman Memorial and Triumphal Arches
Analecta Gorgiana 1st Edition Arthur Frothingham

https://ebookname.com/product/a-revised-list-of-roman-memorial-
and-triumphal-arches-analecta-gorgiana-1st-edition-arthur-
frothingham/

The Stuffed Owl An Anthology of Bad Verse D.B. Wyndham

Lewis

https://ebookname.com/product/the-stuffed-owl-an-anthology-of-
bad-verse-d-b-wyndham-lewis/

Mobile Citizenship Spatial Privilege and the

Transnational Lifestyles of Senior Citizens 1° Edition
Margit Fauser

https://ebookname.com/product/mobile-citizenship-spatial-
privilege-and-the-transnational-lifestyles-of-senior-
citizens-1-edition-margit-fauser/

Introduction to the Mathematics of Medical Imaging 2nd

Edition Charles L. Epstein

https://ebookname.com/product/introduction-to-the-mathematics-of-
medical-imaging-2nd-edition-charles-l-epstein/

Security Awareness Applying Practical Security in Your

World 3rd Edition Mark Ciampa

https://ebookname.com/product/security-awareness-applying-
practical-security-in-your-world-3rd-edition-mark-ciampa/
The Moral Wager Evolution and Contract 1st Edition
Malcolm Murray

https://ebookname.com/product/the-moral-wager-evolution-and-
contract-1st-edition-malcolm-murray/
 Inside Java™ 2 Platform Security:

Architecture, API Design, and

Implementation, Second Edition

By Li Gong, Gary Ellison, Mary Dageforde

Publisher: Addison Wesley

Pub Date: June 06, 2003

ISBN: 0-201-78791-1
Copyright

Many of the designations used by manufacturers and sellers to distinguish their

products are claimed as trademarks. Where those designations appear in this
book, and Addison-Wesley was aware of a trademark claim, the designations
have been printed with initial capital letters or in all capitals.

The authors and publisher have taken care in the preparation of this book, but
make no expressed or implied warranty of any kind and assume no
responsibility for errors or omissions. No liability is assumed for incidental or
consequential damages in connection with or arising out of the use of the
information or programs contained herein.

The publisher offers discounts on this book when ordered in quantity for bulk
purchases and special sales. For more information, please contact:

U.S. Corporate and Government Sales

(800) 382-3419
corpsales@pearsontechgroup.com

For sales outside of the U.S., please contact:

International Sales
(317) 581-3793
international@pearsontechgroup.com

Visit Addison-Wesley on the Web: www.awprofessional.com

Library of Congress Cataloging-in-Publication Data is available.

Copyright © 2003 by Sun Microsystems, Inc.

150 Network Circle, Santa Clara, California 95054, U.S.A.

All rights reserved.

Duke™ designed by Joe Palrang

Sun, Sun Microsystems, Sun Microsystems Computer Corporation, the Sun logo,
the Sun Microsystems Computer Corporation logo, Java, JavaSoft, Java Software,
JavaScript, Java Authentication and Authorization Service, JAAS, Java
Cryptography Extension, JCE, Java GSS-API, Java Secure Socket Extension, JSSE,
Java IDL, Java Plug-in, Java Remote Method Invocation, Java RMI, Java Web Start,
EmbeddedJava, PersonalJava, JVM, JavaOS, J2EE, J2ME, J2SE, JDK, and J2SDK are
trademarks or registered trademarks of Sun Microsystems, Inc. UNIX® is a
registered trademark in the United States and other countries, exclusively
licensed through X/Open Company, Ltd. All other product names mentioned
herein are the trademarks of their respective owners.

Sun Microsystems, Inc. has intellectual property rights relating to technology

described in this publication. In particular, and without limitation, these
intellectual property rights may include one or more of the U.S. patents listed
at http://www.sun.com/patents and one or more additional patents or pending
patent applications in the U.S. and other countries.

THIS PUBLICATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,

EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE, OR NON-INFRINGEMENT.

THIS PUBLICATION COULD INCLUDE TECHNICAL INACCURACIES OR

TYPOGRAPHICAL ERRORS. CHANGES ARE PERIODICALLY ADDED TO THE
INFORMATION HEREIN; THESE CHANGES WILL BE INCORPORATED IN NEW
EDITIONS OF THE PUBLICATION. SUN MICROSYSTEMS, INC. MAY MAKE
IMPROVEMENTS AND/OR CHANGES IN THE PRODUCT(S) AND/OR THE
PROGRAM(S) DESCRIBED IN THIS PUBLICATION AT ANY TIME.

All rights reserved. No part of this publication may be reproduced, stored in

a retrieval system, or transmitted, in any form, or by any means, electronic,
mechanical, photocopying, recording, or otherwise, without the prior consent of
the publisher. Printed in the United States of America. Published simultaneously
in Canada.

For information on obtaining permission for use of material from this work,
please submit a written request to:

Pearson Education, Inc.

Rights and Contracts Department
75 Arlington Street, Suite 300
Boston, MA 02116
Fax: (617) 848-7047

Text printed on recycled paper

1 2 3 4 5 6 7 8 9 10—CRS—0706050403

First printing, May 2003

Dedication
To Roger Needham, 1935–2003

My supervisor, mentor, colleague, and friend

—Li Gong

To SAM

—Gary Ellison

To my husband, Tom Wills

—Mary Dageforde
The Java™ Series

Lisa Friendly, Series Editor

Tim Lindholm, Technical Editor

Ken Arnold, Technical Editor of The Jini™ Technology Series

Jim Inscore, Technical Editor of The Java™ Series, Enterprise Edition

http://www.javaseries.com

Eric Armstrong, Stephanie Bodoff, Debbie Carson, Maydene Fisher, Dale Green,
Kim Haase
The Java™ Web Services Tutorial

Ken Arnold, James Gosling, David Holmes

The Java™ Programming Language, Third Edition

Joshua Bloch
Effective Java™ Programming Language Guide

Mary Campione, Kathy Walrath, Alison Huml

The Java™ Tutorial, Third Edition: A Short Course on the Basics

Mary Campione, Kathy Walrath, Alison Huml, Tutorial Team

The Java™ Tutorial Continued: The Rest of the JDK™

Patrick Chan
The Java™ Developers Almanac 1.4, Volume 1

Patrick Chan
The Java™ Developers Almanac 1.4, Volume 2

Patrick Chan, Rosanna Lee

The Java™ Class Libraries, Second Edition, Volume 2: java.applet, java.awt,
java.beans

Patrick Chan, Rosanna Lee, Doug Kramer

The Java™ Class Libraries, Second Edition, Volume 1: java.io, java.lang, java.math,
java.net, java.text, java.util

Patrick Chan, Rosanna Lee, Doug Kramer

The Java™ Class Libraries, Second Edition, Volume 1: Supplement for the Java™ 2
Platform, Standard Edition, v1.2

Kirk Chen, Li Gong

Programming Open Service Gateways with Java™ Embedded Server

Zhiqun Chen
Java Card™ Technology for Smart Cards: Architecture and Programmer's Guide

Maydene Fisher, Jon Ellis, Jonathan Bruce

JDBC™ API Tutorial and Reference, Third Edition

Li Gong, Gary Ellison, Mary Dageforde

Inside Java™ 2 Platform Security, Second Edition: Architecture, API Design, and
Implementation

James Gosling, Bill Joy, Guy Steele, Gilad Bracha

The Java™ Language Specification, Second Edition

Doug Lea
Concurrent Programming in Java™, Second Edition: Design Principles and Patterns

Rosanna Lee, Scott Seligman

JNDI API Tutorial and Reference: Building Directory-Enabled Java™ Applications

Sheng Liang
The Java™ Native Interface: Programmer's Guide and Specification

Tim Lindholm, Frank Yellin

The Java™ Virtual Machine Specification, Second Edition

Roger Riggs, Antero Taivalsaari, Mark VandenBrink

Programming Wireless Devices with the Java™ 2 Platform, Micro Edition

Henry Sowizral, Kevin Rushforth, Michael Deering

The Java 3D™ API Specification, Second Edition

Sun Microsystems, Inc.

Java™ Look and Feel Design Guidelines: Advanced Topics

Kathy Walrath, Mary Campione

The JFC Swing Tutorial: A Guide to Constructing GUIs

Seth White, Maydene Fisher, Rick Cattell, Graham Hamilton, Mark Hapner
JDBC™ API Tutorial and Reference, Second Edition: Universal Data Access for the
Java™ 2 Platform

Steve Wilson, Jeff Kesselman

Java™ Platform Performance: Strategies and Tactics

The Jini™ Technology Series

Eric Freeman, Susanne Hupfer, Ken Arnold

JavaSpaces™ Principles, Patterns, and Practice

The Java™ Series, Enterprise Edition

Stephanie Bodoff, Dale Green, Kim Haase, Eric Jendrock, Monica Pawlan, Beth
Stearns
The J2EE™ Tutorial

Rick Cattell, Jim Inscore, Enterprise Partners

J2EE™ Technology in Practice: Building Business Applications with the Java™ 2
Platform, Enterprise Edition

Mark Hapner, Rich Burridge, Rahul Sharma, Joseph Fialli, Kim Haase
Java™ Message Service API Tutorial and Reference: Messaging for the J2EE™
Platform

Inderjeet Singh, Beth Stearns, Mark Johnson, Enterprise Team

Designing Enterprise Applications with the Java™ 2 Platform, Enterprise Edition

Vlada Matena, Sanjeev Krishnan, Beth Stearns

Applying Enterprise JavaBeans™ 2.1, Second Edition: Component-Based
Development for the J2EE™ Platform

Bill Shannon, Mark Hapner, Vlada Matena, James Davidson, Eduardo Pelegri-
Llopart, Larry Cable, Enterprise Team
Java™ 2 Platform, Enterprise Edition: Platform and Component Specifications

Rahul Sharma, Beth Stearns, Tony Ng

J2EE™ Connector Architecture and Enterprise Application Integration
Preface

Inventing is a combination of brains and materials. The more brains you

use, the less material you need.

—Charles Kettering

The phrases "computer security," "network security," and "information security"

conjure up various notions and precepts to a given audience. Some people tend
to envision technical measures, such as cryptography, as the sole means by
which security is attained. Other people recognize the limitations of various
technical measures and treat them as tools that, when used in combination with
other technical measures, can accomplish the task at hand. The distinction is
subtle but important. The phrase "platform security" reflects a holistic view of
security, suggesting that the foundation is secure and can be relied on as is or
used as a secure subsystem to leverage when building larger systems. Building
a secure platform is a very difficult and exacting task that historically has been
accomplished only when security is a design requirement that is taken into
consideration at the onset. The idea that security can be "bolted on" has proved
frail and wrought with failure modes, which has led to a mulititude of security
breaches.

Java technology is possibly the only general-purpose secure computing platform

to become commercially successful. This would never have happened had the
designers not taken security seriously from the start. The security properties
of Java technology are many, and the Java platform builds on itself to create a
reliable and secure platform. The Java 2 security model would be impossible to
make trustworthy if it were not for the safety net provided by the Java language
itself. The Java language specifies the semantics to ensure type safety and
referential integrity and yet would fail miserably if it were not for the
enforcement and assurances the Java virtual machine provides. Thus, from
these various secure subsystems, we have created a greater whole.

The target audience of this book is varied. We believe this book will be a useful
resource to those seeking a general understanding of the security foundation
the Java 2 security architecture provides and relies on. The book should also
prove particularily useful to software practitioners building enterprise-class
applications that must meet varied security requirements, ranging from
authentication to authorization to information protection. This book provides
insight into some of the design trade-offs we made as we developed the platform
and the lessons we have learned as we continue to evolve and enhance the
platform. We provide guidance to those needing to customize the security model
for their specific purposes. We describe the inflection points we designed into
the platform to accommodate those rare but critical customizations. Most of
the aforementioned topics are targeted to system developers, yet we recognize
that security is not limited to the implementation of an application. Equally
important is the deployment of the application. For deployers, we supply
descriptions ranging from expressing security policy to hardening the
installation of the runtime environment.

This book does not explain to any level of detail the Java programming language.
We recommend the book by Arnold and Gosling [3] as a good starting point. Also,
we do not cover the various security APIs in their entirety, and thus we refer the
reader to the Java 2 SDK documentation.

How This Book Is Organized

The text of this book is organized to cater to its various audiences. The first two
chapters supply background information providing the basis for more specific
topics covered in subsequent chapters. The reader need not be proficient in the
Java language to understand these introductory chapters. Chapters 3 through
6 describe the Java 2 security architecture, starting with general concepts and
ending with comprehensive coverage of security policy enforcement. Chapters
7 through 11 are targeted toward the enterprise application developer, covering
topics ranging from trust establishment to cryptography and network security.
For these chapters, Java language proficiency is assumed. Chapter 12 is directly
targeted toward deployers, who should also read Chapter 8 for additional details
about trust establishment. It is our belief that deployers need not be proficient in
the Java language and that they can ignore the sections of Chapter 8 describing
APIs.
The content of each chapter of this book is as follows:

Chapter 1: A general background on computer, network, and

information security

Chapter 2: A review of the Java security models, starting with the

original sandbox and progressing to the fine-grained access control
model

Chapter 3: An in-depth look at the Java 2 security architecture, which is

policy driven and capable of enforcing fine-grained access controls

Chapter 4: Detailed coverage of class loading, including a description

of the class loader inheritance hierarchy and the runtime delegation
hierarchy

Chapter 5: An explanation of the security classes that supply the

foundation for the enforcement of security policy at runtime

Chapter 6: Thorough coverage of the policy enforcement classes and the

design of the Java 2 security architecture access control algorithm

Chapter 7: An explanation of the customization points provided for

systems programmers who need to enhance the core security
architecture

Chapter 8: An outline of the trust establishment capabilities and

mechanisms supplied by the security architecture

Chapter 9: A presentation of common pitfalls and defensive

programming strategies

Chapter 10: Comprehensive coverage of the cryptography-related APIs

Chapter 11: An operational overview of the APIs used to secure network

protocols, including those for authentication, confidentiality, and
integrity protection
 Chapter 12: A presentation of the deployment options that may be used
to securely deploy the Java runtime and Java technology-based
applications

Chapter 13: A look at the various Java technology platforms and a

glance toward the future of Java security

Acknowledgments
This project began as a casual conversation between Li Gong and me at the 2001
JavaOne conference in San Francisco. Prior to that conversation, Li had
transitioned from the role of chief security architect for the Java 2 security
development project to leading Project JXTA, whereas I had transitioned into
the lead security architect role for the Java 2 development team near the end
of the prior millennium. I mentioned to Li that the security architecture had
evolved to the point that the first edition was no longer current and thus not an
authoritative text.

Nearly two years later, the results of that conversation have come to fruition,
and I can confidently state that we have come a long way to reach our goal of
producing a book that thoroughly and accurately describes the Java 2 security
architecture. This clearly would not have been possible without Li's support, and
I am grateful for having had the opportunity to work with Li in the past and
especially on this project.

This book would probably be stuck in the starting blocks if it were not for the
guidance and gentle nudging of Lisa Friendly, Manager of Software Technical
Publications at Sun Microsystems. Lisa recognized early on that my commitment
to the project was absolute but that my copious free time, which was allotted to
this effort, fell between the hours of 10 P.M. and 2 A.M. Lisa quickly solved this
problem by engaging Mary Dageforde as technical editor. I am forever grateful.
Not only is Mary an excellent technical writer and editor who ended up writing
enough to get coauthor billing, but she can code too! Mary truly made this
project happen with her drive, dedication, and thoroughness. I cannot say
enough about Mary, so I will keep it brief. Thank you, Mary.

Tim Lindholm was also an early inspiration, and I appreciate his support in
helping me keep things in perspective. I also want to acknowledge the support
of my management—Larry Abrahams, Maxine Erlund, Sharon Liu, and Stephen
Pelletier—who understood how important this project was to me.

My peers in the Java security development team participated in this publication

in many ways, and I wish to acknowledge them for their content contributions,
insights, patience, camaraderie, constructive criticism, and most of all their
friendship. Thank you, Alan Bateman, Jean-Christophe Collet, Jaya Hangal,
Charlie Lai, Rosanna Lee, Jan Luehe, Seema Malkani, Ram Marti, Michael
McMahon, Sean Mullan, Jeff Nisewanger, Yu-Ching Peng, Chok Poh, Vincent
Ryan, Scott Seligman, Andreas Sterbenz, Mayank Upadhyay, Yingxian Wang, and
Brad Wetmore.

Being a part of the team that created something that has had such a significant
impact on computing is an honor not shared by many. The success of Java is
obviously a result of the high caliber of people who made it a reality. I have had
the luxury of working alongside many talented people, and I expressly want
to thank Lars Bak, Josh Bloch, Gilad Bracha, Zhiqun Chen, Steffen Garup, James
Gosling, Graham Hamilton, Mark Hapner, Stanley Ho, Peter Jones, Peter Kessler,
Tim Lindholm, Ron Monzillo, Hans Muller, Hemma Prafullchandra, Mark
Reinhold, Rene Schmidt, Bill Shannon, Bob Scheifler, Jim Waldo, and Ann
Wollrath for the great experience, mentoring, and technical challenges.

Few people realize the existence and close working relationship the Java security
development team at Sun Microsystems maintains with our peers in other
organizations. I specifically wish to acknowledge the team at IBM, including
Larry Koved, Marco Pistoia, Tony Nadalin, and Bruce Rich, who have been
instrumental in enhancing the feature set of the Java 2 security architecture.

As new technologies emerge, we have worked closely with security researchers

within Sun Labs to integrate and productize their output. I wish to acknowledge
Anne Anderson, Whitfield Diffie, Steve Hanna, Susan Landau, and Radia
Perlman for passing along best-in-breed security technology.

I also want to thank the many reviewers of this text and specifically recognize
Gilad Bracha, Matt Curtin, James Hoburg, Peter Jones, Charlie Lai, Brian Larkins,
Rosanna Lee, John Linn, Ram Marti, Doug Monroe, Sean Mullan, Shivaram
Mysore, Vincent Ryan, Bob Scheifler, Andreas Sterbenz, Brad Wetmore, and Phil
Yeater for the feedback they provided. I also wish to recognize Peter Jones and
Shivaram Mysore for their content contributions.

Thanks also to Alan Sommerer, the Sun Microsystems Manager of Technical

Publications for the Java platform, for his help in ushering this book to
publication.

Finally, I want to express my gratitude to the production team. I thank the copy
editor, Evelyn Pyle, and the production folks at Addison-Wesley for their support
and effort in getting this book off my laptop and into print. Thanks to Marcy
Barnes, Jacquelyn Doucette, Amy Fleischer, John Fuller, Mike Hendrickson,
Michael Mullen, and Ann Sellers. Also, I want to acknowledge Mary Darby and
Amy Girard from Duarte Design for their innate ability to take my graphically
challenged images and turn them into a thousand words.

Gary Ellison
San Mateo, California
March 2003

I am grateful to all past and current members of the Java Security and
Networking group at Sun, as well as contributors from all over the world, who
continue to strengthen Java's position as the premier computing platform in
these areas. I am in debt to Gary Ellison and Mary Dageforde for their
tremendous effort in producing this second edition which significantly expands
the coverage of the first.

Li Gong
Beijing, China

It has been a pleasure working with Gary Ellison on this book. I thank him for
his vision, dedication, encouragement, feedback, enormous effort in the face of
multiple competing responsibilities, and sense of humor. It has also been my
good fortune to work with Li Gong and members of the top-notch Java Security
and Networking team at Sun at various times throughout the past several years.
I thank them all. Thanks also to Lisa Friendly of Sun and Mike Hendrickson of
Addison-Wesley for their support and their roles in facilitating publication of
this book. Finally, I would like to thank the copy editor, the graphics designers,
and the very helpful production folks at Addison-Wesley.

Mary Dageforde
Santa Clara, California

About the Authors

Li Gong is Managing Director of Sun Microsystems' Engineering and Research
Institute in Beijing, China. Previously at Sun, he was engineering head of Java
Security and Networking, Java Embedded Servers, and JXTA. He obtained B.S.
and M.S. degrees from Tsinghua University, Beijing, and a Ph.D. from the
University of Cambridge. He is Associate Editor-in-Chief of IEEE Internet
Computing.

Gary Ellison is a Senior Staff Engineer at Sun Microsystems, where he designs

secure network computing platforms. His primary role is focused on aspects of
trust, security, and privacy. From 1999 through 2002, he led the architecture,
design, and implementation of the security and networking components in the
Java 2 Platform, Standard Edition. He holds a B.Sc. in Mathematics and Physical
Science from The Ohio State University.

Mary Dageforde is a freelance consultant who writes software documentation

for various Silicon Valley computer companies, including Sun Microsystems.
She has an M.S. in Computer Science from Stanford University and a software
design and development background encompassing compiler and interpreter
implementation, language design, and database management. Since 1990, she
has concentrated on documenting APIs, languages, tools, and systems. She
wrote the Security trail of The Java™ Tutorial Continued (Addison-Wesley, 1999).
Preface to the First Edition

Give me a lever and a fulcrum, and I can move the globe.

—Archimedes

Since Java technology's inception, and especially its public debut in the spring
of 1995, strong and growing interest has developed regarding the security of
the Java platform, as well as new security issues raised by the deployment of
Java technology. This level of attention to security is a fairly new phenomenon
in computing history. Most new computing technologies tend to ignore security
considerations when they emerge initially, and most are never made more
secure thereafter. Attempts made to do so typically are not very successful, as
it is now well known that retrofitting security is usually very difficult, if not
impossible, and often causes backward compatibility problems.

Thus it is extremely fortunate that when Java technology burst on the Internet
scene, security was one of its primary design goals. Its initial security model,
although very simplistic, served as a great starting place, an Archimedean
fulcrum. The engineering talents and strong management team at JavaSoft are
the lever; together they made Java's extensive security architecture a reality.

From a technology provider's point of view, security on the Java platform focuses
on two aspects. The first is to provide the Java platform, primarily through the
Java Development Kit, as a secure platform on which to run Java-enabled
applications in a secure fashion. The second is to provide security tools and
services implemented in the Java programming language that enable a wider
range of security-sensitive applications, for example, in the enterprise world.

I wrote this book with many purposes in mind. First, I wanted to equip the
reader with a brief but clear understanding of the overall picture of systems and
network security, especially in the context of the Internet environment within
which Java technology plays a central role, and how various security
technologies relate to each other.

Second, I wanted to provide a comprehensive description of the current security

architecture on the Java platform. This includes language features, platform
APIs, security policies, and their enforcement mechanisms. Whenever
appropriate, I discuss not only how a feature functions, but also why it is
designed in such a way and the alternative approaches that we—the Java
security development team at Sun Microsystems—examined and rejected. When
demonstrating the use of a class or its methods, I use real-world code examples
whenever appropriate. Some of these examples are synthesized from the Java 2
SDK code source tree.

Third, I sought to tell the reader about security deployment issues, both how an
individual or an enterprise manages security and how to customize, extend, and
enrich the existing security architecture.

Finally, I wanted to help developers avoid programming errors by discussing a

number of common mistakes and by providing tips for safe programming that
can be immediately applied to ongoing projects.

Acknowledgments for the First Edition

It is a cliche to say that writing a book is not possible without the help of many
others, but it is true. I am very grateful to Dick Neiss, my manager at JavaSoft,
who encouraged me to write the book and regularly checked on my progress. Lisa
Friendly, the Addison-Wesley Java series editor, helped by guiding me through
the writing process while maintaining a constant but "friendly" pressure. The
team at Addison-Wesley was tremendously helpful. I'd like particularly to thank
Mike Hendrickson, Katherine Kwack, Marina Lang, Laura Michaels, Marty
Rabinowitz, and Tracy Russ. They are always encouraging, kept faith in me, and
rescued me whenever I encountered obstacles.

This book is centered around JDK 1.2 security development, a project that lasted
fully two years, during which many people inside and outside of Sun
Microsystems contributed in one way or another to the design, implementation,
testing, and documentation of the final product. I would like to acknowledge
Dirk Balfanz, Bob Blakley, Josh Bloch, David Bowen, Gilad Bracha, David
Brownell, Eric Chu, David Connelly, Mary Dageforde, Drew Dean, Satya Dodda,
Michal Geva, Gadi Guy, Graham Hamilton, Mimi Hills, Ted Jucevic, Larry Koved,
Charlie Lai, Sheng Liang, Tim Lindholm, Jan Luehe, Gary McGraw, Marianne
Mueller, Tony Nadalin, Don Neal, Jeff Nisewanger, Yu-Ching Peng, Hemma
Prafullchandra, Benjamin Renaud, Roger Riggs, Jim Roskind, Nakul Saraiya,
Roland Schemers, Bill Shannon, Vijay Srinivasan, Tom van Vleck, Dan Wallach,
and Frank Yellin. I also appreciate the technical guidance from James Gosling
and Jim Mitchell, as well as management support from Dick Neiss, Jon
Kannegaard, and Alan Baratz. I have had the pleasure of chairing the Java
Security Advisory Council, and I thank the external members, Ed Felten, Peter
Neumann, Jerome Saltzer, Fred Schneider, and Michael Schroeder for their
participation and superb insights into all matters that relate to computer
security.

Isabel Cho, Lisa Friendly, Charlie Lai, Jan Luehe, Teresa Lunt, Laura Michaels,
Stephen Northcutt, Peter Neumann, and a number of anonymous reviewers
provided valuable comments on draft versions of this book.

G. H. Hardy once said that young men should prove theorems, while old men
should write books. It is now time to prove some more theorems.

Li Gong
Los Altos, California
June 1999
Chapter 1. Computer and Network
Security Fundamentals

The three golden rules to ensure computer security are: do not own a
computer; do not power it on; and do not use it.

—Robert (Bob) T. Morris

Security is all about ensuring that bad things do not happen. This deceptively
simple brief statement can in fact have very complicated interpretations.
Exploring them can help in understanding what security really means.

Certain rule-of-thumb principles apply to the concept of security in general.

Throughout this book, you will see that these heuristics apply equally well to
computer security. First, security is always related to utility. To ensure that bad
things do not happen, you can simply do nothing. For example, a car stored in a
garage cannot cause a traffic accident. But doing nothing with the car is clearly
not what is intended. The real goal is to ensure that bad things do not happen
but that good things do get done.

Second, security is relative to the threat that one considers. For example, the
effectiveness of your house's locked front door to prevent theft depends heavily
on the types of thieves against which you are guarding. Although the lock might
deter an amateur thief, it might not pose a problem for a sophisticated one
equipped with the right tools.

Third, security must be considered from an overall system point of view. A

system is only as secure as its weakest point. That is, it is not enough to secure
only the front door. A skilled thief will try to enter the house from all potentially
weak spots, especially those farthest away from where you have installed strong
locks. It is of little use to install a deadbolt on a screen door.

Fourth, security must be easy to accomplish. If it takes 30 minutes and great

effort to unlock a complicated lock, you will tend to leave the door unlocked.
Fifth, security must be affordable and cost-effective. For example, it clearly does
not make sense to install a lock that is worth more than the contents it is
guarding. This is made more difficult to gauge due to the fact that the value of
something is subjective.

Last, but not least, security measures must be as simple as possible to

comprehend because, as experience indicates, the more complex a system is, the
more error-prone it tends to be. It is better to have something that is simple and
trustworthy than something that is less dependable due to the complexity of
building a comprehensive system.

1.1 Cryptography versus Computer

Security
Before moving on to specific topics, we want to clarify that cryptography and
computer security are two distinct subjects. Cryptography is the art of encoding
information in a secret format such that only the intended recipient can access
the information. Cryptography can also be applied to supply proofs of
authenticity, integrity, and intent. The use of cryptography has progressed
extensively over a long period of time, ranging from the ancient Caesar cipher
to cipher machines widely used in World War II to modern cryptosystems
implemented with computer hardware and software.

Computer security is the application of measures that ensure that information

being processed, stored, or communicated is reliable and available to authorized
entities. Computer security first became an issue only in the 1960s, when
timesharing, multiuser computer operating systems, such as Cambridge's early
computing system [133] and MIT's Multics [110], were first built. After that, the
field of computer security remained relatively obscure for years, apart from a
brief active period in the mid-1970s [5, 51, 57, 116]. Security concerns then were
based mostly on military requirements. Commercial security did not become
fully mainstream until the Internet and electronic commerce (e-
commerce)—and Java technology in particular—took center stage in the 1990s.

Security mechanisms often can benefit from the use of cryptography, such as
when running a network-based user login protocol. However, they do not
necessarily depend on the use of cryptography, such as when implementing
UNIX-style access control on files.

Yet cryptography does not exist in a vacuum. Cryptographic algorithms are

usually implemented in software or hardware; thus, their correct operation
depends critically on whether there is an adequate level of system security. For
example, if lack of access control means that an attacker can modify the
software that implements the algorithm, the lack of security directly impacts
the utilization of cryptography.

1.2 Threats and Protection

In computer security literature, threats or attacks are usually classified into
three categories.

1. Secrecy attacks. The attacker attempts to steal confidential information,

such as passwords, medical records, electronic mail (e-mail) logs, and
payroll data. The methods of attack vary, from bribing a security guard to
exploiting a security hole in the system or a weakness in a cryptographic
algorithm.

2. Integrity attacks. The attacker attempts to alter parts of the system

illegally. For example, a bank employee modifies the deposit system to
transfer customer money into his own account, thus compromising
transaction integrity [96]. Or, a college student breaks into the college
administration system to raise her examination scores, thus
compromising data integrity. An attacker might also try to erase system
logs in order to hide his footprint.

3. Availability attacks. The attacker attempts to disrupt the normal

operation of a system. These are also commonly called denial-of-service
attacks. For example, bombarding a machine with a large number of IP
(Internet Protocol) packets can effectively isolate the machine from the
rest of the network. A cyberterrorist might attempt to bring down the
national power grid or cause traffic accidents by compromising the
 computer-operated control systems.

These three categories of attacks are intricately related; that is, the techniques
and results of attacks in one category can often be used to assist attacks in
another. For example, by compromising secrecy, an attacker could obtain
passwords and thus compromise integrity by gaining access to and then
modifying system resources, which in turn could lead to successful denial-of-
service attacks. When a system failure occurs during an attack, most systems
are not fail-safe—that is, they do not enter into a state that is deemed
secure—because they are not designed to do so [111]. For example, it has been
shown that a system crash sometimes leads to a core dump in a publicly readable
directory, where the core can contain sensitive information if the dump occurs
[1]
at the right time.

[1]
Of course, attacks can be viewed from other perspectives. For
example, there is widespread public concern about the privacy of the
unregulated and sometimes illegal collection and distribution of
personal data, such as birth dates and U.S. social security numbers.

Similarly, protection mechanisms against these types of attacks in general are

related. Roughly speaking, the mechanisms are for one or more of the following
purposes: attack prevention, detection, or recovery. Not all these purposes can be
fulfilled by the same mechanisms, as explained later in this chapter.

To protect data secrecy, you can store the data in an obscure place in the hope
that attackers will not find it. Or you can install strict access control procedures
to guard against unauthorized access. Or you can use encryption technology to
encrypt the data such that attackers cannot access real data unless they can steal
the encryption key or can break the cryptosystem, which could be extremely
difficult. Of course, multiple measures can be deployed at the same time. Note
that, for secrecy, the most important technique is prevention. A loss of data is
very difficult to detect, and lost data is impossible to recover.

To protect data integrity, you can use any or all the mechanisms mentioned
previously. However, in this case, detection is easier, and recovery is often
possible. For example, you could compute the hash value for a file x, using a
wellknown one-way function f(), and store f (x) separately. If x is then modified
to be x', f (x) very likely will not be equal to f (x'), according to the properties of f().
Thus, you can recompute the hash value and compare it with f (x). A mismatch
will indicate that integrity has been compromised. See Section 1.5.1 for more
information on one-way hash functions.

Of course, if the corresponding f (x) is also compromised, detection might not be

possible. If the place to store f (x) itself is not safe, you could use a keyed, oneway
hash function and store f (k, x) together with x. If k is kept secret, it will still be
difficult for attackers to modify x and the hash value in such a way as to avoid
detection [39, 83].

To be able to restore the data to its original form after an integrity compromise,
you can back up data and store the backup in a secure place [96]. Or you can use
more complicated distributed computing techniques to back up the data in an
insecure network [53, 98, 114, 118].

Guarding against an availability attack is more complicated. The reason is that

apart from applying the usual techniques of prevention and detection, surviving
such attacks becomes critical. Here, computer security meets the field of
faulttolerant computing. Some interesting research results in this combined
topic area, sometimes called dependable systems, are available. For further
reading, consult the papers and their citations at [24, 42, 99, 114].

1.3 Perimeter Defense

Because of the multitude of potential weaknesses and the essentially unlimited
number of attack scenarios, whereby each scenario can be a combination of
various attack techniques, securing an entire system can be daunting, especially
when the system includes multiple host machines connected via a network.
Because a system is only as secure as its weakest link, the security coverage must
be comprehensive. The task is further complicated by the fact that a system—for
example, the internal network deployed within a large enterprise—typically
consists of machines of numerous brands and types. These machines run
different operating systems and different application software and are
connected with routers and other networking gears from various vendors
offering differing features and capabilities. In such a heterogeneous and
evolving environment, examining the entire system and securing all its
components—if possible at all—takes a long time.

Faced with such a messy picture, it is no surprise that companies find it easier,
both psychologically and physically, simply to divide the world into two camps:
"us" and "them." "Us" includes all machines owned, operated, or, in general,
trusted by the concerned enterprise, whereas "them" includes all other
machines, which are potentially hostile and cannot be trusted. Once the border
is drawn, it is a matter of keeping "them" out and "us" in. Such a defensive
posture is often called perimeter defense.

One approach to constructing a perimeter defense is simply not to connect "us"

with "them." Indeed, some military installations and commercial entities have
internal networks that are entirely separated from a wider area network: the
Internet, for example. They might allow some isolated terminals or machines for
outside connections, but these special machines are usually guarded to prevent
their being connected to the internal network.

If the overall system contains machines scattered among physical or

geographical locations, leased lines or dedicated network connections can link
the sites to form a private network. If, however, the sites must communicate
through the open network, encryption can be deployed between every two
communicating sites so that they form a virtual private network (VPN). This
is depicted in the fictitious scenario in Figure 1.1, where, although all four
campuses are connected to the Internet, three sites (MIT, UT Austin, and UCLA)
have firewalls deployed and have also formed a VPN so that network traffic
among them is automatically protected from eavesdropping.
Discovering Diverse Content Through
Random Scribd Documents
“He is going to try and get across, by and by, in the invalid
chair. He is not up yet, and honestly I do not think he is fit
to leave his bed; but he says he must, and he will.”

“Poor man!” sighed Aunt Anne. “Oh, dear me, Mr Beck,

what a deal of—Isabel, my dear, don’t wait.”

“No, Aunt,” said the girl quietly; and then, to herself, “Papa
must have told Aunt Anne not to let me be along with Tom,
or she would not have spoken like that.”

Then aloud—

“Good-bye, Mr Beck;” and she held out her hand, which was
taken for a moment and then dropped, as she turned and
left the room.

The vicar’s son had hardly left the house an hour when Sir
Cheltnam rode over to make inquiries, and was leaving his
card, when Alison came into the hall and went out on the
steps to speak to him.

“Can’t ask you in,” said Alison. “The governor’s very bad.”

“Got a doctor down from London, haven’t you?”

“We’ve had one in consultation, but he has gone back.”

“But our doctor here is not attending him, for I met him,
and he was asking about it, and thought it rather strange
that he had not been sent for.”

“Humph! You see, my brother is attending him.”

“Oh!” ejaculated Sir Cheltnam. “Well, it’s no business of

mine, but if anything happened to the old man it wouldn’t
look well, and people would talk about it a good deal. I say,
isn’t your brother rather disposed to ride the high horse?”

Alison winced.

“What do you mean?” he said rather roughly. “Oh, nothing

much. A bit haughty with me, as if he did not approve of my
pretensions. Coming the elder brother a bit, and I’m getting
nervous as to what it is going to be now your father is
down.”

“Oh, it is only Neil’s way,” said Alison sulkily. “And you don’t
seem much better. If you came over to my place, I should
ask you in, and call a man to take your horse.”

“How can I ask you in at a time like this?” said Alison

apologetically.

“Easily enough, and take me into the drawing room. How is

Isabel?”

“Broken-hearted, nearly. This came about directly after the

governor had given Tom Beck his congé.”

“Then he had done that?”

“Yes; and the little girl’s a bit sore about it.”

“Cheerful for me!” said Sir Cheltnam.

“Bah! He’ll be off to sea directly, and she’ll soon forget him.”

“Then you think I had better not come in to-day? I’m off,
then. Wish the old man better. I’ll come on again to-morrow
to see how he is. I say, tell Isabel I called and was in great
trouble, and that sort of thing.”

“Oh, yes; all right,” growled Alison.

“Pleasant sort of a brother-in-law in prospective,” said Sir
Cheltnam to himself, as he cantered off.

“Takes it as a matter of course that he is to have her,”

muttered Alison. “I’m not so sure.”

He bit one of his nails and watched the visitor till he was out
of sight, and still stood at the foot of the steps frowning.

“Even he sees it,” he muttered. “I won’t stand any more of

his arbitrary ways. He is only a year older than I am, and
yet he is to lord it over me as if I were a child. Why should
he take the lead in everything? Is he to do so always? Not if
I know it. If all this means that a new king reigns in
Hightoft, it is not going to be brother Neil.”

Almost in perfect ignorance of what was going on

downstairs, Neil remained patiently watching by his father’s
side. Aunt and sister had both begged him to go and lie
down, insisting upon the fact that he would be quite
helpless at night, and that it was his duty, so as to be ready
to watch again, but he only smiled.

“My dear Aunt,” he said at last to that lady, who was greatly
agitated in his behalf, “a doctor grows used to watching by
his patient’s bedside, and gets little snatches of sleep which
refresh him. Believe me, I am not a bit tired.”

At that moment Isabel entered the room with a telegram.

“For you, Neil, dear,” she said.

“It has been opened.”

“Yes, dear, Alison opened it. He said it must be for him.”

Neil frowned, but said no more, and taking out the telegram
he read:

“The nurse leaves town this afternoon. Let a carriage

meet her at the station.

“Hayle.”

“Hah!” he said, passing the letter to his aunt. “I am glad of

that; it will set me free, and the help of a good nurse at a
time like this is invaluable.”

“But shall we be able to trust her?” said Aunt Anne. “My

experience of nurses is that they are dreadful women, who
drink and go to sleep in sickrooms, and the patient cannot
wake them, and dies for want of attention.”

“Oh, Aunt!” cried Isabel.

“I am assured that it is quite true, my dear,” said Aunt

Anne, didactically.

“I think we have changed all that, Aunt, dear,” said Neil,

smiling. “Sir Denton would not send down any woman who
is not thoroughly trustworthy.”

Aunt Anne pursed up her lips, and tried to look wise and full
of experience—a difficult task for a lady with her plump,
dimpled countenance.

“Well, my dear,” she said, “I hope so; but it always seems to

me that the selection of an attendant for a sick man is a
lady’s duty, and I cannot believe in the choice made by a
man, and such an old man too. But there, we shall see.”

“Yes, Aunt, dear,” said Neil, smiling, “we shall see.”

Aunt Anne was left in charge of the patient, very much to
her satisfaction, so that Neil could go down with Isabel for a
rest and a little fresh air.

As they reached the hall they met Alison, who came up

directly.

“Oh, Neil,” he said, “I opened that telegram thinking it

might be meant for me.”

“Yes,” said his brother. “I heard that you did.”

“Quite a mistake I hope you don’t mind.”

“I have other things to take my attention,” replied Neil.

“Come, Isabel, let’s have a walk up and down in the fresh
air. I can’t stay long.”

He led the way out on to the drive, and, after hesitating for
a few moments, Alison followed, frowning, just as the sound
of horses’ hoofs was heard, and Saxa and Dana Lydon rode
up.

“Well, how’s the dad?” cried Saxa boisterously. “Going on all

right? Glad of it. You boys are making too much fuss over it.
Nature soon cures a fall. It isn’t like a disease, is it,
Doctor?”

“It’s of no use to ask him,” said Dana merrily. “He’ll pull a

professional face, and make the worst of it, and then by and
by, rub his hands and say, ‘There; see what a clever fellow I
am.’”

“Yes,” said Saxa maliciously, “when I could have set him

right with some embrocation and a bit of flannel bandage.”
“Glad the old man’s better,” cried Dana. “Here, you people
look white and worried. Order out the horses and come for
an hour’s ride.”

“Would you like to go, Isabel?” asked Neil.

“I? Oh, no,” cried the girl hurriedly.

“What a baby you are, Bel!” said Saxa contemptuously.

“You’ll come, Neil?”

“I should like a ride,” he replied, “but it is impossible to

leave home.”

“Next time I ask you there will be a different answer,” said

the girl sharply. “Don’t ask Alison, Dan,” she continued,
turning to her sister. “He is going to be a good boy too, and
stop and see his papa take his barley-water.”

“Is he?” said Alison gruffly. “Perhaps he was not going to

wait to be asked. There is no occasion for me to hang about
at home, Neil?”

“N-no, I think not. You can do nothing.”

“I’ll be ready in five minutes, then, girls.”

“Here, we’ll come round to the stables with you,” said Saxa.
“I want to see The Don. Is he any the worse for his fall?”

She said this as she rode on beside Alison, her sister

following, without any further notice of Neil and his sister,
while the former stood looking after her, frowning.

“And I thought of marrying that hoyden!” he said to himself.

“It is impossible. We have not a sympathy in common.”
Then the thought of his father’s expressed wishes came
back, and of his lying there helpless. He had made no
opposition when the matter had been spoken of last. How
could he draw back now?

His heart sank low as he looked into the future with a kind
of wonder as to what his future life would be bound up to a
woman like that, and a feeling of anger rose within him at
his weakness in letting the affair drift on so far.

“It is impossible,” he thought. “She does not care for me. It

would be madness—a sin against her and against myself.
Yes!” he said aloud with a start, for Isabel had laid her hand
upon his arm.

“There is something the matter,” she said quickly.

Neil turned to hurry into the house, but his sister held him
fast.

“No, no, dear. Tom is coming. Mr Beck must be worse.”

Neil looked in the direction taken by her eyes, and saw that
the young lieutenant was striding rapidly toward them,
coming by the short cut across the park, and now, seeing
that he was observed, he waved his hand.

“Go in, Isabel,” said Neil quietly.

“Neil!”

“I wish it, my dear. After what has passed, you have no

right to see him now.”

She gave him a tearful look, and went in with her head bent
down to hide her face from anyone who might be at the
windows.
The next minute the young sailor hurried up.

“You have sent her in, Neil,” he said reproachfully.

“Yes; why have you come back so soon? Anything wrong?”

“Yes,” said the young man hoarsely.

“Your father? I’ll come on.”

“No, no. Read that.”

He thrust a telegram into Neil’s hand, which read: “To join

your ship at once. Imperative!”

“Yes; and I cannot go with matters like this,” cried Beck.

“But you must. Your position as an officer is at stake.”

“I can’t help it. Neil Elthorne, put yourself in my place. How

can I go and leave Isabel at such a time?”

“What good could you do if you stayed?”

“It would help her. She would know I was near. I can’t go
and leave her knowing what I do about that fellow
Burwood.”

Neil looked at him fixedly for a few moments. “Don’t play

the boy,” he said at last sternly.

“No; I am going to play the man,” cried Beck. “Isabel and I

have been girl and boy together, and our affection has
gradually strengthened till I know that she loves me as well
as I love her.”

“Yes, perhaps so, my lad, but you heard her father’s

decision, and you can do no more.”
“Yes; I heard his decision,” said the young sailor sturdily,
“and I am not going to stand by and see her given up to
that man! Why, Neil, it would kill her.”

“Look here, Tom, my good fellow, you must be sensible. It

would be no kindness to my sister to let her feel that she
had ruined your prospects.”

“It would not ruin my prospects,” said Beck sturdily. “I’m a

good sailor, and if I lose my ship I can always get
employment in the merchant service.”

“Of course you could, but neither Isabel nor I are going to
let you degrade yourself. My father is dangerously ill, and
nothing such as you fear can advance a step for months to
come, so join your ship like a man, and show that you have
faith in the girl you believe to love you.”

“If I only could think—” began Beck.

“Look here, Tom. I think you have some faith in me.”

“In you? My dear Neil,” cried the young sailor warmly, “if
ever fellow looked upon another man as a brother, I do
upon you. Why, you know that.”

“Yes, I know that,” said Neil, taking his arm and walking up
and down the drive with him, “and I am going always to
behave like a brother to you. Go and join your ship.”

“But Isabel?”

“Leave me to act for you over that matter as a brother

would. For both your sakes I will do what is best.”

“But Burwood?”
“I don’t like Burwood, and I do like you,” said Neil, smiling.
“Come, will not that satisfy you?”

“Almost. You will fight for me, then, Neil?”

“I don’t think that there will be any occasion to fight for

you. I think time is on your side. Lieutenant Beck’s chance
was very small with my father; but suppose one Captain
Beck, a young officer who had distinguished himself by his
seamanship in Her Majesty’s service, came and renewed his
proposal for my sister’s hand, surely he would have a better
chance of success.”

“Neil, old fellow,” cried Beck, facing round and grasping the
young surgeon’s hand, “I don’t wonder that you are getting
to be a big fellow at your hospital.”

“Nonsense! Who says I am?”

“Oh, I’ve heard. I wish I were as clever as you are. I came

here feeling so bad that life didn’t seem worth living, and in
a few minutes you’ve shown things to me in such a different
light that—”

“You think it is worth living and sharing with someone else,”

cried Neil.

“My dear old fellow,” cried the sailor, with tears in his eyes.

“And you will go off like a man and join your ship?”

“Yes,” cried Beck, grasping his friend’s hand, and speaking

firmly, “like a man.”

“And you go at once?”

“Directly. Now take me in, and let me say good-bye to her.”

“No,” said Neil firmly.

“What? After my promise?”

“After your promise. I have a duty to my helpless father,

Tom, my lad, and I should be playing a very dishonourable
part if I took advantage of his position, knowing what I do
of his wishes, to arrange a meeting between you and my
sister. That was a love-sick boy speaking, not the Queen’s
officer—the man whose honour is beyond reproach.”

“I suppose you are right,” said Beck, after a pause. “You

know I am.”

“Let me see her for a moment, though.”

“No.”

“I know you are right—just to say ‘good-bye’ before you—

just to touch her hand.”

“No, my lad. Say good-bye to me, and I’ll tell her you love
her truly, and that you have gone off to your duty like a
man—an officer and a gentleman. That you have exacted no
promise from her, and that you have taken the advice of her
brother—a man who loves you both and will help you to the
end. There, I must go back to my father’s room. Good-bye.”

“O Neil,” groaned the young sailor; “this is all so hard and

business-like. Everything goes easily for you. You don’t
know what love is.”

A spasm contracted Neil’s features for a few moments, but

he smiled sadly directly after.

“Perhaps not,” he said. “Who knows? There, business-like or

not, you know I am doing my duty and you have to do
yours. Come, sailor, I shall begin to quote Shakespeare to
you. ‘Aboard, for shame; the wind sits in the shoulder of
your sail, and you are staid for.’”

“But it is so hard, Neil.”

“Life’s duties are hard, man; but we men must do them at

any cost. Come, good-bye, and old Shakespeare again—the
end of the old man’s speech: ‘To thine own self be true’—
and you will be true to the girl you wish to make your wife.
Good-bye.”

Neil held out his hand, but it remained untouched for the
full space of a minute before it was seized and crushed
heavily between two nervous sets of fingers, while the
young man’s eyes gazed fixedly in his. Then it was dashed
aside. Beck swung himself round and dashed off across the
park as hard as he could go, without trusting himself to look
back.
 Chapter Eight.
Conflicting Emotions.

“Poor fellow!” said Neil to himself; “and the dad prefers that
hunting, racing baronet to him for a son-in-law! Why it
would break little Bel’s heart.”

He stood watching till Beck passed in among the trees,

expecting to the last to see him turn and wave his hand.

“No; gone,” he said. “Well, I must fight their battle—when

the time comes—but it is quite another battle now.”

As he thought this he heard the clattering of hoofs, and

hastened his steps so as to get indoors before his brother
rode out of the stable yard with the Lydon sisters, and a
guilty feeling sent the blood into his pale cheeks. But he did
not check his steps; he rather hastened them.

“They don’t want to see me again,” he muttered; and then,

“Oh, what a miserable, contemptible coward I am;
preaching to that young fellow about his duty, and here I
am, the next minute, deceiving myself and utterly wanting
in strength to do mine. I ought to go out and say good-bye
to Saxa, and I will.”

He stopped and turned to go, but a hand was laid upon his
arm, and, as he faced round, it was to see a little white
appealing face turned up to his, and as he passed his arm
round his sister’s waist the horses’ hoofs crushed the gravel
by the door, passed on, and the sound grew more faint.

“Neil, dear; Tom has gone. Is his father very ill?”

These words brought the young surgeon back to the
troubles of others in place of his own.

“No, dear; he is no worse. It was not that,” he said hastily.

“What was it, then? Oh, Neil, dear, you hurt me. You are
keeping something back.”

“I am not going to keep anything back, little sis,” he said

tenderly. “Come in here.”

He led her into the drawing room and closed the door, while
she clung to him, searching his eyes with her own wistful
gaze, as her lips trembled.

“Now, dear, pray tell me. Why did Tom come?”

“He had bad news, dear.”

“About his ship?” cried the girl wildly.

“Yes.”

“O Neil! It was about going back to sea!”

Neil nodded, and drew her more closely to him, but she
resisted. His embrace seemed to stifle her; she could hardly
breathe.

“You are cruel to me,” she panted. “But I know,” she cried
half hysterically; “he has to go soon.”

“He has to do his duty as a Queen’s officer, Isabel, dear, and

you must be firm.”

“Yes, yes, dear, of course,” she cried, struggling hard the

while to master her emotion. “I will, indeed, try—to be calm
—and patient. But tell me; he has had a message about
rejoining his ship?”

“Yes, dear.”

“And he is to go soon?”

Neil was silent.

“Neil, pray speak,” she sobbed.

“Yes, my child. He brought a telegram.”

“A despatch,” she said, correcting him.

“No, dear—a telegram.”

“Then—then—it means—something sudden—for them to

telegraph. I can bear it, now, dear. How soon is he to go?”

“Isabel, my child, will you trust in me to help you to do

what is best?” said Neil tenderly.

“Yes, Neil, dear; of course, I want to do what is right, and

you will help me.”

“I will, dear, with all my strength. You know that Tom has
his duty to do, like the rest of us, and you have yours to our
poor father.”

“Yes, Neil, of course, and you know I try.”

“My darling, yes,” he cried, as he kissed the pale cheeks wet

now with tears.

“Then tell me. I must know. When is Tom to go?”

“Isabel, your father forbade all engagement with him, and I
have talked to Tom Beck as I thought was best for both of
you. Come, you must act like a brave little woman and help
me. We have both got our duty to do now at a very sad
time. You will help me and try to be firm?”

“Yes—yes,” she whispered hoarsely, “but—but—Neil—tell me

—when is he to go?”

“Isabel, dear, it was his duty as an officer and as an

honourable man.”

“Yes,” she whispered in a strangely low tone. “Tom would do

his duty always, I know—now—you are keeping something
back. I can see it,” she cried, growing more excited and
struggling in his arms. “I know now—and without bidding
me good-bye. Neil, you have sent him away; he is gone!”

Neil bent his head sadly, and she literally snatched herself
away.

“And you call yourself my brother!” she cried passionately.

“You say you taught him his duty; and, after all he has said
to me, to make him go without one word. Oh, it is cruel—it
is cruel. What have I done that you should treat me so?”

“Isabel, dear, you promised me that you would be firm.”

“How can a woman be firm at a time like this? But I know;

you could not be so cruel. He is coming back just to see me
and say good-bye.”

“He has gone, Isabel.”

“Without a single word or look?”

She gazed at him as if dazed, and unable to believe his
words. Then uttering a low, piteous cry, she sank helpless
across his arms, her eyes closed, and for hours she lay for
the most part unconscious, only awakening from time to
time to burst into a passion of hysterical weeping as her
senses returned.

“Duty is hard—very hard,” said Neil through his set teeth, as

he divided his time between his father’s and his sister’s
chambers, where Aunt Anne sat sobbing and bewailing their
fate. Alison had returned at dusk, and partaken of the
dinner alone, to go afterward to his little study, where he
sat and scowled and smoked.

The carriage had been sent to the station in accordance

with Sir Denton’s request, and then forgotten by all in the
house, and the night was going on apace.

Neil had just left his sister’s room and gone back to his
father’s to find him hot and feverish to an extent which
rather troubled him, and once more made him long for the
friendly counsel and advice of a colleague.

But his sound common sense gave him the help he needed,
and after administering medicine he became satisfied with
the result and sat by the bedside thinking of the stern duty
he had to fulfill.

“I judge Saxa too hardly,” he said to himself. “I do not go

the way to make her care for me, and it is no wonder that
she should be piqued by my indifference. I’ll try and alter it,
for all that other is a foolish dream, and due to my low
nervous state. I’ll turn over a new leaf to-morrow, and see
what can be done. It would help him in his recovery if he
knew that his dearest wishes were bearing fruit; and if I
satisfy him over that, he will yield to mine about poor little
Isabel. She will not be so hard to-morrow when her sorrow
is being softened down. For I did right, and I’ll do right
about Saxa, poor girl! I was quite rude to her to-day. I’ll
ride over to-morrow and fetch her to see him. He likes her
as much as he does Isabel. There, I think I am getting
things into train for the beginning of a new life, and— What
is it?”

“The carriage back from the station, my dear,” whispered

Aunt Anne. “The new nurse is in the hall. Will you come
down and speak to her at once?”

“Yes, Aunt. Thank Heaven, she has come.”

He hurried out of the room and down the stairs to where, in

the dim light, a tall cloaked figure stood by her humble-
looking luggage. And as he went he had made up in his
mind the words he would say to her about getting some
refreshment at once and joining him in the sick chamber,
where a bed had been made up in the dressing room for her
use.

But Neil Elthorne did not speak the words he had meant to
say, for, as the visitor turned at his step, he stopped short
with the blood rushing to his brain, and a strange sensation
of vertigo attacking him as he faltered out:

“Good Heavens! Nurse Elisia! Has he sent you?”

 Chapter Nine.
Off to Hightoft.

“There, you are better now.”

“No, I’m not.”

“Yes, indeed you are. This has nothing to do with the

operation, I assure you.”

“Then, pray, what is it?” This question very sharply, and the
patient moved in her bed in a way that showed very little
feebleness.

“Simply hysteria.”

“What! Sterricks?”

“Yes, a form of hysterics.”

“There!” cried the patient, with a triumphant tone in her

voice. “I knew you didn’t know nothing about it. I never had
sterricks in my life.”

“Because you have always been a woman in a vigorous

state of health. Latterly you have been brought down rather
low.”

“’Taint that,” said the woman sharply, “it’s what’s done to

me here, and the shameful neglect. It’s horrid; I’m half
killed, and then Mr Neil goes away and leaves me to that
horrible old man, and as soon as Mr Neil’s gone, the other
leaves me to die.”
“I am afraid you are a very foolish woman,” said the nurse
quietly. “I can assure you that you are getting well fast.”

“Oh, yes, I know. And you are as bad as they are. It’s
shameful!”

“You have been working yourself up to think you are being

neglected, but your troubles are imaginary.”

“Oh, yes, I know,” cried the woman angrily.

“Pray try and be reasonable,” said the nurse, speaking in a

voice full of patient resignation.

“Go on, pray, ma’am. You’ve all got me down here and are
trampling on me. I’m unreasonable now, am I?”

“I am afraid you are a little,” said the nurse, smiling as she

rearranged the bedclothes. “Mr Elthorne went away because
he was worn out with attending the poor people here, and
Sir Denton was telegraphed for to attend some unfortunate
gentleman who had met with an accident.”

“Then he oughtn’t to have gone,” cried the woman loudly.

“Pray, hush,” said the nurse. “You are hurting yourself and
upsetting the other patients.”

“And I say he’d no right to go. My life’s as much

consequence as anybody else’s life, and it’s a shameful
piece of neglect. Oh, if I do live to get away from this ’ateful
place, I’ll let some of you know. I’m to be left to die
because the doctors are too idle to come and see me. If I’d
only known, you’d never caught me here.”

“Hush, hush! Pray be quiet, dear. You are making yourself

hot and feverish.”
The nurse laid her cool white hand upon the patient’s brow,
but she resented it and thrust it away. “Let me be. I don’t
want holding down. It’s shameful. It’s cruel. Oh, why did I
come to this dreadful place? As for that Sir Denton, or
whatever his name is—”

“What about him? Do you want me?” said the gentleman in

question, who had come into the ward and up to the bed
unnoticed. “How are you this morning?—Ah, better.”

“No, I’m not, I’m worse, and it’s shameful.”

“What is?” said the surgeon, smiling.

“For me to be neglected by the doctors and nurses as I am.

It’s too bad, it is; and I might have died—no doctor, no
nurse.”

“Ah, yes; it is very cruel,” said Sir Denton. “I have

shamefully neglected my patients here, and as for the
conduct of Nurse Elisia to you, it is almost criminal. You will
have to go back home to your own people and be properly
treated. Dreadful places, these hospitals are.”

Nurse Elisia looked up at the old surgeon with wondering

eyes, as he took the woman’s own tone, but he smiled at
her sadly.

“Come with me, I want to talk to you. Poor thing,” he said,

as they walked away, “she is in the irritable, weary state of
the convalescent. She is not answerable for what she says.
Sorry I was obliged to go, but the case was urgent. Mr
Elthorne’s father. A terrible accident. The spine injured, and
paralysis of the lower part of the body.”

“Mr Elthorne’s father!” cried the nurse, turning pale. “How

shocking!”
“Terrible. Mr Elthorne telegraphed for me. It was not
necessary, for he was doing everything possible, and now it
is a case of careful nursing to save the poor fellow’s life.”

“Nursing?”

“Yes. I have promised Mr Elthorne to send him down the

most helpful, trustworthy nurse I knew, at once.”

“Sir Denton,” faltered the nurse, with a faint colour rising in

her cheeks.

“It is an exceptional ease, my child, one which calls for all a

nurse’s skill and tenderness with, perhaps, as much
patience as I have seen you exercise toward that foolish
woman. I am going to ask you to start at once for Hightoft,
and take up this case.”

“Sir Denton!” she cried. “Oh! it is impossible.”

“Why?”

“My patients here.”

“Your place can be filled, just as it would be necessary to fill

it if you were taken ill.”

“But I am not ill, Sir Denton, and I am needed here.”

“But you are needed there—at this gentleman’s house,

where the services of a patient lady like yourself would be
invaluable.”

“I could not go, Sir Denton; I beg you will not send me.”

“It is in a lovely part of the country. It is a charming place,

and I can guarantee for you that the ladies will receive you
as their equal—perhaps as their superior,” he added with a
meaning smile, which made her look slightly resentful.

“Really, Sir Denton,” she began.

“Forgive me,” he said. “It was a slip. I have no wish to pry

into your private life, Nurse Elisia. I am only thankful to
have the help and co-operation of a refined woman in my
sad cases here.”

“Thank you, Sir Denton, but you must excuse me from this.”

“I cannot,” he said firmly, “for I feel that it is your duty to

go. I have no hesitation in saying that it is absolutely
necessary for you to have a change, even if you do not have
rest, but you will be able to combine both there.”

“Pray send someone else, Sir Denton.”

“I know nobody whom I could trust as I would you, Nurse

Elisia,” he replied quietly, “and I am quite sure that there is
no one in whom Mr Elthorne would have so much
confidence.”

He noted the change in the nurse’s mobile countenance as

he went on speaking in his quiet way, for she was evidently
agitated and trying hard to conceal it.

“You see it would be so advantageous,” he continued. “After

a few days you could set Mr Elthorne at liberty to come
back here. Of course, as you know, the case is one which
needs almost wholly a careful nurse’s skill. How soon will
you be free to go?”

Like lightning the thoughts flashed through her brain of the

position she would occupy. It was like throwing her
constantly in Neil Elthorne’s society, and she shrank from
the position almost with horror. For, of late there had been
no disguising from herself the fact that the young surgeon
had, in his quiet way, been more than courteous to her, and
that his manner betokened a something, which on his side
was fast ripening into admiration.

“It is impossible,” she thought. “It would be cruelty to him,

for he is sincere and manly. No, I cannot go. It would be a
crime. Sir Denton,” she said hastily, aloud. “You must
excuse me from this duty. I cannot go.”

“No,” he said firmly, and he took her hand. “I cannot, I will

not excuse you. Once more I tell you that you ought to go;
it is your duty.”

“But why?” she cried, rather excitedly.

“Because you—evidently a lady of gentle birth—have set

yourself the task of toiling for your suffering fellow-
creatures. Here is one who may die if you do not go to his
help.”

“But another would be as efficient.”

“I do not know one at the present moment whom I would

trust as I would you; and in addition, the call comes at a
time when it is imperative that you should have rest and
change.”

“But,” she said, with a smile full of perplexity, “that would

not be rest and change.”

“Can you not trust me to advise you for your good?” said
Sir Denton gravely.

“Oh, yes, but—”

“That ‘but’ again. Come, nurse, I think you believe that I
take great interest in you.”

“Oh, yes, Sir Denton,” she said eagerly.

“Then trust me in this. Take my advice. More—oblige me by

going. I am surgeon here, and you are nurse, but it has
seemed to me, for some time past, that we have had a
closer intimacy—that of friends. Come, you will oblige me?”

“It is your wish then, that I should go?”

“Indeed, yes. When will you be ready to start?”

“At once.”

“That is good. Then I will telegraph down, so that a carriage

may be in waiting for you at the station. I am sure that Mr
Elthorne will see that you have every comfort and attention.
Good-morning. Thanks.”

Nurse Elisia stood by the door of the ward, watching the

retiring figure of the old surgeon as he passed down the
corridor.

“Is it not weak to have given way?” she said to herself.

“Perhaps not in such a case as this. Mr Elthorne will see that
I have every comfort and attention,” she said softly. “Mr
Elthorne must be taught that I am the hospital nurse, sent
down there for a special purpose. Mr Elthorne is weak, and
given to follies such as I should not have suspected in so
wise and able a man.”

She stood hesitating for a few moments looking toward

where Maria Bell lay, evidently watching her attentively, and
her first impulse was to cross to the woman and to tell her
that she would be handed over now to the charge of
another nurse; but, reconsidering the matter, she decided
merely to tell the next nurse in authority that she must take
full charge of the ward, and going down to the matron, she
stated that she would be absent for a time. That evening
she was being hurried down by a fast train, to reach the
station within a few minutes of the appointed time, and she
had scarcely stepped on to the platform when a man’s voice
made her start with dread lest it should be Neil.

“The nurse for Hightoft?” said the voice; and as she turned
she found that it was only a servant.

“Yes, I am the nurse,” she replied.

“Well, here’s a carriage for you. Any luggage?”

The man’s voice was sharp, and wanting in respect, the

ordering of the carriage for a long night drive having found
little favour with coachman and footman.

“That little black bag, that is all,” said the nurse quietly.

“Don’t mean to stay long, then,” said the man with a laugh,
as he took the little travelling bag, and swung it up on to
the foot-board, while the nurse stood patiently waiting, and
without resenting the man’s insolence and indifference as
he entered into a conversation with the coachman before
turning and, stepping back, stared hard at the calm, refined
face dimly seen by the feeble station lamps.

“Will you have the goodness to open the carriage door?”

“Eh? Open the door? Of course. Just going to,” said the
footman cavalierly, as he snatched open the door and
rattled down the steps.
He held out his hand, but she stepped in without his
assistance, the door was banged sharply to, and the handle
took some time to turn, as the man stared in at the visitor,
who quietly drew up the window and sank back in her seat.

“Gives herself airs, does she!” said the footman to himself.

“How fond people who have never been in a carriage before
are of making believe they are used to one. Can’t cheat me,
my lady. Bet a shilling she has never been in anything
better than a cab or a station-fly before in her life.”

“What are you grumbling about?” said the coachman, as his

fellow-servant climbed up to his side.

“Nothing, only thinking aloud about her ladyship inside. Got

in with a reg’lar toss of her head. There, hit ’em up, Tom,
and let’s get back. I don’t want to be on this job all night.”

“Regular nurse, arn’t she?” said the coachman. “Horspittle?”

“Yes, I suppose so. Dressed up like a nun out for a holiday.

Why couldn’t they have had a nurse out of the village, or
your wife?”

“Ah! Why indeed?” said the coachman sourly. “’Fraid poor

people should make a few shillings too much, I suppose. It’s
just the same if one of the horses is bad; we must have the
vet to see him, when I could put him right in a week. It’s
having the name does it with some people. Horspittle nurse!
A deal, I dare say, she knows.”

The ill-usage to which he and his fellow-servants were

called upon to submit claimed both their tongues during the
long, dark drive to Hightoft, while Nurse Elisia sat back in
the carriage, dreamy and thoughtful, watching the lights of
the lamps thrown upon hedgerow and tree as the good pair
of horses trotted swiftly back.
Welcome to our website – the ideal destination for book lovers and
knowledge seekers. With a mission to inspire endlessly, we offer a
vast collection of books, ranging from classic literary works to
specialized publications, self-development books, and children's
literature. Each book is a new journey of discovery, expanding
knowledge and enriching the soul of the reade

Our website is not just a platform for buying books, but a bridge
connecting readers to the timeless values of culture and wisdom. With
an elegant, user-friendly interface and an intelligent search system,
we are committed to providing a quick and convenient shopping
experience. Additionally, our special promotions and home delivery
services ensure that you save time and fully enjoy the joy of reading.

Let us accompany you on the journey of exploring knowledge and

personal growth!

ebookname.com