jsse api university of palestine eng. wisam zaqoot april 2010
TRANSCRIPT
JSSE APIJSSE API
University of Palestine Eng. Wisam ZaqootApril 2010
Secure Sockets Layer (SSL)
Secure Sockets Layer (SSL) Invented by Netscape and made public domain
for everyone’s use An additional layer to the TCP/IP stack that sits
between the Application and Transport layers ensures that all application data is encrypted but TCP/IP
headers are not usually run on port 443 (default HTTPS port)
Digital Certificates
Digital Certificates issued by a trusted disinterested third party (ex.
VeriSign) the Certificate contains the public-key for the
specific Web Server and a digital signature of the certifying authority
Secure Sockets Layer (SSL)
Once a secure session is established the source requests the destinations certificate ( sent in the http header (unencrypted))
once the source accepts the authenticity of the certificate it uses the public-key from the certificate to encrypt the generated session key for protecting the conversation between the source and destination.
its done this way to speed up overall communications, strong encryption (slow) is used as little as possible while weaker encryption is used for most exchanges
actual cipher algorithms are negotiated on a per-session basis
Security packages in Java
Separate packages that are included as part of JDK: JCE - Java Cryptography classes JAAS - Java Authentication and Authorization
Services Java GSS API - Java Generic Security Services API Java Certification Path API JSSE - Java Secure Sockets Extension
JCE
JCE covers encryption and decryption
symmetric bulk encryption, such as DES, RC2, and IDEA
Symmetric stream encryption, such as RC4 Asymmetric encryption, such as RSA Password-based encryption (PBE)
key agreement Message Authentication Code (MAC)
JAAS
JAAS provides for the authentication of users and the authorization of tasks based upon that authentication
Previously, anyone authenticated had access to the same security restrictions. Now, you can control what tasks are available for a specific authenticated user
requires modification of security policies
Java GSS-API
adds Kerberos V5 support to the Java platform. Kerberos originated at the Massachusetts Institute
of Technology (MIT) as project Athena back in 1987. Essentially, a network authentication protocol.
Defined in RFC 1510 from 1993 biggest draw is not having to send passwords over the net. offers single sign-on within one domain -- if everything
within the domain has been Kerberos-enabled. support is also provided for single sign-on across different
security realms over a network. Used in conjunction with JAAS, once a user's identity is
established, future authentication requests are no longer necessary.
Java Certification Path API Certification Path API provides classes for building and validating certificate
chains, an important requirement of a Public Key Infrastructure (PKI). These certificates provide for the storage of security keys for users. By
trusting the issuer of a certificate that holds the keys, and trusting the issuer of the certificate that trusts the original certificate, you establish chains of trust
Building and validating certification paths is an important part of many standard security protocols, such as SSL/TLS, Secure/MIME (S/MIME), and IP Security (IPsec).
certification path from a most-trusted CA to the target subject (Ali)
JSSE
Provides support for communications using SSL (Secure Sockets Layer)
and TLS (Transport Layer Security)
commonly thought of as HTTPS
part of javax.net
SSL (and thus HTTPS) permits encrypted traffic to be exchanged between
the client and server. After an SSL client initiates a conversation with an SSL server, the server sends an X.509
certificate back to the client for authentication. The client then checks the validity of the
certificate. Assuming the server is verified, the client generates a session secret key. After
some basic handshaking, the encrypted exchange can commence.
The JSSE library hides these inner workings of the SSL protocol from you.
JSSE API
JSSE API JSSE encompasses many of the same concepts and algorithms as
those in JCE but automatically applies them underneath a simple stream socket API.
JSSE includes many important features. For example: it is implemented in 100% Pure Java. It provides API support and an implementation for TLS version 1.0 and
some SSL versions. I It includes classes that can be instantiated to create secure channels
(SSLSocket and SSLServerSocket). It provides support for Hypertext Transfer Protocol (HTTP) encapsulated
in the SSL protocol (HTTPS), which allows access to data such as web pages using HTTPS.
It provides support for several cryptographic algorithms commonly used, including, RSA, DES, Triple DES and many others, with the ability that third parties provide additional cryptographic algorithms.
JSSE API includes factories for creating sockets, server sockets, SSL sockets, and SSL server sockets. Using socket factories you can encapsulate socket creation and configuration behavior.
keytool
keytool – command line utility organizes key material into keystores one keystore file for each entity initially keystore contains the public/private
key pair and a self-signed certificate allows storage of trusted certificate entries and
trusted certificate chains
Simple JSSE example
Next, we will see a simple JSSE example. This example is about a client and a server
who want to communicate securely. The client sends his username and password
to the server over a secure communication. The server will decrypt the received data, process it, and sends the login result to the client again over a secure communication.
The server:
The server (contd.)
The client
The client (contd.)
Running the example Enabling SSL requires that LoginServer uses a certificate that
LoginClient trusts. To generate a keystore and a certificate for this purpose we have to use one of the Java powerful tools called Keytool as follows:
keytool -genkey -alias OurKeys -keystore OurStore keytool -export -alias OurKeys -keystore OurStore -file admin.cer
- The first line generates public and private key pair, ' OurKeys ' is the alias for the public and private key pair. The alias simply identifies a particular public and private key pair for later use. These data will be stored in a keystore called 'OurStore'. You will be asked for some identification data like your name, organization and address.- The second line uses the public and private key pair to create a certificate file called 'admin.cer'.
Running the example
On the client side, this certificate should be imported by clients into their trusted keystores in order to enable them to use this certificate to validate the server's signature. This is done by client using the command:
keytool -import -alias mycer -file admin.cer -keystore trust
Running the example
Next, launch LoginServer and specify the keystore that contains the LoginServer's certificate as follows:
java -Djavax.net.ssl.keystore = OurStore -Djavax.net.ssl.keyStorePassword = password LoginServer
where password is the password we specified for ' OurStore ' keystore.
Running the example
Now we have to launch the LoginClient and specify the truststore for that client. The truststore contains certificates that the client trusts for the purpose of digital signature validation. For simplicity in this example, we will use the client's keystore 'trust' we created above as the truststore of the client. In real world, the client's truststore should contain trusted certificates such as certificates from CAs . launching the client is done as follows:
java -Djavax.net.ssl.trustStore = trust -Djavax.net.ssl.trustStorePassword =
password LoginClient
Running the example
The execution of the program with correct and incorrect input