Secure Sockets - PowerPoint PPT Presentation

1 / 18

About This Presentation

Title:

Secure Sockets

Description:

Number of Views:112

Avg rating:3.0/5.0

Slides: 19

Provided by: v5o5jotqkg

Category:

Tags: ioexception | secure | serverside | sockets

Transcript and Presenter's Notes

Title: Secure Sockets

1
Secure Sockets

2
Topics

3
Java security features

4
Secure communications

Symmetric encryption
Asymmetric encryption
It is not always obvious which algorithms and
protocols are good and which are not!!
JSSE (Java Secure Socket Extension) allows you to
create sockets and server sockets that
transparently handle the negotiations and
encryption necessary for secure communication.

5
JSSE

6
Creating Secure socket clients

Rather than constructing a java.net.socket object
with a constructor, you get one from a
javax.net.ssl.SSLSocketFactory using its
createSocket() method.
Public abstract class SSLSocketFactory extends
SocketFactory
Since SSLSocketFactory class is itself abstract,
you get an instance of it by invoking the static
SSLSocketFactory.getDefault() method
Public static SocketFactory getDefault() throws
InstantiationException

7
Once you have ref to the factory, use one of
these 5 methods to build an socket

Public abstract Socket createSocket(String host,
int port) throws IOException, UnknownHostException
Public abstract Socket createSocket(InetAddress
host, int port) throws IOException
Public abstract Socket createSocket(String host,
int port, InetAddress interface, int localPort)
throws IOException, UnknownHostException
Public abstract Socket createSocket(InetAddress
host, int port, InetAddress interface, int
localPort) throws IOException, UnknownHostExceptio
n
Public abstract Socket createSocket(Socket proxy,
String host, int port, boolean autoClose) throws
IOException
There are also other methods for configuring
exactly how much and what kind of authentication
and encryption is required.

8
Book examples

9
Choosing the cipher suites

Different implementations of JSSE support
different combinations of authentication and
encryption algorithms.
The getSupportedCipherSuites() method tells you
what combination of algorithms is available on a
given socket
Public abstract String getSupportedCipherSuites(
)
Some may be weak and consequently disabled
Public abstract String getEnabledCipherSuites()
tells you which suites this socket is willing to
use

10
Actual suite used is negotiated between the
client the server during connection time

If not, an SSL exception is thrown!
You can change the suites the client attempts to
use via setEnabledCipherSuites() method.

11
23 Cipher suites supported by 1.4

SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DH_anon_WITH_DES_CBC_SHA
Each name has an algorithm divided into four
parts protocol, key exchange algorithm,
encryption algorithm and checksum

12
Session management

SSL socket for every connection is time consuming
SSL allows sessions to be established that extend
over multiple sockets.
Sockets within the same session use the same set
of public private keys
In JSSE sessions are represented by instances of
the SSLSession interface. You can use the methods
of this interface to check the times the session
was created, other info
Ex public long getCreationTime()
public long getLastAccessedTime()

13
Client Mode authentication

Sockets can be required to authenticate
themselves in high security applications.
The setUseClentMode() method determines whether
the socket needs to use authentication in its
first handshake.
Can be used by both server and client sockets.
When the value returned is TRUE, it means it is
on the client side, will not authenticate.
On the server side, use setNeedClentAuth() method
to require that clients should authenticate
themselves.
This property can be set only once for a socket.

14
Creating secure server sockets

Similar to client side
get one from a javax.net.ssl.SSLSocketFactory
using its createSocket() method.
Public abstract class SSLServerbSocketFactory
extends ServerSocketFactory
Since SSLSocketFactory class is itself abstract,
you get an instance of it by invoking the static
SSLServerSocketFactory.getDefault() method
Public static ServerSocketFactory getDefault()
throws InstantiationException

15
Three createServerSocket() methods

Public abstract ServerSocket createServerSocket(in
t port) throws IOException
Public abstract ServerSocket createServerSocket(in
t port, int queueLength) throws IOException
Public abstract ServerSocket createServerSocket(in
t port, int queueLength, InetAddressInterface)
throws IOException
getDefault() supports only authentication. To get
encryption as well, server side sockets require
more initialization and setup
In Sun com.sun.net.ssl.SSLContext object does
this configuration
Vary from JSSE implementations

16
JSSE implementation

Generate public keys and certificates using
keytool
Pay money to your certificate authenticated 3rd
party such as Verisign
Create an SSLContext for the algorithm youll use
Create a TrustManagerFactory for the source of
certificate material youll be using
Create a keyManagerFactory for the type of key
material you will be using
Create a KeyStore object for the key and
certificate database
Fill the keyStore object for the keys and
certificates
Initialize the KeyManagerFactory with keystore
and its pass phrase
Initialize the context with necessary key
managers from the keymanagerfactory, trust
managers from the trust managerFactory and a
source of randomness.