Java实现SSL TLS

Java

SSL

需积分: 33 21 浏览量更新于2023-06-05 收藏 60KB DOCX 举报

身份认证购VIP最低享 7 折!

领优惠券(最高得80元）

资源详情

资源推荐

Implementing SSL / TLS

using Java

Introduction

The aim of this information is to make the enablement of SSL in Java a bit simpler, easier to

understand and faster to get up and running. It can be confusing how to implement SSL in

Java if you have not had any previous SSL experience and websites that cover the topic tend

to only address specific aspects.

This webpage gives a basic introduction to SSL, explains how to use it with respect to Java,

explores 2-way SSL and gives code examples as well as Tomcat"configuration examples.

If anything is confusing please comment. The site is not yet fully finished. Was thinking of

adding a section on Java SSL errors also as the error messages can be misleading. Please

give feedback.

SSL/TLS Basics

The Basics of SSL/TLS

The following is a summary of the basics (without getting into the specifics). For a more

detailed description of the protocol visit"Wikipedia."

SSL is a framework for establishing a secure connection between two parties that wish to

communicate with each other. It is basically a conversation between the two parties during

which the two parties decide on what encryption ciphers each support, what key lengths to

use, encryption modes, certificates get exchanged, asymmetric encryption is used to agree

on a symmetric encryption key and then all subsequent communications are secured using

symmetric encryption. This conversation is called a"handshake.

The symmetric key generated during the handshake is only valid for the lifetime of the

SSL session. If the session does not remain active it will expire. A max lifetime can be set

after which the SSL session expires and a full handshake must again be established. Every

new SSL session will result in a new session / symmetric key.

Certicates and Keys

Before explaining SSL in more detail a quick summary of keys and certificates in

appropriate. Firstly SSL/TLS uses assymmetric encryption for authentication purposes

and to negotiate a symmetic key to be used for the SSL/TLS session.

Keys: Asymmetric encryption keys are generated in pairs - a private key and a

corresponding public key. Data encrypted with one can only be decrypted by the other.

Similarly data digitally signed with one can be verifier with the other. The private key, as

its name suggests, it is intended to be kept private and not disclosed.

Certificates: A certificate consists of a public encryption key conbines with some identity

information and an expiry date. A certificate also contains a digital signature of the

authority that issued the certificate. A certificate is typically issued to a web server,

application or a user and is a way to advertise the public encryption key."

If a client encrypts a message with a servers public key (from the servers certificate) they

the client can be assured that only the server can decrypt the message with the server's

private key (provided the server did not share the key). This is the basis for the

authentication that occurs. During the establishment of an SSL/TLS session key the client

creates and encrypts part of the session key. If the server is who he says he is, the server

should be able to decrypt the message with its private key and establish the session key."

But what if a hacker called Judas (not to be too dramatic!) created a Phishing website and

presented a bank's certificate to a client during an SSL/TLS handshake? Client browsers

would generate part of the session key, encrypt it and then present it to the server - but the

server would not be able to decrypt it without the corresponding private key and as such

would not be able to determine the session key proposed by the client. The result would be

that the connection would fail."

Trust

Central to each SSL connection is the concept of trust. With each SSL connection a

decision is made whether the certificate being presented can be trusted. But how does one

know if the identity information contained in the certificate is the truth? What if hacker

Judas creates his own asymmetric key pair, then signs the certificate to masquerade as a

bank?

The trust model is quite easy. Each client or server decides that they will trust certain

certificate authorities (CA) that issue certificates. To trust a CA is to trust that any

certificates issued by the CA are valid and that the identity information in the certificate is

correct and trustworthy. Verisign is an example of a CA that signs a lot of certificates for

large Internet companies. All browsers trust Verisign certificates by default. A certificate's

identity information is digitally signed by the CA that generated and issued the certificate.

A client or server 'trusts' a certificate authority by adding their certificate to a file called a

'truststore'. By storing the CA certificate in a truststore enables java to" verify a

certificate's digital signature generated by that CA and decide if it trusts the certificate or

not.

If Judas's Phishing website presents a bogus cercate for Barclay's bank your browser will try to

verify the digital signature on the cercate. This cericaon will fail since the browser does not

have the CA cercate in its local store of trusted CA's.



1 way SSL connection (Simple Handshake)



 !!

"

剩余10页未读，继续阅读

muyanchenluo

粉丝: 40
资源: 10

会员权益专享

JAVA实现的SSL/TLS双向认证源代码

TLS java简单实现

JAVA 实现SSL 连接

java ssl 双向认证_java实现 SSL双向认证

Java为实现SSL协议支持，提供了哪些包与类的定义

Java调用ssl异常（javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or ci

javax.net.ssl.SSLHandshakeException: The server selected protocol version TLS10 is not accepted by client preferences [TLS13, TLS12]

java.security.cert.CertException x.509 not found 是什么原因

javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection

java ssl证书升级后 接口调用报ssl peer shut down incorrectly

java websocket ssl_websocket 配置 https 连接

java程序清除ssl证书缓存

android vollery实现SSL

java HttpClient SSL

使用Java代码实现采用HTTPS和TLS 1.2版本建立连接，并完成双向TLS认证 (mTLS)的示例

Security安全框架 java 如何实现

public void checkClientTrusted(X509Certificate[] chain, String authType) { } 怎么在这个 SSL/TLS连接上启用服务器证书验证。

configure: error: *** No SSL/TLS library not found.

会员权益专享

最新资源

java ssl证书升级后接口调用报ssl peer shut down incorrectly