没有合适的资源?快使用搜索试试~ 我知道了~
首页Java实现SSL TLS
资源详情
资源推荐
Implementing SSL / TLS
using Java
Introduction
The aim of this information is to make the enablement of SSL in Java a bit simpler, easier to
understand and faster to get up and running. It can be confusing how to implement SSL in
Java if you have not had any previous SSL experience and websites that cover the topic tend
to only address specific aspects.
This webpage gives a basic introduction to SSL, explains how to use it with respect to Java,
explores 2-way SSL and gives code examples as well as Tomcat"configuration examples.
If anything is confusing please comment. The site is not yet fully finished. Was thinking of
adding a section on Java SSL errors also as the error messages can be misleading. Please
give feedback.
SSL/TLS Basics
The Basics of SSL/TLS
The following is a summary of the basics (without getting into the specifics). For a more
detailed description of the protocol visit"Wikipedia."
SSL is a framework for establishing a secure connection between two parties that wish to
communicate with each other. It is basically a conversation between the two parties during
which the two parties decide on what encryption ciphers each support, what key lengths to
use, encryption modes, certificates get exchanged, asymmetric encryption is used to agree
on a symmetric encryption key and then all subsequent communications are secured using
symmetric encryption. This conversation is called a"handshake.
The symmetric key generated during the handshake is only valid for the lifetime of the
SSL session. If the session does not remain active it will expire. A max lifetime can be set
after which the SSL session expires and a full handshake must again be established. Every
new SSL session will result in a new session / symmetric key.
Certicates and Keys
Before explaining SSL in more detail a quick summary of keys and certificates in
appropriate. Firstly SSL/TLS uses assymmetric encryption for authentication purposes
and to negotiate a symmetic key to be used for the SSL/TLS session.
Keys: Asymmetric encryption keys are generated in pairs - a private key and a
corresponding public key. Data encrypted with one can only be decrypted by the other.
Similarly data digitally signed with one can be verifier with the other. The private key, as
its name suggests, it is intended to be kept private and not disclosed.
Certificates: A certificate consists of a public encryption key conbines with some identity
information and an expiry date. A certificate also contains a digital signature of the
authority that issued the certificate. A certificate is typically issued to a web server,
application or a user and is a way to advertise the public encryption key."
If a client encrypts a message with a servers public key (from the servers certificate) they
the client can be assured that only the server can decrypt the message with the server's
private key (provided the server did not share the key). This is the basis for the
authentication that occurs. During the establishment of an SSL/TLS session key the client
creates and encrypts part of the session key. If the server is who he says he is, the server
should be able to decrypt the message with its private key and establish the session key."
But what if a hacker called Judas (not to be too dramatic!) created a Phishing website and
presented a bank's certificate to a client during an SSL/TLS handshake? Client browsers
would generate part of the session key, encrypt it and then present it to the server - but the
server would not be able to decrypt it without the corresponding private key and as such
would not be able to determine the session key proposed by the client. The result would be
that the connection would fail."
Trust
Central to each SSL connection is the concept of trust. With each SSL connection a
decision is made whether the certificate being presented can be trusted. But how does one
know if the identity information contained in the certificate is the truth? What if hacker
Judas creates his own asymmetric key pair, then signs the certificate to masquerade as a
bank?
The trust model is quite easy. Each client or server decides that they will trust certain
certificate authorities (CA) that issue certificates. To trust a CA is to trust that any
certificates issued by the CA are valid and that the identity information in the certificate is
correct and trustworthy. Verisign is an example of a CA that signs a lot of certificates for
large Internet companies. All browsers trust Verisign certificates by default. A certificate's
identity information is digitally signed by the CA that generated and issued the certificate.
A client or server 'trusts' a certificate authority by adding their certificate to a file called a
'truststore'. By storing the CA certificate in a truststore enables java to" verify a
certificate's digital signature generated by that CA and decide if it trusts the certificate or
not.
If Judas's Phishing website presents a bogus cercate for Barclay's bank your browser will try to
verify the digital signature on the cercate. This cericaon will fail since the browser does not
have the CA cercate in its local store of trusted CA's.
1 way SSL connection (Simple Handshake)
!!
"
剩余10页未读,继续阅读
muyanchenluo
- 粉丝: 40
- 资源: 10
上传资源 快速赚钱
- 我的内容管理 收起
- 我的资源 快来上传第一个资源
- 我的收益 登录查看自己的收益
- 我的积分 登录查看自己的积分
- 我的C币 登录后查看C币余额
- 我的收藏
- 我的下载
- 下载帮助
会员权益专享
最新资源
- 保险服务门店新年工作计划PPT.pptx
- 车辆安全工作计划PPT.pptx
- ipqc工作总结PPT.pptx
- 车间员工上半年工作总结PPT.pptx
- 保险公司员工的工作总结PPT.pptx
- 报价工作总结PPT.pptx
- 冲压车间实习工作总结PPT.pptx
- ktv周工作总结PPT.pptx
- 保育院总务工作计划PPT.pptx
- xx年度现代教育技术工作总结PPT.pptx
- 出纳的年终总结PPT.pptx
- 贝贝班班级工作计划PPT.pptx
- 变电值班员技术个人工作总结PPT.pptx
- 大学生读书活动策划书PPT.pptx
- 财务出纳月工作总结PPT.pptx
- 大学生“三支一扶”服务期满工作总结(2)PPT.pptx
资源上传下载、课程学习等过程中有任何疑问或建议,欢迎提出宝贵意见哦~我们会及时处理!
点击此处反馈
安全验证
文档复制为VIP权益,开通VIP直接复制
信息提交成功