没有合适的资源?快使用搜索试试~ 我知道了~
首页Java实现SSL TLS
资源详情
资源推荐
![](https://csdnimg.cn/release/download_crawler_static/8205165/bg1.jpg)
Implementing SSL / TLS
using Java
Introduction
The aim of this information is to make the enablement of SSL in Java a bit simpler, easier to
understand and faster to get up and running. It can be confusing how to implement SSL in
Java if you have not had any previous SSL experience and websites that cover the topic tend
to only address specific aspects.
This webpage gives a basic introduction to SSL, explains how to use it with respect to Java,
explores 2-way SSL and gives code examples as well as Tomcat"configuration examples.
If anything is confusing please comment. The site is not yet fully finished. Was thinking of
adding a section on Java SSL errors also as the error messages can be misleading. Please
give feedback.
SSL/TLS Basics
![](https://csdnimg.cn/release/download_crawler_static/8205165/bg2.jpg)
The Basics of SSL/TLS
The following is a summary of the basics (without getting into the specifics). For a more
detailed description of the protocol visit"Wikipedia."
SSL is a framework for establishing a secure connection between two parties that wish to
communicate with each other. It is basically a conversation between the two parties during
which the two parties decide on what encryption ciphers each support, what key lengths to
use, encryption modes, certificates get exchanged, asymmetric encryption is used to agree
on a symmetric encryption key and then all subsequent communications are secured using
symmetric encryption. This conversation is called a"handshake.
The symmetric key generated during the handshake is only valid for the lifetime of the
SSL session. If the session does not remain active it will expire. A max lifetime can be set
after which the SSL session expires and a full handshake must again be established. Every
new SSL session will result in a new session / symmetric key.
Certicates and Keys
Before explaining SSL in more detail a quick summary of keys and certificates in
appropriate. Firstly SSL/TLS uses assymmetric encryption for authentication purposes
and to negotiate a symmetic key to be used for the SSL/TLS session.
Keys: Asymmetric encryption keys are generated in pairs - a private key and a
corresponding public key. Data encrypted with one can only be decrypted by the other.
Similarly data digitally signed with one can be verifier with the other. The private key, as
its name suggests, it is intended to be kept private and not disclosed.
Certificates: A certificate consists of a public encryption key conbines with some identity
information and an expiry date. A certificate also contains a digital signature of the
authority that issued the certificate. A certificate is typically issued to a web server,
application or a user and is a way to advertise the public encryption key."
If a client encrypts a message with a servers public key (from the servers certificate) they
the client can be assured that only the server can decrypt the message with the server's
private key (provided the server did not share the key). This is the basis for the
authentication that occurs. During the establishment of an SSL/TLS session key the client
creates and encrypts part of the session key. If the server is who he says he is, the server
should be able to decrypt the message with its private key and establish the session key."
But what if a hacker called Judas (not to be too dramatic!) created a Phishing website and
presented a bank's certificate to a client during an SSL/TLS handshake? Client browsers
would generate part of the session key, encrypt it and then present it to the server - but the
server would not be able to decrypt it without the corresponding private key and as such
would not be able to determine the session key proposed by the client. The result would be
![](https://csdnimg.cn/release/download_crawler_static/8205165/bg3.jpg)
that the connection would fail."
Trust
Central to each SSL connection is the concept of trust. With each SSL connection a
decision is made whether the certificate being presented can be trusted. But how does one
know if the identity information contained in the certificate is the truth? What if hacker
Judas creates his own asymmetric key pair, then signs the certificate to masquerade as a
bank?
The trust model is quite easy. Each client or server decides that they will trust certain
certificate authorities (CA) that issue certificates. To trust a CA is to trust that any
certificates issued by the CA are valid and that the identity information in the certificate is
correct and trustworthy. Verisign is an example of a CA that signs a lot of certificates for
large Internet companies. All browsers trust Verisign certificates by default. A certificate's
identity information is digitally signed by the CA that generated and issued the certificate.
A client or server 'trusts' a certificate authority by adding their certificate to a file called a
'truststore'. By storing the CA certificate in a truststore enables java to" verify a
certificate's digital signature generated by that CA and decide if it trusts the certificate or
not.
If Judas's Phishing website presents a bogus cercate for Barclay's bank your browser will try to
verify the digital signature on the cercate. This cericaon will fail since the browser does not
have the CA cercate in its local store of trusted CA's.
1 way SSL connection (Simple Handshake)
!!
"
剩余10页未读,继续阅读
![zip](https://img-home.csdnimg.cn/images/20210720083736.png)
![](https://csdnimg.cn/download_wenku/file_type_ask_c1.png)
![](https://csdnimg.cn/download_wenku/file_type_ask_c1.png)
![](https://csdnimg.cn/download_wenku/file_type_ask_c1.png)
![](https://csdnimg.cn/download_wenku/file_type_ask_c1.png)
![](https://csdnimg.cn/download_wenku/file_type_ask_c1.png)
![](https://csdnimg.cn/download_wenku/file_type_ask_c1.png)
![](https://csdnimg.cn/download_wenku/file_type_ask_c1.png)
![](https://csdnimg.cn/download_wenku/file_type_ask_c1.png)
![](https://csdnimg.cn/download_wenku/file_type_ask_c1.png)
![](https://csdnimg.cn/download_wenku/file_type_ask_c1.png)
![](https://csdnimg.cn/download_wenku/file_type_ask_c1.png)
![](https://csdnimg.cn/download_wenku/file_type_ask_c1.png)
![](https://csdnimg.cn/download_wenku/file_type_ask_c1.png)
![](https://csdnimg.cn/download_wenku/file_type_ask_c1.png)
![](https://csdnimg.cn/download_wenku/file_type_ask_c1.png)
![](https://csdnimg.cn/download_wenku/file_type_ask_c1.png)
![](https://profile-avatar.csdnimg.cn/3cdff2f7495c444795a642fa2d715c13_muyanchenluo.jpg!1)
muyanchenluo
- 粉丝: 40
- 资源: 10
上传资源 快速赚钱
我的内容管理 收起
我的资源 快来上传第一个资源
我的收益
登录查看自己的收益我的积分 登录查看自己的积分
我的C币 登录后查看C币余额
我的收藏
我的下载
下载帮助
![](https://csdnimg.cn/release/wenkucmsfe/public/img/voice.245cc511.png)
会员权益专享
最新资源
- 基于嵌入式ARMLinux的播放器的设计与实现 word格式.doc
- 经典:大学答辩通过_基于ARM微处理器的嵌入式指纹识别系统设计.pdf
- 嵌入式系统课程设计.doc
- 基于飞思卡尔控制器的智能寻迹车设计ARM基础课程课程设计.doc
- 下载基于ARM7的压电陶瓷换能器导纳圆测量仪的研制PDF格式可编辑.pdf
- 课程设计基于ARM的嵌入式家居监控系统的研究与设计.doc
- 论文基于嵌入式ARM的图像采集处理系统设计.doc
- 嵌入式基于ARM9的中断驱动程序设计—课程设计.doc
- 在Linux系统下基于ARM嵌入式的俄罗斯方块.doc
- STK-MirrorStore Product Release Notes(96130)-44
- STK-MirrorStore Storage Connectivity Guide for StorageTek Disk A
- 龙虾养殖远程监控系统的设计与实现数据采集上位-机软件模块-本科毕业设计.doc
- 龙虾养殖远程监控系统的设计与实现数据采集上位-机软件模块-.doc
- 龙虾养殖远程监控系统的设计与实现数据采集上位-机软件模块-本科生毕业论文.doc
- 麻阳风貌展示网站的设计与实现毕业论文.pdf
- 高速走丝气中电火花线切割精加工编程设计.doc
资源上传下载、课程学习等过程中有任何疑问或建议,欢迎提出宝贵意见哦~我们会及时处理!
点击此处反馈
![](https://img-home.csdnimg.cn/images/20220527035711.png)
![](https://img-home.csdnimg.cn/images/20220527035711.png)
![](https://img-home.csdnimg.cn/images/20220527035111.png)
安全验证
文档复制为VIP权益,开通VIP直接复制
![](https://csdnimg.cn/release/wenkucmsfe/public/img/green-success.6a4acb44.png)