SSL Socket Java encryption

Viewed 824 times

4

I’m having doubts about the Java SSL Socket.
I saw on several sites that an SSL Socket connection is encrypted, but none of them gives me information on how this actually works.

  • How do I know the message is being encrypted / decrypted?
  • How do I know what method is in use for this encryption / decryption?
  • Would SSL alone be enough to keep the connection secure?
  • Is the encryption method used the one in the certificate generated by Keytool?!

1 answer

5


How do I know the message is being encrypted / decrypted?

The idea behind a cryptographic layer is to abstract all this from the programmer, presenting itself as if it were a normal socket. That is, is the SSLSocket open? Then the messages are being encrypted/decrypted. It’s that simple! Have you ever seen a character in a movie ask, "Is this a secure line?"; in real life, the only right answer is, "if you need to ask, then it’s not safe...".

Responding more precisely, the SSLSocket class initiates the handshake protocol in one of the following circumstances:

  • Explicitly, by calling the method startHandshake;
  • Implicitly, if you try to read or write on that socket;
  • Implicitly, if you call getSession and the handshake has not yet occurred.

If the handshake fails for any reason, the socket is automatically closed (without sending or receiving any data) and no further communication is possible.

How do I know what method is in use for this encryption / decryption?

Using SSLSocket.getSession(), followed by SSLSession.getCipherSuite().

Would SSL alone be enough to keep the connection secure?

What do you call "secure"? SSL/TLS provides authenticity (the client knows it is communicating with the right server), confidentiality (no one can intercept and read the communication) and integrity (if someone intercepts and tries to alter the communication, this is detected). Note that unless you require the client to also authenticate with a certificate, even after the connection is established the server still does not know who the client is. In this case, it is necessary to implement client authentication yourself (for example, asking for a username and password, which is the most common).

From the connection point of view, the use of SSL alone is sufficient to ensure the properties described above. Of course, other aspects of your application may still require additional security (e.g. if the client is a browser, it is necessary to establish a session key to identify the user conveniently, storing it in a secure cookie; POST requests need to be protected against CSRF; etc.).

Is the encryption method used the one in the certificate generated by Keytool?

A certificate carries a key pair that determines (or rather "restricts") part of the encryption protocol. But other aspects do not depend on it. I personally know very little about these protocols, as it is a very specialised area (if you want to know more about it, I suggest Crypto.SE).

In an answer to a related question I explain better what a certificate is and what it’s for. In short, it is more responsible for identifying the communication participants (server, and optionally client) than for protecting their communication.
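The points above (handshake triggered explicitly via startHandshake, cipher suite read from getSession().getCipherSuite(), and the certificate identifying the server rather than choosing the cipher) put together in one client, as an added example that is not part of the original answer. The hostname and port are placeholders; the example assumes a server whose certificate chains to the JVM's default trust store.

```java
import javax.net.ssl.HandshakeCompletedEvent;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.nio.charset.StandardCharsets;
import java.security.cert.X509Certificate;

public class TlsInspect {
    public static void main(String[] args) throws Exception {
        // Assumed values for the example; replace with your own server.
        String host = args.length > 0 ? args[0] : "example.com";
        int port = 443;

        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            // Only allow current protocol versions (the JVM default may include older ones).
            socket.setEnabledProtocols(new String[] { "TLSv1.3", "TLSv1.2" });

            // Ask JSSE to match the certificate against the hostname (HTTPS rules).
            // The default trust manager validates the chain but not the name.
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);

            // Optional: be notified when the handshake finishes.
            socket.addHandshakeCompletedListener((HandshakeCompletedEvent ev) ->
                System.out.println("handshake completed: " + ev.getCipherSuite()));

            // Explicit handshake; otherwise it happens on the first read/write or getSession.
            // Throws SSLHandshakeException (and closes the socket) if the server cannot be authenticated.
            socket.startHandshake();

            SSLSession session = socket.getSession();
            System.out.println("protocol  : " + session.getProtocol());
            System.out.println("suite     : " + session.getCipherSuite());

            // The certificate tells you WHO you are talking to and which key algorithm
            // the server holds; the suite above is negotiated, not read from the certificate.
            X509Certificate leaf = (X509Certificate) session.getPeerCertificates()[0];
            System.out.println("peer      : " + leaf.getSubjectX500Principal());
            System.out.println("peer key  : " + leaf.getPublicKey().getAlgorithm());

            // From here on the streams behave like a plain socket; bytes go out encrypted.
            String request = "HEAD / HTTP/1.0\r\nHost: " + host + "\r\n\r\n";
            socket.getOutputStream().write(request.getBytes(StandardCharsets.US_ASCII));
            byte[] buf = new byte[512];
            int n = socket.getInputStream().read(buf);
            System.out.println(new String(buf, 0, Math.max(n, 0), StandardCharsets.US_ASCII));
        }
    }
}
```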

  • That’s it... for my application, SSL and an MD5 already solve it, hehe. Thank you very much, I spent 4 hours yesterday looking for this information but could not find it clearly.
