I have an GUI which is designed in JAVA and act as an client, and can communicate remotely to an server which is written in C/C++. Communication between them is made through Sockets. However the messages sent are not encrypted and is vulnerable to man-in-the-middle attacks. I was wondering what the best solution will be to protect the communication and wanted to implement SSL. Is it possible to do so, and if yes, what toolkit I should look into.
Java contains an SSL implementation called JSSE. See the Javadoc for the javax.net.ssl package. There is also a tutorial, and several examples are provided with the JDK.
You might not even need to modify the server at all. You could just stick stunnel in front of it.
A warning: With TLS/SSL you face a whole bunch of additional error conditions that you might need report or log, especially concerning certificates (wrong, expired, unable to verify due to networking / DNS issues)
Related
I'm trying to improve some code that enables logging in to our application using digital certificates, probably certificates stored on PKCS11 tokens.
It's a Java client server application, with the server on JBoss [Wildfly], and a rich Java thick client. We also have a GWT/Javascript based web client, but this doesn't yet support certificate auth.
The current implementation uses 2-way SSL authentication if certificate authentication is configured, i.e. the server will require a client certificate when the connection is opened. This causes some problems, and in trying to find ways to address them I've been searching madly to see if there is a standard, 'Right Way To Do PKI Auth To A JBoss Application'.
However just about everything I have found on the subject seems also to revolve around using two-way SSL, which kind of implies that is the Right Way to Do It.
It seems undesirable to me, in that the network transport is quite a low-level concern, heavily separated from the application logic and stuff like authentication and user management.
In order to prove the client is a valid user of the system (as opposed to merely someone with credentials endorsed by a CA in the server trust store), the server application logic has to rummage around looking to find the certificate that was used on the incoming connection in order to scrape the Common Name off it. I've discovered that javax.servlet.request.X509Certificate is a standard-ish parameter one can query on the servlet, so it ought at least to be possible.
The other architectural problem this causes is that our app requires reauthentication for the lifetime of certain sensitive operations. If one is using the SSL connection to prove the user has the private key, then logically that would require opening a whole separate connection.
Logically, authenticating with a certificate would seem to require
The server generating a nonce
The client encrypting the nonce using the client's private key
The client sending that encrypted value to the server with the accompanying public certificate [or certificate chain].
Now, that is exactly what happens during an SSL handshake, but obviously a whole load of other baggage comes with it that is irrelevant to the application-level concern of authenticating the user.
I thought about implementing the steps directly myself, but this would seem to violate the first rule of crypto (Don't implement your own crypto).
If the server generates random nonces then that introduces a level of chattiness and statefulness to the process, which is doable but a pain when you are striving for a stateless and clusterable server.
Time-based One-Time Password implementations circumvent this, and seem to be a standardized mechanism for 2-factor authentication that is getting support from Google+ and the like.
However I can't find anything in the way of out-of-the-box libraries that will let me build an implementation using certificates directly from an imposed PKI.
I'm writing a server-client application where communication is done over the internet and I have several questions and concerns regarding security. I have done some research and found some posts here useful, but I would like more information. Some related questions I read were:
Secure authentication of client over RMI
java rmi authentication & security. exportObject makes it public?
Is communication in java rmi secure?
I have 3 parts to consider:
Information exchanged between the client and the server.
Authentication of the client.
Exploiting a running RMI server (hacking etc.).
What I know:
RMI over SSL. Using SSL sockets instead of the default socket would encrypt all information passed between the client and the server. This includes the objects exchange and method calls.
Authentication using username/password combination over SSL before RMI connection has been established. To my understanding there was supposed to be a way to authenticate inside the RMI connection but it was voted down.
Not too sure what can or needs to be done here. I do know that you can't just write your own client and ask to connect to the server since you need an ObjectID and the remote interfaces. However, is it not possible to decompile the classes \ interfaces you need since they are sent in RMI anyway? I also saw this Youtube video [http://www.youtube.com/watch?v=otjllNaBxiw] while researching and it got me worried with how easy it is, although I don't know if the server was not setup correctly.
All in all, are there other security issues I need to consider in RMI over the internet? Am I missing a solution I need to look at? Is what I already know wrong?
Information exchanged between the client and the server.
RMI over SSL.
Authentication of the client.
Authentication of the client is done by SSL. You mean authorisation, which is 'relatively' easy. Define your own RMIServerSocketFactory that returns an ServerSocket override whose implAccept() method wraps the socket in an SSLSocket, to which you add a handshake listener and set needClientAuth to true on it (and clientMode to false). Your handshake listener should then get and check the client certificate from the SSLSession, to see if the identity it authenticates is authorised, and simply close the socket if non-authorised.
Authorising the server, in the client, is on the other hand baroquely complex. You really need the JERI API in Jini to do it properly.
Exploiting a running RMI server (hacking etc.).
I won't go so far as to say it's impossible, but it's extremely difficult, and there are several strong lines of defence. You need the ObjectID, which is random, and can be made securely random, and you need the classes. Classes and interfaces aren't sent in RMI unless you specifically enable it, and they are sent by a side channel that you can secure arbitrarily strongly, for example with two-way-authenticated HTTPS. So you can't get those. Then you need to get yourself authorised, which basically requires compromising the server. And if that's possible, anything is.
I'm currently investigating for a client a solution where he wants to send and receive files using sftp in Domino.
I have looked on the net for API's covering this and found one recommended more than others; JSch.
One reason for choosing this API is for its use by others including Eclipse.
What I'd like to know is:
if there're any obsticales using this Library? If so, can you recommend any other?
are there any other caveats using sftp in Domino Java?
does Domino JVM support JavaTM Cryptography Extension (JCE)?
can we use Dominos self-signed certificates here, with Dominos CA?
/Mike
1) Sending. This should work, but you will probably have to deal with the JVM's Security Manager ("/jvm/lib/security/java.policy") of Domino to get a socket, ...
2) Receiving: You probably don't want to implement a SSH server inside domino. It's much easier and more secure to use the SSH server of the host and periodicaly scoop up the inbound files via an Agent.
Dominos Self Signed SSL certificates have nothing to do with SSH as implemented by JSch.
3) The Domino JVm will probably support theJavaTM Cryptography Extension (JCE). Watch out for the supported JRE versions of Domino.
4) Generally: Are you sure, you want to implement it that way? Probably way easier are either WebServices or a REST-API, both via SSL/TLS and optionally facilitating client certificates.
I'm working on a school project with a server application that holds centralized data, and client applications that hold cached data that will be synchronized with sockets.
Everything is written in Java.
What is good practice?
How can I stop people from listening to my traffic? Or prevent people to understand what is said?
You simply use SSLSocketFactory instead of SocketFactory for your client server application. That way, the communication between the two will be totally encrypted. You can secure your client server app in less than a day, if you know basic Java. Here's a tutorial.
SSL is the standard practice. See the javax.net.ssl package, and the JSSE Reference Guide. But this may be beyond the scope of your project or your abilities at this stage. Check with your instructor.
I am looking for a tool that would assist me and other developers in debugging/inspecting the network traffic between a rich client application and a server where the communication protocol is either RMI/HTTP or Corba/HTTP.
I already have Charles Proxy, which I LOVE, but it doesn't understand the payloads and just interprets them as octet-stream, hexadecimal garbage.
Either a stand alone program or an Eclipse plugin would work.
You'll find that very difficult in the case of RMI/JRMP, as it requires Java and the availability of all the application and library classes to deserialize the stream correctly. Without that the stream can't even be parsed.
In e case of IIOP I'm sure there are sniffers available, maybe even a Wireshark plugin.