JSSE API University of Palestine Eng. Wisam Zaqoot April 2010

Secure Sockets Layer (SSL)  Invented by Netscape and made public domain for everyone’s use  An additional layer to the TCP/IP stack that sits between the Application and Transport layers ensures that all application data is encrypted but TCP/IP headers are not usually run on port 443 (default HTTPS port)

Digital Certificates  issued by a trusted disinterested third party (ex. VeriSign)  the Certificate contains the public-key for the specific Web Server and a digital signature of the certifying authority

Secure Sockets Layer (SSL) Once a secure session is established the source requests the destinations certificate ( sent in the http header (unencrypted)) once the source accepts the authenticity of the certificate it uses the public-key from the certificate to encrypt the generated session key for protecting the conversation between the source and destination. its done this way to speed up overall communications, strong encryption (slow) is used as little as possible while weaker encryption is used for most exchanges actual cipher algorithms are negotiated on a per- session basis

Security packages in Java Separate packages that are included as part of JDK:  JCE - Java Cryptography classes  JAAS - Java Authentication and Authorization Services  Java GSS API - Java Generic Security Services API  Java Certification Path API  JSSE - Java Secure Sockets Extension

JCE JCE covers  encryption and decryption symmetric bulk encryption, such as DES, RC2, and IDEA Symmetric stream encryption, such as RC4 Asymmetric encryption, such as RSA Password-based encryption (PBE)  key agreement  Message Authentication Code (MAC)

JAAS JAAS provides for the authentication of users and the authorization of tasks based upon that authentication Previously, anyone authenticated had access to the same security restrictions. Now, you can control what tasks are available for a specific authenticated user requires modification of security policies

Java GSS-API adds Kerberos V5 support to the Java platform. Kerberos originated at the Massachusetts Institute of Technology (MIT) as project Athena back in Essentially, a network authentication protocol.  Defined in RFC 1510 from 1993  biggest draw is not having to send passwords over the net.  offers single sign-on within one domain -- if everything within the domain has been Kerberos-enabled.  support is also provided for single sign-on across different security realms over a network.  Used in conjunction with JAAS, once a user's identity is established, future authentication requests are no longer necessary.

Java Certification Path API Certification Path API provides classes for building and validating certificate chains, an important requirement of a Public Key Infrastructure (PKI). These certificates provide for the storage of security keys for users. By trusting the issuer of a certificate that holds the keys, and trusting the issuer of the certificate that trusts the original certificate, you establish chains of trust Building and validating certification paths is an important part of many standard security protocols, such as SSL/TLS, Secure/MIME (S/MIME), and IP Security (IPsec). certification path from a most-trusted CA to the target subject (Ali)

JSSE Provides support for communications using SSL (Secure Sockets Layer) and TLS (Transport Layer Security)  commonly thought of as HTTPS part of javax.net SSL (and thus HTTPS) permits encrypted traffic to be exchanged between the client and server.  After an SSL client initiates a conversation with an SSL server, the server sends an X.509 certificate back to the client for authentication. The client then checks the validity of the certificate. Assuming the server is verified, the client generates a session secret key. After some basic handshaking, the encrypted exchange can commence. The JSSE library hides these inner workings of the SSL protocol from you.

JSSE API

JSSE encompasses many of the same concepts and algorithms as those in JCE but automatically applies them underneath a simple stream socket API. JSSE includes many important features. For example:  it is implemented in 100% Pure Java.  It provides API support and an implementation for TLS version 1.0 and some SSL versions. I  It includes classes that can be instantiated to create secure channels (SSLSocket and SSLServerSocket).  It provides support for Hypertext Transfer Protocol (HTTP) encapsulated in the SSL protocol (HTTPS), which allows access to data such as web pages using HTTPS.  It provides support for several cryptographic algorithms commonly used, including, RSA, DES, Triple DES and many others, with the ability that third parties provide additional cryptographic algorithms.  JSSE API includes factories for creating sockets, server sockets, SSL sockets, and SSL server sockets. Using socket factories you can encapsulate socket creation and configuration behavior.

keytool keytool – command line utility  organizes key material into keystores  one keystore file for each entity  initially keystore contains the public/private key pair and a self-signed certificate  allows storage of trusted certificate entries and trusted certificate chains

Simple JSSE example Next, we will see a simple JSSE example. This example is about a client and a server who want to communicate securely. The client sends his username and password to the server over a secure communication. The server will decrypt the received data, process it, and sends the login result to the client again over a secure communication.

The server:

The server (contd.)

The client

The client (contd.)

Running the example Enabling SSL requires that LoginServer uses a certificate that LoginClient trusts. To generate a keystore and a certificate for this purpose we have to use one of the Java powerful tools called Keytool as follows: keytool -genkey -alias OurKeys -keystore OurStore keytool -export -alias OurKeys -keystore OurStore -file admin.cer - The first line generates public and private key pair, ' OurKeys ' is the alias for the public and private key pair. The alias simply identifies a particular public and private key pair for later use. These data will be stored in a keystore called 'OurStore'. You will be asked for some identification data like your name, organization and address. - The second line uses the public and private key pair to create a certificate file called 'admin.cer'.

Running the example On the client side, this certificate should be imported by clients into their trusted keystores in order to enable them to use this certificate to validate the server's signature. This is done by client using the command: keytool -import -alias mycer -file admin.cer -keystore trust

Running the example Next, launch LoginServer and specify the keystore that contains the LoginServer's certificate as follows: java -Djavax.net.ssl.keystore = OurStore -Djavax.net.ssl.keyStorePassword = password LoginServer where password is the password we specified for ' OurStore ' keystore.

Running the example Now we have to launch the LoginClient and specify the truststore for that client. The truststore contains certificates that the client trusts for the purpose of digital signature validation. For simplicity in this example, we will use the client's keystore 'trust' we created above as the truststore of the client. In real world, the client's truststore should contain trusted certificates such as certificates from CAs. launching the client is done as follows: java -Djavax.net.ssl.trustStore = trust -Djavax.net.ssl.trustStorePassword = password LoginClient

Running the example The execution of the program with correct and incorrect input