
  Tutorial: Build secure network applications with SSL and the JSSE API - JavaWorld May 2001

By Todd Sundsted
Get started with SSL and JSSE using these two simple apps
The Internet is a dangerous place. It's simply too easy to snoop, spoof, and steal unprotected information as it travels over the wires. Last month, I wrote the final article in a series on X.509 certificates and public key infrastructure (PKI), the technologies that secure most e-commerce activity on the Internet. Near the end of the article, I suggested looking at the SSL (Secure Socket Layer) protocol to learn how X.509 certificates are used in practice. SSL is the X.509 killer app -- nearly every browser and most popular Web and application servers support it.
This month, I will explore SSL as implemented by the JSSE (Java Secure Socket Extension), and show you how to build secure network applications in Java using SSL and JSSE.
Let's begin with a simple demonstration. JSSE provides an SSL toolkit for Java applications. In addition to the necessary classes and interfaces, JSSE provides a handy command-line debugging switch that you can use to watch the SSL protocol in action. In addition to providing useful information for debugging a recalcitrant application, playing with the toolkit is a great way to get your feet wet with SSL and JSSE.
To run the demonstration, you must first compile the following class:
    public class Test
    {
        public static void main(String [] arstring)
        {
            try
            {
                // arstring[0] is the host name; fetching the URL triggers the SSL handshake
                new java.net.URL("https://" + arstring[0] + "/").getContent();
            }
            catch (Exception exception)
            {
                exception.printStackTrace();
            }
        }
    }
Next, you need to turn on SSL debugging and run the above application. The application connects to the secure Website that you specify on the command line using the SSL protocol via HTTPS. The first option loads the HTTPS protocol handler. The second option, the debug option, causes the program to print out its behavior. Here's the command (replace <host> with the name of a secure Web server):
    java -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol -Djavax.net.debug=ssl Test <host>
You need to install JSSE; refer to Resources if you're unsure how.
Now let's get down to business and talk about SSL and JSSE.
A brief look at SSL
The code in the introduction demonstrates the easiest way to add SSL to your applications -- via the java.net.URL class. This approach is useful, but is not flexible enough to let you create a secure application that uses generic sockets.
Before I show you how to add that flexibility, let's take a quick look at SSL's features.
As its name suggests, SSL aims to provide applications with a secure socketlike toolkit. Ideally, it should be easy to convert an application that uses regular sockets into an application that uses SSL.
SSL addresses three important security issues:
It provides authentication, which helps ensure the legitimacy of the entities involved in a dialog.
It provides privacy. SSL helps warrant that a third party cannot decipher the dialog between two entities.
It maintains integrity. The use of a MAC (message authentication code), which is similar to a checksum, helps guarantee that a dialog between two entities is not modified by a third party.
SSL relies heavily on both public-key and secret-key cryptography. It uses secret-key cryptography to bulk-encrypt the data exchanged between two applications; this is the ideal choice for bulk encryption because secret-key algorithms are both secure and fast. Public-key cryptography, which is slower than secret-key cryptography, is a better choice for authentication and key exchange.
Sun's JSSE reference implementation comes with all the technology necessary to add SSL to your applications. It includes RSA (Rivest-Shamir-Adleman) cryptography support -- the de facto standard for security on the Internet. It includes an implementation of SSL 3.0 -- the current SSL standard -- and TLS (Transport Layer Security) 1.0, the next generation of SSL. JSSE also provides a suite of APIs for creating and using secure sockets.
The JSSE API
The Java security architecture uses the Factory design pattern heavily. For the uninitiated, the Factory design pattern uses special factory objects to construct instances, rather than calling their constructors directly. (See Resources for the pros and cons of the factory class.)
In JSSE, everything begins with the factory; there's a factory for SSL sockets and a factory for SSL server sockets. Since generic sockets and server sockets are already quite fundamental to Java network programming, I'll assume that you're familiar with the two and you understand their roles and differences. If you are not, I recommend picking up a good book on Java network programming.
SSLSocketFactory
Methods in the javax.net.ssl.SSLSocketFactory class fall into three categories. The first consists of a single static method that retrieves the default SSL socket factory: static SocketFactory getDefault().
The second category consists of four methods inherited from javax.net.SocketFactory that mirror the four key constructors found on the java.net.Socket class, and one method that wraps an existing socket with an SSL socket. They each return an SSL socket:
Socket createSocket(String host, int port)
Socket createSocket(String host, int port, InetAddress clientHost, int clientPort)
Socket createSocket(InetAddress host, int port)
Socket createSocket(InetAddress host, int port, InetAddress clientHost, int clientPort)
Socket createSocket(Socket socket, String host, int port, boolean autoClose)
The two methods in the third category return the list of SSL cipher suites that are enabled by default, and the complete list of supported SSL cipher suites:
String [] getDefaultCipherSuites()
String [] getSupportedCipherSuites()
A cipher suite is a combination of cryptographic algorithms that define a particular level of security for an SSL connection. A cipher suite defines whether the connection is encrypted, whether content integrity is verified, and how authentication occurs.
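The three properties named above can be read off the suite name itself. The following is an added example, not code from the original article: it splits JSSE suite names into their parts and reports authentication, encryption and integrity for two constructed sample names and for the suites the running JVM enables by default. The class and method names are hypothetical.

```java
import javax.net.ssl.SSLSocketFactory;

public class CipherSuiteReport {

    // Splits a suite name into {authentication/key exchange, bulk cipher, hash}.
    // Assumes the PREFIX_KX_WITH_CIPHER_HASH layout of standard JSSE suite names.
    static String[] parse(String suite) {
        String body = suite.substring(suite.indexOf('_') + 1); // drop "TLS_" / "SSL_"
        int with = body.indexOf("_WITH_");
        // TLS 1.3 names have no _WITH_ part: authentication and key exchange
        // are negotiated outside the cipher suite.
        String auth = with < 0 ? "negotiated separately (TLS 1.3)" : body.substring(0, with);
        String rest = with < 0 ? body : body.substring(with + "_WITH_".length());
        int last = rest.lastIndexOf('_');
        return new String[] { auth, rest.substring(0, last), rest.substring(last + 1) };
    }

    static String describe(String suite) {
        if (suite.endsWith("_SCSV")) {
            return suite + ": signalling value, not a real cipher suite";
        }
        String[] p = parse(suite);
        // AEAD ciphers protect integrity themselves; the trailing hash is then
        // used for key derivation rather than as the record MAC.
        boolean aead = p[1].contains("GCM") || p[1].contains("POLY1305") || p[1].contains("CCM");
        String auth = p[0].contains("anon") ? "NONE (anonymous key exchange)" : p[0];
        String enc = p[1].equals("NULL") ? "NONE (plaintext)" : p[1];
        String integrity = aead ? "AEAD mode of " + p[1] : "MAC using " + p[2];
        return suite + "\n  authentication/key exchange: " + auth
                + "\n  encryption: " + enc + "\n  integrity: " + integrity;
    }

    public static void main(String[] args) {
        // Constructed sample names showing the weak cases.
        String[] samples = { "TLS_DH_anon_WITH_AES_128_CBC_SHA", "SSL_RSA_WITH_NULL_SHA" };
        for (String s : samples) {
            System.out.println(describe(s));
        }
        // What this JVM enables by default (works offline).
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        for (String s : factory.getDefaultCipherSuites()) {
            System.out.println(describe(s));
        }
    }
}
```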
SSLServerSocketFactory
Methods on the javax.net.ssl.SSLServerSocketFactory class fall into the same three categories as SSLSocketFactory. First, there is the single static method that retrieves the default SSL server socket factory: static ServerSocketFactory getDefault().
The methods that return SSL server sockets mirror the constructors found in the java.net.ServerSocket class:
ServerSocket createServerSocket(int port)
ServerSocket createServerSocket(int port, int backlog)
ServerSocket createServerSocket(int port, int backlog, InetAddress address)
Finally, the SSLServerSocketFactory features the two methods that return the list of ciphers enabled by default and the list of supported ciphers, respectively:
String [] getDefaultCipherSuites()
String [] getSupportedCipherSuites()
So far, the API is pretty straightforward.
SSLSocket
Things get interesting in the javax.net.ssl.SSLSocket class. I assume you are already familiar with the methods provided by its parent, the Socket class, so I will concentrate on the methods that provide SSL-related functionality.
Like the two SSL factory classes, the first two methods listed below retrieve the enabled and supported SSL cipher suites, respectively. The third method sets the enabled cipher suites. An application can use the third operation to upgrade or downgrade the range of acceptable security that the application will allow:
String [] getEnabledCipherSuites()
String [] getSupportedCipherSuites()
void setEnabledCipherSuites(String [] suites)
These two methods determine whether the socket can establish new SSL sessions, which maintain connection details -- like the shared secret key -- between connections:
boolean getEnableSessionCreation()
void setEnableSessionCreation(boolean flag)
The next two methods determine whether the socket will require client authentication. The methods only make sense when invoked on server mode sockets. Remember, according to the SSL specification, client authentication is optional. For example, most Web applications don't require it:
boolean getNeedClientAuth()
void setNeedClientAuth(boolean need)
The methods below change the socket from client mode to server mode. This affects who initiates the SSL handshake and who authenticates first:
boolean getUseClientMode()
void setUseClientMode(boolean mode)
Method void startHandshake() forces an SSL handshake. It's possible, but not common, to force a new handshake operation in an existing connection.
Method SSLSession getSession() retrieves the SSL session. You will seldom need to access the SSL session directly.
The two methods listed below add and remove an SSL handshake listener object. The handshake listener object is notified whenever an SSL handshake operation completes on the socket.
void addHandshakeCompletedListener(HandshakeCompletedListener listener)
void removeHandshakeCompletedListener(HandshakeCompletedListener listener)
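The SSLSocket methods above, put together in a client, as an added example that is not part of the original article. It narrows the enabled cipher suites with setEnabledCipherSuites, keeps only TLS 1.2 and later (SSL 3.0 and TLS 1.0, current when the article was written, have since been deprecated), turns on host name checking, which a raw SSLSocket does not perform by default, and registers a handshake listener. The class name, helper names and port 443 are assumptions.

```java
import java.util.Arrays;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class HardenedSslClient {

    // Narrow the suites the JVM already enables; never widen beyond its defaults.
    static String[] strongSuites(String[] enabled) {
        return Arrays.stream(enabled)
                .filter(s -> !s.matches(".*_(anon|NULL|EXPORT|RC4|DES|3DES)_.*|.*_MD5"))
                .toArray(String[]::new);
    }

    static SSLSocket configure(SSLSocket socket) {
        socket.setEnabledCipherSuites(strongSuites(socket.getEnabledCipherSuites()));
        // Keep only TLS 1.2 and later out of what this JVM supports.
        socket.setEnabledProtocols(Arrays.stream(socket.getSupportedProtocols())
                .filter(p -> p.equals("TLSv1.2") || p.equals("TLSv1.3"))
                .toArray(String[]::new));
        // A raw SSLSocket validates the certificate chain but does not compare the
        // certificate with the host name unless endpoint identification is enabled.
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);
        socket.addHandshakeCompletedListener(event -> System.out.println(
                "negotiated " + event.getSession().getProtocol() + " / " + event.getCipherSuite()));
        return socket;
    }

    public static void main(String[] args) throws Exception {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        if (args.length == 0) {
            // Offline run: configure an unconnected socket and list what stays enabled.
            try (SSLSocket socket = configure((SSLSocket) factory.createSocket())) {
                System.out.println(String.join("\n", socket.getEnabledCipherSuites()));
            }
            return;
        }
        // Assumption: args[0] is a host name chosen by the reader, serving TLS on port 443.
        try (SSLSocket socket = configure((SSLSocket) factory.createSocket(args[0], 443))) {
            socket.startHandshake(); // throws if the chain or the host name fails to verify
        }
    }
}
```

Run without arguments it needs no network; with a host name it performs the handshake and the listener prints the negotiated protocol and suite.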
SSLServerSocket
The javax.net.ssl.SSLServerSocket class is similar to the javax.net.ssl.SSLSocket class; it doesn't require much individual attention. In fact, the set of methods on javax.net.ssl.SSLServerSocket class is a subset of the methods on the javax.net.ssl.SSLSocket class.
The first two methods listed below retrieve the enabled and supported SSL cipher suites. The third method sets the enabled cipher suites:
String [] getEnabledCipherSuites()
String [] getSupportedCipherSuites()
void setEnabledCipherSuites(String [] suites)
These two methods control whether or not the server socket can establish new SSL sessions:
boolean getEnableSessionCreation()
void setEnableSessionCreation(boolean flag)
The following methods determine whether the accepted sockets will require client authentication:
boolean getNeedClientAuth()
void setNeedClientAuth(boolean flag)
The methods below change the accepted socket from client mode to se


 
