How to create a custom secure socket connection between client/server?
I am developing a client/server application based on Java sockets and I would like some guide lines on how to make those secure/encrypted. So, I have been reading the last two weeks about SSL, security, public and private key encryption, symmetric and asymmetric methodologies and I would like to implement a safe connection between client/server with the approach below:
Server: Create a public key for encryption and private key for decryption
Client: Uses Server's public key to encrypt his credentials along with a timestamp of request so as the encrypted value won't be the same every time he wants to authenticate himself. Attached to this message clients also includes the shared key that both client/server should connect (symmetric encryption).
Server: Decrypts the message with his private key, check user's credentials and timestamp. If credentials are correct, then it uses the symmetric key to send a response of success.
Rest of communication continues with client's symmetric key.
The below Java code is an example of how SSL communication can be achieved with SSL sockets. clientKeyStore.jks is the Client's Java Keystore which holds the server's public key. When a socket is created, I guess, that the client uses the public key to initiate the communication. My question is where the exchange of symmetric key happens, (if it happens?). Are there any vulnerabilities that I should have in mind, or is this safe from Man-In-The-Middle-Attack?
Thank you in advance
SSLSocketServer
public class SSLSocketServer {
private SSLServerSocket serverSocket;
public SSLSocketServer(int port) throws IOException {
System.setProperty("javax.net.ssl.keyStore","serverKeyStore.jks");
System.setProperty("javax.net.ssl.keyStorePassword", "serverKeyStorePass");
SSLServerSocketFactory factory = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
serverSocket = (SSLServerSocket) factory.createServerSocket(port);
start();
}
public void start() {
while (true) {
try {
// Client is connected
SSLSocket clientSocket = (SSLSocket) serverSocket.accept();
System.out.println("User connected successfully?");
} // try
catch (IOException e) {
e.printStackTrace();
} // catch
} // while
} // run
} // class SSLSocketServer
SSLSocketClient
public class SSLSocketClient {
public SSLSocketClient(String serverHost, int serverPort) throws UnknownHostException, IOException {
System.setProperty("javax.net.ssl.trustStore","clientKeyStore.jks");
System.setProperty("javax.net.ssl.trustStorePassword", "clientKeyStorePass");
SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
SSLSocket sslsocket = (SSLSocket) sslsocketfactory.createSocket(serverHost, serverPort);
} // SocketClient()
} // class SSLSocketClient
链接地址: http://www.djcxy.com/p/21804.html
上一篇: 如何获得SSL握手中生成的对称密钥?