data transfer (string/byte + files) secure

X

xmarlawx

Hi all!

I'm writing a client-server project in java and i decided I want the
client to communicate
with the server using a secure channel and viceversa.
I learned about both symmetric and asymmetric encryption systems and
I'd like
to have accountability, non repudiation, etc and security.
I've seen examples on how to create a secure socket (ssl) and i've also
seen
how to manually create keys for asymmetric, make a simple protocol to
exchange a key and
then use a symmetric cipher which is much cheaper (cpu wise).
The public keys are assumed to be exchanged in a secure mode (ex. by
hand) and no third party
is considered.

I need to transfer strings and files, or byte arrays and files, shall i
write my own protocol
using crypto facilities offered by java or skip all that and go
straight to ssl secure socket ?
From the client, for instance, I always want to check that the key of
the server (the public key) its always the same, to avoid man in the
middle attacks.

Also, do you think that since i'm writing this application from
scratch, shall I use channels instead of threads that pick up sockets
from a pool ? I'm a little confused with advantages/disadvantages and
channels looks harder.

Thank you !
 
W

Wesley Hall

I need to transfer strings and files, or byte arrays and files, shall i
write my own protocol
using crypto facilities offered by java or skip all that and go
straight to ssl secure socket ?

Use SSL socket. It is a proven solution. Depending on your requirements
you may wish to get a certificate authority (such as Thawte) to provide
you with a authenticated certificate, this does the job of confirming
that the public key that is used by the client is actually the public
key of your organisation, not someone pretending to be you. This will
cost money though, and if your requirement is simply secure data
exchange it may not be required.
the server (the public key) its always the same, to avoid man in the
middle attacks.

It is this requirement that may require the certificate authority.
Also, do you think that since i'm writing this application from
scratch, shall I use channels instead of threads that pick up sockets
from a pool ? I'm a little confused with advantages/disadvantages and
channels looks harder.

Unless you anticipate a very high throughput application, I advise
avoiding channels like the plague. Using SSL + NIO is a pain in the rear
(speaking from experience!) and the benefits of NIO will only begin to
present themselves when you have thousands of simultaneously connected
users. I would stick to regular sockets until this becomes a realistic
expectation.
 
E

EJP

I've seen examples on how to create a secure socket (ssl) and i've also
seen
how to manually create keys for asymmetric, make a simple protocol to
exchange a key and
then use a symmetric cipher which is much cheaper (cpu wise).

Cheaper than what? SSL uses a key-exchange protocol and then a symmetric
cipher too.
I need to transfer strings and files, or byte arrays and files, shall i
write my own protocol
using crypto facilities offered by java or skip all that and go
straight to ssl secure socket ?

I agree with Wesley here. Use SSL. It's already there, it already works,
you don't have to prove its security. Roll your own and you do. And you
will make mistakes. The mistakes in SSL were ironed out years ago,
mostly ten years ago.
> Also, do you think that since i'm writing this application from
scratch, shall I use channels instead of threads that pick up sockets
from a pool ? I'm a little confused with advantages/disadvantages and
channels looks harder.

Again I agree with Wesley. NIO is already maybe 10 times as hard as
streams, and SSL/NIO is much harder again. Much much much harder. The
number of successful implementors and implementations of SSL over NIO is
*extremely* small.
 
R

Richard Maher

Hi,
I'm writing a client-server project in java and i decided I want the
client to communicate
with the server using a secure channel and viceversa.

Could IPsec possibly be another option for you? Let the System/Network
Manager lock down all communication to your server, or only communication
to the Port you're listening on, and you don't have to code for it at all.

Unknown/dynamic IP addresses? No support for IPsec?

Regards Richard Maher
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

Forum statistics

Threads
473,744
Messages
2,569,484
Members
44,903
Latest member
orderPeak8CBDGummies

Latest Threads

Top