Note that the authentication performed in this scheme is per request. Each time the client
sends an HTTP request to the server, it is an entirely separate conversation. Therefore, each
time the client needs to authenticate itself to the server to perform some work, it must go
through the whole process again—creating a timestamp and random number, calculating a
message digest, and sending the whole mess up to the server. In this system, then, you would
probably add parameters to the HTTP request that specify an action or command that should
be performed on behalf of the authenticated user.
Securing Network Data
Let's look at something a little more complicated. Suppose you wish to conceal the data you are
sending over the network. The protected password example showed one way for a client to
authenticate itself to the server, but we've still got the problem of eavesdroppers picking up
credit card numbers or other sensitive information off the network.
This example consists of a matched MIDlet and servlet. The MIDlet, StealthMIDlet, has a
simple user interface that allows you to enter a message. This message is encrypted using an
RC4 stream cipher and sent to the servlet. On the server side, StealthServlet receives the
encrypted message, decrypts it, and sends back its own encrypted message. Both messages
pass over the insecure Internet as ciphertext, which is difficult for attackers to read without the
proper keys.
RC4 is a symmetric encryption algorithm, which means that the same key is used to encrypt
and decrypt data. StealthMIDlet and StealthServlet use two keys, one for each direction of
data travel. One key is used to encrypt data in the MIDlet and decrypt it in the servlet; the other
key encrypts data in the servlet and decrypts it in the MIDlet.
The servlet services multiple client MIDlets, each with their own encrypting and decrypting
keys. Therefore, the servlet must keep track of two keys per client without getting them mixed
up. It uses an HTTP session object to do this. Every time a client request is received, the servlet
finds the corresponding ciphers in the session object. If the ciphers don't exist, they are created
and initialized using client-specific keys.
This system provides both data confidentiality and authentication. The client and server
are authenticated to each other because they must possess the correct keys to exchange data.
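The two-direction scheme described above, as an added example that is not the book's code: a Python model of the StealthMIDlet/StealthServlet exchange with RC4 implemented inline, where a dictionary stands in for the servlet's HTTP session object. The client ids, session ids and key values are constructed for illustration.

```python
class RC4:
    """Stateful RC4 keystream; one instance per direction, per client.
    RC4 is used only because it is the cipher in the book's example;
    it is broken and must not be chosen for new designs."""
    def __init__(self, key: bytes):
        s, j = list(range(256)), 0
        for i in range(256):  # key-scheduling algorithm
            j = (j + s[i] + key[i % len(key)]) & 0xFF
            s[i], s[j] = s[j], s[i]
        self.s, self.i, self.j = s, 0, 0

    def process(self, data: bytes) -> bytes:
        # Encrypt and decrypt are the same XOR. The state advances on
        # every byte, so the peer must process the same bytes in order.
        s, out = self.s, bytearray()
        for b in data:
            self.i = (self.i + 1) & 0xFF
            self.j = (self.j + s[self.i]) & 0xFF
            s[self.i], s[self.j] = s[self.j], s[self.i]
            out.append(b ^ s[(s[self.i] + s[self.j]) & 0xFF])
        return bytes(out)

# Constructed per-client keys: (MIDlet->servlet key, servlet->MIDlet key).
CLIENT_KEYS = {
    "midlet-A": (b"A-to-server-key", b"server-to-A-key"),
    "midlet-B": (b"B-to-server-key", b"server-to-B-key"),
}
sessions = {}  # session id -> (c2s, s2c) ciphers; stands in for HttpSession

def servlet_handle(session_id: str, client_id: str, ciphertext: bytes) -> bytes:
    """Servlet side: find this session's ciphers (creating them on first use)."""
    if session_id not in sessions:
        c2s_key, s2c_key = CLIENT_KEYS[client_id]
        sessions[session_id] = (RC4(c2s_key), RC4(s2c_key))
    c2s, s2c = sessions[session_id]
    reply = "Server received: " + c2s.process(ciphertext).decode()
    return s2c.process(reply.encode())  # reply goes back as ciphertext

class StealthClient:
    """MIDlet side: keeps its own cipher pair for the life of the session."""
    def __init__(self, client_id: str, session_id: str):
        self.client_id, self.session_id = client_id, session_id
        c2s_key, s2c_key = CLIENT_KEYS[client_id]
        self.c2s, self.s2c = RC4(c2s_key), RC4(s2c_key)

    def send(self, message: str) -> str:
        enc = self.c2s.process(message.encode())
        enc_reply = servlet_handle(self.session_id, self.client_id, enc)
        return self.s2c.process(enc_reply).decode()
```

Two calls to `send` on the same client only work because both sides hold their ciphers for the whole session; a fresh cipher on either side would desynchronize the keystream and turn the next message into garbage.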
Figure 18-4 shows the main user interface of StealthMIDlet. It allows you to enter a message
you want to encrypt and send to the server. When you're ready, hit the Send command to kick
things off.
The servlet decrypts your message and sends back an encrypted response, which is
displayed by the MIDlet as shown in Figure 18-5.