Step 12—Change cipher spec: Now, it's the server's turn to send a message to the client asking it to change to an encrypted mode of communication.
Step 13—Handshake establishment at the server side: The server tells the client that it is ready for secure data communication to begin. This indicates the completion of the SSL handshake.
Step 14—Encrypted data exchange: Henceforth, the client and the server start communicating using the symmetric encryption algorithm and the cryptographic hash function negotiated in Steps 1 and 2, as well as using the secret key that the client sent to the server in Step 8.
Step 15—Close: At the end of the communication process, each side will send a close_notify message to inform the peer that the connection is closed.
8.4.1.2 Implementation Best Practices for Secure Transmission—Web Applications
The following are some of the important implementation practices that are to be followed for Web applications:
SSL/TLS needs to be deployed for exchange of all sensitive information like usernames, passwords, credit card information, health care information, and so on.
Encrypted transmission needs to be established for the transport and exchange of keys for the Web application.
It is recommended that a strong certificate from a certification provider (also known as certificate authority [CA]) be deployed for high-risk Web applications like banking applications and e-commerce applications.
8.5 Java Secure Socket Extensions for Secure Data Transmissions
We are already aware that the secure sockets layer (SSL) and transport layer security (TLS) protocols were designed to help protect the privacy and integrity of data while it is in transit across a network. To do so in the Java environment, the Java Secure Socket Extension (JSSE) has been designed to secure Internet communications during the development of Java applications. JSSE provides a broad framework and an implementation strategy for a Java version of the SSL and TLS protocols and includes several security-related functionalities—data encryption, server authentication, message integrity, and optional client authentication. Using JSSE classes and frameworks, application developers can build in a safe and secure passage of information between any two systems. For the sake of brevity, we will be distinguishing these two systems as client and server. The client and a server running any application protocol, such as hypertext transfer protocol (HTTP), Telnet, or FTP, over TCP/IP are the participants for this data transport.
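The following is an added example, not code from the book, showing how the handshake steps above (in particular Steps 13 through 15) look from a JSSE program: a server that authenticates itself with a certificate from a PKCS12 keystore and a client that accepts only certificates in its truststore, as the best practices in Section 8.4.1.2 require. The file names server.p12 and truststore.p12, the alias server, and the password changeit are assumptions for the demo; the keytool commands in the header comment create them with a self-signed certificate for localhost, whereas a production deployment would use a CA-issued certificate instead.

```java
import javax.net.ssl.*;
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;

/*
 * Added example (not from the book). Assumed demo files, created with:
 *   keytool -genkeypair -alias server -keyalg RSA -keysize 2048 \
 *       -dname "CN=localhost" -ext SAN=dns:localhost \
 *       -keystore server.p12 -storetype PKCS12 -storepass changeit
 *   keytool -exportcert -alias server -keystore server.p12 -storepass changeit \
 *       -rfc -file server.pem
 *   keytool -importcert -alias server -file server.pem -noprompt \
 *       -keystore truststore.p12 -storetype PKCS12 -storepass changeit
 */
public class JsseEchoDemo {
    static final char[] PASS = "changeit".toCharArray();      // demo password only
    static final String[] PROTOCOLS = {"TLSv1.3", "TLSv1.2"}; // refuse older versions

    // Server side: the private key and certificate come from the keystore.
    static SSLContext serverContext() throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream("server.p12")) { ks.load(in, PASS); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, PASS);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx;
    }

    // Client side: server authentication succeeds only for certificates in the truststore.
    static SSLContext clientContext() throws Exception {
        KeyStore ts = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream("truststore.p12")) { ts.load(in, PASS); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLServerSocket server =
            (SSLServerSocket) serverContext().getServerSocketFactory().createServerSocket(0);
        server.setEnabledProtocols(PROTOCOLS);
        int port = server.getLocalPort();

        Thread serverThread = new Thread(() -> {
            try (SSLSocket s = (SSLSocket) server.accept();
                 BufferedReader in = new BufferedReader(
                     new InputStreamReader(s.getInputStream(), StandardCharsets.UTF_8));
                 Writer out = new OutputStreamWriter(s.getOutputStream(), StandardCharsets.UTF_8)) {
                // Step 14: application data is protected by the negotiated cipher suite.
                String line = in.readLine();
                out.write("echo: " + line + "\n");
                out.flush();
            } catch (IOException e) {
                e.printStackTrace();
            }
            // Leaving try-with-resources closes the socket: Step 15, close_notify goes to the peer.
        });
        serverThread.start();

        SSLSocket client = (SSLSocket) clientContext().getSocketFactory().createSocket("localhost", port);
        client.setEnabledProtocols(PROTOCOLS);
        // Besides chain validation, check that the certificate matches the host we connected to.
        SSLParameters params = client.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        client.setSSLParameters(params);
        // Step 13: fires once both sides have sent their Finished message.
        client.addHandshakeCompletedListener(ev ->
            System.out.println("Handshake complete: " + ev.getSession().getProtocol()
                               + " / " + ev.getCipherSuite()));
        client.startHandshake(); // runs the whole handshake explicitly instead of on first write

        try (Writer out = new OutputStreamWriter(client.getOutputStream(), StandardCharsets.UTF_8);
             BufferedReader in = new BufferedReader(
                 new InputStreamReader(client.getInputStream(), StandardCharsets.UTF_8))) {
            out.write("hello over TLS\n"); // Step 14 from the client side
            out.flush();
            System.out.println(in.readLine());
        } // closing the stream closes the SSLSocket: Step 15, client sends close_notify

        serverThread.join();
        server.close();
    }
}
```

Two points worth noting when mapping this to the step list: with TLSv1.2 the change cipher spec of Step 12 is a real protocol message, while TLSv1.3 sends it only as a dummy for middlebox compatibility, so the handshake-completed listener is the reliable signal that Step 13 has been reached; and closing an SSLSocket (directly or through its streams) is what makes JSSE emit the close_notify alert of Step 15, so sockets should be closed rather than abandoned.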
For secure application developers, JSSE provides both an API framework and an implementation of that API. The beauty of this JSSE API is that it supplements the “core” network and cryptographic services defined by the packages java.security and java.net by