Securing the transport layer
If you were to create a mission-critical application with just the bare concepts we have learned until now, you are not guaranteed to be shielded from all security threats. For example, if you need to design a payment gateway, where the credit card information is transmitted by means of an EJB or servlet, using just the authorization and authentication stack is really not enough, as the sensitive information is still sent across a network and it could be disclosed by a hacker.
In order to prevent disclosure of critical information to unauthorized individuals or systems, you have to use a protocol that provides encryption of the information. Encryption is the conversion of data into a form that cannot be understood by unauthorized people. Conversely, decryption is the process of converting encrypted data back into its original form so that it can be understood.
The protocols used to secure the communication are SSL and TLS, the latter being considered a replacement for the older SSL.
Tip
The differences between the two protocols are minor and very technical. In short, TLS uses stronger encryption algorithms and has the ability to work on different ports. For the rest of this chapter, we will refer to SSL for both protocols. Check Wikipedia for more information on it: http://en.wikipedia.org/wiki/Transport_Layer_Security
There are two basic techniques for encrypting information: symmetric encryption (also called secret-key encryption) and asymmetric encryption (also called public-key encryption).
Symmetric encryption is the oldest and best-known technique. It is based on a secret key, which is applied to the text of a message to change the content in a particular way. As long as both sender and recipient know the secret key, they can encrypt and decrypt all messages that use this key. These encryption algorithms typically work fast and are well suited for encrypting blocks of messages at once.