basic question regarding ssl and certificate

satish bodas
Ranch Hand

Joined: Jun 19, 2008
Posts: 116
Hello,
I have been searching on JavaRanch and also in the JDK documentation regarding security.

(I am new to security!)

My questions are:
1) If we use SSL, we try to make the communication secure. How is it determined that the communication is secure?

2) Is it always necessary to have certificates when we use SSL?

How is the encryption/decryption happening between client and server?

Thanks,
~satish
greg stark
Ranch Hand

Joined: Aug 10, 2006
Posts: 220
1. I don't understand what you are asking here.
2. You need certificates for authentication. Security experts will argue that without authentication you cannot know who you are talking to, so there's little point in using SSL at all. However, SSL does not require authentication and provides the DH anonymous ciphersuites for unauthenticated connections. These ciphersuites are also implemented in the JSSE, and can be identified by the string 'DH_anon' in the SunJSSE provider documentation.


Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4659
    

Originally posted by satish bodas:
1) If we use SSL we try and make the communication secure - how is it determined that the communication is secure

2) Is it always necessary to have certificates when we use SSL ?


If you use SSL, your communications are pretty secure. It's not absolutely secure. SSL is really only for HTTP; the more general term is TLS. Same idea, algorithms, etc.

Most folks simply use SSL and declare that it's suitable.

It is always necessary to have at least one certificate when using SSL. You can make it yourself; you do not need to pay big bucks to get one.

There are many discussions of the proper value of paying big bucks for SSL certs. In most cases, you are paying a lot of money for a number. Most cert vendors do little or nothing to verify identity, which is all that an SSL cert can address in the best case. So if they do little or nothing to verify identity, it's hard to argue that it's worth a lot of money.
satish bodas
Ranch Hand

Joined: Jun 19, 2008
Posts: 116
Thanks Greg and Pat for your replies.

What I meant by secure regarding SSL (corrected as TLS!) is: what is it that guarantees its "secureness"?

To postulate:
If I were a hacker, and let's say someone was posting his login credentials on a form:

1) Plain HTTP: how do I get to "sniff" this data?
Is it at all possible?
I want to know more as education rather than with any ill intent.

2) Same as 1, but with HTTPS

3) Same again + HTTPS + certificate

Regarding certificates: so all that the certificate authority does is
give out an encoding/decoding mechanism?
(I have my beginner's questions regarding certificates ... which I will ask in a separate thread)

So all that these authorities are supposed to "authenticate" is to verify that I am really who I proclaim to be, is that it?

Scenario:

================================================================
I start a B2C business and want end users to buy stuff over the internet.
To keep it safe, I decide to use HTTPS with certificates.
(This is just a simple abstraction ... sure there will be much more involved.)

Now I have two choices:
1) Buy a certificate from a certificate authority (Thawte, VeriSign etc.)
2) Create my own certificate using the JDK

Use this certificate on the web server.

Any client accessing the site is asked to either "accept/decline" the certificate.

From my personal experience (and you can call me a fool!) I hardly bother reading any of the pop-ups or ads.
If I am online and want to do a transaction, I just hit the website; if I get such a certificate popup, I simply accept and move on.

In such scenarios:

1) How does someone else fake my certificate?
2) Even if we have a valid/false certificate, for people like me who blindly accept, it doesn't matter, does it?

Last question: for some sites like Citibank on HTTPS, when I log in, I do not see this popup?

Is it because these certificates are by default accepted by the browser?

So if I purchase a certificate from Thawte/VeriSign, then my site also wouldn't show this popup?

Long post, and I agree it may not be very clear, but as thoughts came to mind I put them down.

Thanks,
~satish
================================================================
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42276
    
1) Plain HTTP: how do I get to "sniff" this data? Is it at all possible?

2) Same as 1, but with HTTPS

3) Same again + HTTPS + certificate

#1 - It's possible if you have access to the data flowing through the network, because HTTP sends everything in clear text. Getting access to the network is rather easy if a wireless network is used with weak or non-existent security.

#2 and #3 - Those are the same (HTTPS always involves a certificate). This is generally considered to be impossible for the average attacker, since all data is encrypted. It might be feasible if weak encryption is used (40 bit), but these days almost every certificate uses 128 bit, which pushes a successful attack into the realm of 3-letter organizations (like the NSA).

The CA authorities do not hand out an encoding/decoding mechanism; they hand out a certificate that authenticates you, and which includes your public key that can be used to send you encrypted data only you can decrypt. (As an aside, make sure you understand the difference between an encoding and an encryption.)

Browsers come with a lot of certificates preinstalled, which you'll find buried somewhere deep inside the options/preferences. Those include the certificates of VeriSign and Thawte, so if some site presents a certificate that was created by one of these companies, it is accepted by default.
But if some site presents a certificate signed by an unknown (and thus untrusted) authority (maybe created by you using keytool), then the user is asked to confirm whether to trust it. And if you intend to leave personal or otherwise important information on that site, I'd advise you to carefully consider whether to trust that site.

Anybody can create a certificate claiming to be "satish bodas". But only if it came from a trusted source (like the companies mentioned above) would there be reason to think that it is indeed associated with you. If you inspect Citibank's certificate, you'll see that it comes from VeriSign.


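An added example (not code from the thread or from any of its participants) of what "a lot of certificates preinstalled" looks like on the Java side, and of the issuer check that decides whether a presented certificate is accepted silently or triggers the confirm dialog. It reads the JDK's own trust store, which it assumes lives at <java.home>/lib/security/cacerts (JDK 9 and later) or <java.home>/jre/lib/security/cacerts (older layouts) with the well-known default password changeit; the VeriSign/Thawte names it searches for may or may not still be present in a given JDK release. The method findTrustedIssuer is this example's own simplification of the chain check: a real validator (JSSE's X509TrustManager, or a browser) additionally checks validity dates, basic constraints, key usage, the hostname and revocation.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public class TrustStoreCheck {

    // Assumed location of the JRE's bundled trust store (the Java counterpart of the
    // browser's preinstalled certificate list).
    static File cacertsFile() {
        String home = System.getProperty("java.home");
        File f = new File(home, "lib/security/cacerts");
        if (!f.exists()) f = new File(home, "jre/lib/security/cacerts");
        return f;
    }

    // "changeit" is the documented default password of cacerts.
    static KeyStore loadCacerts() throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(cacertsFile())) {
            ks.load(in, "changeit".toCharArray());
        }
        return ks;
    }

    // Every trusted certificate in the store; cacerts holds only trusted-certificate entries.
    static List<X509Certificate> trustedRoots(KeyStore ks) throws Exception {
        List<X509Certificate> roots = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) roots.add((X509Certificate) c);
        }
        return roots;
    }

    // Simplified issuer check (this example's own helper, not the JSSE implementation):
    // find a trusted certificate whose subject equals the presented certificate's issuer and
    // prove that the presented certificate was really signed with that trusted key.
    // Returns the vouching root, or null when nothing in the store vouches for it.
    static X509Certificate findTrustedIssuer(X509Certificate presented, List<X509Certificate> roots) {
        for (X509Certificate root : roots) {
            if (!root.getSubjectX500Principal().equals(presented.getIssuerX500Principal())) continue;
            try {
                presented.verify(root.getPublicKey());   // throws if the signature does not match
                return root;
            } catch (Exception e) {
                // same name, different key: a forgery, or an unrelated CA that reused the DN
            }
        }
        return null;
    }

    static String keyDescription(X509Certificate c) {
        if (c.getPublicKey() instanceof RSAPublicKey) {
            return "RSA " + ((RSAPublicKey) c.getPublicKey()).getModulus().bitLength() + " bits";
        }
        return c.getPublicKey().getAlgorithm();
    }

    public static void main(String[] args) throws Exception {
        List<X509Certificate> roots = trustedRoots(loadCacerts());
        System.out.println(roots.size() + " trusted roots in " + cacertsFile());
        for (X509Certificate r : roots) {
            String subject = r.getSubjectX500Principal().getName();
            String lower = subject.toLowerCase();
            if (lower.contains("verisign") || lower.contains("thawte")) {
                System.out.println("  " + subject + " [" + keyDescription(r) + ", " + r.getSigAlgName() + "]");
            }
        }

        // Roots are self-signed, so each one vouches for itself. Using one as the "presented"
        // certificate simulates a server whose certificate comes from a CA the client already
        // trusts: the check passes and no dialog would be shown.
        X509Certificate presented = roots.get(0);
        System.out.println("Issuer trusted? " + (findTrustedIssuer(presented, roots) != null));

        // The same certificate against an empty trust store: no issuer matches. This is the
        // position a keytool self-signed certificate is in on every client in the world.
        List<X509Certificate> emptyStore = new ArrayList<>();
        System.out.println("Issuer trusted with empty store? "
                + (findTrustedIssuer(presented, emptyStore) != null));
    }
}
```

Run it with a plain `java TrustStoreCheck` on a JDK. The second check is the interesting one: nothing about the certificate changed between the two calls, only the list of issuers the client is willing to believe, which is exactly the difference between a VeriSign-issued certificate and one made with keytool.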
satish bodas
Ranch Hand

Joined: Jun 19, 2008
Posts: 116
Thanks Ulf for the detailed explanation.

(As an aside, make sure you understand the difference between an encoding and an encryption.)


Spot on, that should have been encryption/decryption rather than encode/decode. Thank you.

I am still confused on a few points though.
To quote Greg in an earlier post:

However, SSL does not require authentication and provides the DH anonymous ciphersuites for unauthenticated connections. These ciphersuites are also implemented in the JSSE, and can be identified by the string 'DH_anon' in the SunJSSE provider documentation


Question A:
So my understanding is that SSL can also be used without an "authenticating" certificate?
This may be rarely used, but if so desired it can be used without a certificate?

To further quote:



#2 and #3 - Those are the same (HTTPS always involves a certificate). ...

So Ulf, I believe you are referring to the most used and predominant usage of HTTPS (with certificates)?


Question B:
Who is responsible for the encryption?
(when we use SSL with certificates)
Is the encryption an inherent part of HTTPS, or is it the certificate that specifies the encryption/decryption algorithm?

but these days almost every certificate uses 128 bit.....


From this statement of yours, I guess it's the certificate that decides the algorithm for encryption/decryption.

Question C:
So if I create a certificate using keytool, can I guarantee that it uses 128 bit?
And if so, then why should I spend a lot of money to buy a certificate from these companies?
If my certificate is as secure as theirs (agreed, their algorithms will be more complex), but as Ulf specified, if keytool gives me 128 bit then that's a tough nut to crack, right?

Question D:
Continuation of question C.
So the value addition of a certifying authority is that they are "trusted".
I recently read a downloaded KPMG PDF article about how certifying authorities are now also issuing certificates minus the authentication!
(Agreed, end-user customers may not trust a certificate posing as "satish bodas" not signed by Thawte/VeriSign etc.)

Question E: (final question, honest!)
Where can I get a good read/understanding about public/private keys?

Thank you Greg, Pat and Ulf for enhancing my knowledge.

Regards,
~satish
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42276
    
who is responsible for the encryption ?

The certificate and the key it contains determine which algorithms are used. Of course, SSL doesn't support just any algorithm, just certain predetermined ones. Read up on SSL and PKI for more details.

So if I create a certificate using keytool, can I guarantee that it uses 128 bit?

Yes, keytool allows you to specify the key size.

and if so then why should I spend a lot of money to buy a certificate from these companies.

Because they're trusted. You're not.
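An added illustration (not code from the thread or from any participant) of the two different "key sizes" that the questions above run together, and of the DH_anon suites Greg mentioned. In TLS the negotiated cipher suite, not the certificate, names the symmetric cipher and its key length (the "128 bit" of the session), while the certificate's own key length is fixed when the key pair is generated (keytool -genkeypair -keysize N). The program lists what the default SunJSSE context supports, flags the anonymous suites and removes them from a parameter set, then generates RSA key pairs of two sizes. The helper names and the suite-name parsing rules are this example's own, not part of JSSE.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class CipherSuiteInspector {

    private static final Pattern BULK = Pattern.compile("(AES|CAMELLIA|ARIA|RC4)_(\\d+)");

    // Anonymous (unauthenticated) suites carry "anon" in their standard name,
    // e.g. TLS_DH_anon_WITH_AES_128_CBC_SHA: the traffic is encrypted, but no certificate is
    // exchanged and nothing proves who is at the other end, so an active man in the middle
    // cannot be detected.
    static boolean isAnonymous(String suite) {
        return suite.contains("_anon_");
    }

    // Key-exchange/authentication half of the name: TLS_ECDHE_RSA_WITH_... -> "ECDHE_RSA".
    // TLS 1.3 names (TLS_AES_128_GCM_SHA256) no longer carry it; that handshake always uses (EC)DHE.
    static String keyExchange(String suite) {
        if (suite.endsWith("_SCSV")) return "signalling value, not a cipher";
        int with = suite.indexOf("_WITH_");
        if (with < 0) return "(EC)DHE, TLS 1.3";
        return suite.substring(suite.indexOf('_') + 1, with);
    }

    // Symmetric key length in bits, read from the suite name. This is the session's "128 bit";
    // it has nothing to do with the RSA/EC key inside the certificate. 0 = NULL cipher, -1 = unknown.
    static int bulkCipherBits(String suite) {
        if (suite.contains("_NULL_")) return 0;
        Matcher m = BULK.matcher(suite);
        if (m.find()) return Integer.parseInt(m.group(2));
        if (suite.contains("CHACHA20")) return 256;
        if (suite.contains("3DES_EDE")) return 168;
        if (suite.contains("_DES_")) return 56;
        return -1;
    }

    // Everything except the anonymous suites, ready for SSLParameters.setCipherSuites,
    // SSLSocket.setEnabledCipherSuites or SSLEngine.setEnabledCipherSuites.
    static String[] withoutAnonymous(String[] suites) {
        List<String> kept = new ArrayList<>();
        for (String s : suites) {
            if (!isAnonymous(s)) kept.add(s);
        }
        return kept.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        String[] supported = ctx.getSupportedSSLParameters().getCipherSuites();
        String[] enabled = ctx.getDefaultSSLParameters().getCipherSuites();
        System.out.println("supported: " + supported.length + ", enabled by default: " + enabled.length);

        for (String s : supported) {
            System.out.printf("%-50s %-32s %4d-bit%s%n", s, keyExchange(s), bulkCipherBits(s),
                    isAnonymous(s) ? "  ANONYMOUS" : "");
        }

        // Harden a parameter set: keep the JDK's enabled list but drop any anonymous suite, so a
        // misconfigured or hostile peer cannot steer the handshake into an unauthenticated session.
        SSLParameters params = ctx.getDefaultSSLParameters();
        params.setCipherSuites(withoutAnonymous(enabled));
        System.out.println("after filtering: " + params.getCipherSuites().length + " suites");

        // The certificate's key is sized when the pair is generated, exactly as keytool -keysize does.
        // 2048 bits is the usual minimum today; the JDK's default constraints reject RSA keys
        // shorter than 1024 bits outright.
        for (int bits : new int[] {2048, 3072}) {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
            kpg.initialize(bits);
            RSAPublicKey pub = (RSAPublicKey) kpg.generateKeyPair().getPublic();
            System.out.println("RSA key pair requested " + bits + " bits, modulus is "
                    + pub.getModulus().bitLength() + " bits");
        }
    }
}
```

Two things to take from the output: the anonymous suites appear in the supported list whether or not the JDK enables them by default, so a client that wants authentication should filter them explicitly rather than rely on the defaults; and the 128/256-bit figures come from the suite names alone, so a self-signed keytool certificate and a commercially issued one negotiate exactly the same session ciphers.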
Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4659
    

Originally posted by satish bodas:
if so then why should I spend a lot of money to buy a certificate from these companies. If my certificate is as secure as theirs (agreed, their algorithms will be more complex)

So the value addition of a certifying authority is that they are "trusted"


Not quite. The cert you buy and the cert you make yourself use the same algorithms and can have the same key length. It's actually easier to make one with longer keys.

The algorithms are not more complex.

The "value" of using a commercial CA is that people "trust" them. Not that they actually deserve to be trusted. Many commercial CAs do nothing to verify that the requesting person is real, or owns the server. At least not for their relatively inexpensive certs. Some of them, when you spend serious money, do some token validation.

I could trivially request that VeriSign issue me a cert saying that I'm "satish bodas", and I expect that I could get such a cert quickly and cheaply.

My guess is that I'm really not Satish, but you can't tell that from VeriSign.

Most of this cert stuff was invented before the Internet became commercial. There was a lot of concern that naive folks would go to "sears.com" and buy stuff, not knowing that sears.com was owned by satish bodas, and he's a crook. In practice, this has proven not to be a concern, as Sears, Walmart, Amazon, etc. use trademarks and other legal approaches to protect their names and to establish a reputation.

From a practical standpoint, you gain next to nothing spending big bucks with VeriSign, etc. But this is not about security; it's as much about marketing and warm and fuzzy feelings.
satish bodas
Ranch Hand

Joined: Jun 19, 2008
Posts: 116
Thanks Pat, Ulf and Greg for clearing up my concepts.

Thanks,
~satish
securetechie techie
Greenhorn

Joined: Nov 18, 2008
Posts: 7
This is good! There is so much to get from this post; I had a really interesting time on this thread. Getting an SSL certificate from a trusted company is quite useful, as if you don't do this, there is not any specific reason to use it for communication security. Anything that assures you of the security standards is far better if you have to get trust from your visitors. SSL certificates are the standards set by IETF for communication security. It encrypts the data with a private key and ensures the reliability of the flow of information in an encrypted form, with the private key being with the recipient. Well satish, people going with e-commerce sites and requiring the customers to submit personal details need to maintain e-commerce security to be a trusted service provider.

