JavaRanch » Java Forums » Engineering » Security
Encryption at Application Layer

Edmund Yong
Ranch Hand

Joined: Nov 16, 2003
Posts: 164
We have a web based application which has been implemented for a client (a bank). HTTPS is used for the application. Recently the client has a request to implement end-to-end encryption at the application layer. This means that whatever fields are passed between the application and browser must be encrypted first. My questions are:

1. Since HTTPS is already being used, is it really necessary to provide another encryption? Isn't data already being encrypted at a lower layer?

2. How to provide the application layer encryption? Do we need something like an applet to run on the client browser?

Thanks.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41108
    
  45
What exactly does the client mean by "application layer"? In the ISO/OSI network model that term refers to the layer where HTTP (and thus HTTPS) lives. So in that sense, application layer encryption is provided.

But the encryption provided by HTTPS ends when the data stream arrives at the web server - as soon as it enters your application code, it's no longer encrypted. For a banking application I could imagine that some data should be encrypted even when inside the application code. So you may want to add code that encrypts data as soon as possible - maybe in a servlet filter that's run before any other processing happens.


Ping & DNS - my free Android networking tools app
Edmund Yong
Ranch Hand

Joined: Nov 16, 2003
Posts: 164
Hi Ulf,

Thanks for the reply. I am not sure what the client means by "application layer". I will find out when I meet them tomorrow.
Edmund Yong
Ranch Hand

Joined: Nov 16, 2003
Posts: 164
Hi Ulf,

I now know what the client means. Actually HTTPS is used between web browser and the web server. However, the data flowing between web server and application is not encrypted. So there is a need to ensure that data is encrypted end-to-end, from web browser to application server.

One proposal is to use a Java applet running on the web browser. When there is data to submit back to the application server, JavaScript will be used to pass the clear data to the applet. The applet will encrypt the data and pass the encrypted data back to the JavaScript. After that, the encrypted data will be passed all the way to the application server. This is on top of the HTTPS, which does another encryption. Similarly, when the application server wants to send data to the web browser, it will encrypt the data, then send it. The applet on the browser will do the decryption.

My question now is: isn't there an existing solution which provides encryption between the web server and application server (running using WebLogic)?

Thanks.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41108
    
  45
I'd advise against this solution. Applets are frequently not a great experience for the user, and JavaScript <--> Applet communication isn't very dependable in my experience. Unless you have control over the client browser (say, in a corporate environment) this is asking for trouble.

But the client part is actually unnecessary - with SSL, the data is encrypted right from within the browser. If it's the web server -> app server part that worries you, then you can use a servlet filter with an HttpServletRequestWrapper to re-encrypt the request data as soon as the servlet container gets it from the web server. (This assumes that web server and servlet container are running on the same machine. If that's not the case then obviously this won't help.)
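A sketch of the filter Ulf describes, added here as an example (not code from the thread or from any product): it wraps the incoming request so that named form fields are AES-GCM encrypted before any servlet or application code reads them. The field names, the init-parameter name and the key handling are assumptions; as Ulf says, this only helps when the filter runs where the TLS connection terminates.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.*;
import javax.crypto.*;
import javax.crypto.spec.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class EncryptSensitiveParamsFilter implements Filter {
    // Placeholder field names: list the sensitive fields of your own forms here.
    private static final Set<String> SENSITIVE = new HashSet<>(Arrays.asList("accountNumber", "pin"));
    private final SecureRandom rng = new SecureRandom();
    private SecretKey key;

    @Override public void init(FilterConfig cfg) {
        // Demo: base64 AES-256 key from a web.xml init-param (placeholder name). In deployment load
        // it from a keystore or HSM and share it with the tier that must decrypt, or nobody can.
        key = new SecretKeySpec(Base64.getDecoder().decode(cfg.getInitParameter("aesKeyBase64")), "AES");
    }

    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            // Wrap the request so everything downstream sees ciphertext for sensitive fields.
            // getParameterValues() and getParameterMap() need the same treatment in real code.
            req = new HttpServletRequestWrapper((HttpServletRequest) req) {
                @Override public String getParameter(String name) {
                    String v = super.getParameter(name);
                    return (v != null && SENSITIVE.contains(name)) ? seal(v) : v;
                }
            };
        }
        chain.doFilter(req, res);
    }

    // AES-256-GCM with a fresh random 96-bit nonce; returns base64(nonce || ciphertext || tag).
    String seal(String plaintext) {
        try {
            byte[] nonce = new byte[12];
            rng.nextBytes(nonce);
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
            byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
            byte[] out = new byte[nonce.length + ct.length];
            System.arraycopy(nonce, 0, out, 0, nonce.length);
            System.arraycopy(ct, 0, out, nonce.length, ct.length);
            return Base64.getEncoder().encodeToString(out);
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }
    @Override public void destroy() {}
}
```

Register it in web.xml ahead of every other filter so no earlier code sees the plaintext; the decrypting side must parse the same nonce || ciphertext layout and verify the GCM tag before using the value.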
Edmund Yong
Ranch Hand

Joined: Nov 16, 2003
Posts: 164
Hi Ulf,

The web server and application server are different machines. I doubt that the web server part can do encryption/decryption for data to/from application server.

I found a solution at the following web site, which uses an applet for the encryption/decryption at the web browser.

http://polyarista.tripod.com/

Just click on the "End to End Encryption" at the top of the page for explanation.
Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4646
    
    5

Edmund Yong wrote:The web server and application server are different machines. I doubt that the web server part can do encryption/decryption for data to/from application server.

I believe you are asking the wrong question, or your customer is. You use encryption to protect messages in transit over a hostile medium between trusted hosts. One can think of storing encrypted data as being in transit from yourself to yourself over time.

The point is that you must have trusted hosts at both ends. Then you can look at the exposure in transit. Almost all setups have a web server that is a foot or so from the application server. If Mallet (the bad guy) can get access to that foot of Ethernet cable, you have other problems.

Most modern web servers can talk encrypted links to an application server, and most good RDBMS packages can talk over encrypted links between the application server and the DBMS server.

But first, you have to talk about what your real trust model and threat models are.
Edmund Yong
Ranch Hand

Joined: Nov 16, 2003
Posts: 164
Hi Pat,

You mentioned that most modern web servers can talk over encrypted links to an application server. How is the encrypted link implemented? Is it transparent to the web server software (e.g. Sun Java System Web Server) and application server software (e.g. WebLogic Application Server)?
Carey Evans
Ranch Hand

Joined: May 27, 2008
Posts: 225

It’s not unusual for the communications between the web server and the application server to be encrypted; see http://e-docs.bea.com/wls/docs103/plugins/apache.html#wp123199 for example. Alternatively, you can use NAT or port forwarding to connect HTTPS from the web browser directly to the application server.
Edmund Yong
Ranch Hand

Joined: Nov 16, 2003
Posts: 164
Hi Carey,

Thanks for the information.
Edmund Yong
Ranch Hand

Joined: Nov 16, 2003
Posts: 164
I have come across a couple of web sites that use applets for their login page. Basically, the applet is used for encrypting the user ID and password entered. However, the URLs are all starting with HTTPS.

Is the applet used because the connection from web server to application server is just HTTP?

If the login information must be encrypted by an applet, then I suppose that after logging in, other sensitive information must also be encrypted by an applet for other transactions.
Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4646
    
    5

Edmund Yong wrote:Is the applet used because the connection from web server to application server is just HTTP?

I can't see any reason to use an applet this century. We tried a bunch last century. As others have said upthread, JavaScript to applet is just not robust enough for professional application deployment.