JavaRanch » Java Forums » Engineering » Security
Login to a ssl enabled site using encrypted password

Kreez Kay
Greenhorn

Joined: Jul 11, 2011
Posts: 2
I have got the public key of a site from which I need to download some information. I have used (SHA1/RSA) algorithms to encrypt
the password.

Now I have written another Java program which uses an HttpSocket connection and sends the encrypted password to log in to
the site. But my login fails.

Can anyone tell me what the problem is and whether this technique is correct. My thinking is that the remote site
will use its private key to decrypt the password and automatically login.

Welcoming help.

--Kreez

James Sabre
Ranch Hand

Joined: Sep 07, 2004
Posts: 781

Your approach will only work if you are using the protocol expected by the site you want to contact. It would seem logical that the site will use its private key to decrypt the password, but the devil is in the detail - you need to contact the site maintainers to get the details of the protocol.

Since this site is 'ssl enabled' I would expect you to be using HTTPS rather than HTTP, and I would not expect the password to be encrypted using the public key. Assuming that the certificate associated with the public key is self-signed, I would expect that it should be added to the 'cacerts' key store. If it is not self-signed but, as it should be, signed by one of the major Certificate Authorities, then it should not be needed at all!

Retired horse trader.
Kreez Kay
Greenhorn

Joined: Jul 11, 2011
Posts: 2
Thanks for giving some insights.

Still would like to know what protocol details I would need to get from the site administrators. The site is using HTTPS and
the certificate is associated with Verisign.

I am using a Java program to connect to the site using an HttpsSocket connection with the password added as a parameter
in cleartext.

My idea was to add an extra layer of security by encrypting the password with the public key and sending that.

Can you give your ideas on this approach?

-Kreez
James Sabre
Ranch Hand

Joined: Sep 07, 2004
Posts: 781

Kreez Kay wrote:
Still would like to know what protocol details I would need to get from the site administrators. The site is using HTTPS and
the certificate is associated with Verisign.

You need to know how the site expects the user name and password to be presented.

Kreez Kay wrote:
I am using a Java program to connect to the site using an HttpsSocket connection with the password added as a parameter
in cleartext.

I'm not sure this makes sense. If you mean you are using HttpsURLConnection then it does make sense, but only if that is the protocol expected by the site. If not, then ask the site administrators. HTTPS does not itself mandate how the password should be presented.

Kreez Kay wrote:
My idea was to add an extra layer of security by encrypting the password with the public key and sending that.

So will the site expect the password to be encrypted with the public key, and will it have to decrypt the encrypted password before checking it against the password database?

Kreez Kay wrote:
Can you give your ideas on this approach?

I don't see any advantage unless of course the site protocol dictates it. HTTPS is secure (as long as the recently discovered 'renegotiation flaw' fix has been applied) and you are unlikely to make it more secure by adding this extra level of encryption. Any attacker who gets access to the encrypted password can then just submit it directly - he doesn't need to know the actual password.
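An added illustration of that last point (example code written for this page, not code from either poster): a constructed RSA key pair stands in for the site's key, the client encrypts the password with the public half as Kreez proposed, and a server-side check decrypts with the private half and compares a hash. The same ciphertext bytes are accepted every time they are presented, so the blob is itself a credential, and keeping it confidential in transit is exactly the job HTTPS already does.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.PublicKey;
import javax.crypto.Cipher;

public class EncryptedPasswordDemo {
    static final String RSA = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    static byte[] sha256(byte[] data) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(data);
    }

    // Client side, as proposed in the thread: encrypt the password with the site's public key.
    static byte[] clientEncrypt(PublicKey sitePublic, String password) throws Exception {
        Cipher c = Cipher.getInstance(RSA);
        c.init(Cipher.ENCRYPT_MODE, sitePublic);
        return c.doFinal(password.getBytes(StandardCharsets.UTF_8));
    }

    // Server side, as the poster imagines it: decrypt with the private key, then compare the
    // hash of the recovered password with the stored hash (constant-time comparison).
    static boolean serverAccepts(PrivateKey sitePrivate, byte[] storedHash, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance(RSA);
        c.init(Cipher.DECRYPT_MODE, sitePrivate);
        byte[] recovered = c.doFinal(blob);
        return MessageDigest.isEqual(sha256(recovered), storedHash);
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the site's key pair; a real client never holds the private half.
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair site = g.generateKeyPair();
        // Constructed credential store: the site keeps only a hash of the password.
        String password = "correct horse battery staple";
        byte[] storedHash = sha256(password.getBytes(StandardCharsets.UTF_8));

        byte[] blob = clientEncrypt(site.getPublic(), password);
        System.out.println("submission accepted: " + serverAccepts(site.getPrivate(), storedHash, blob));
        // A verbatim copy of the same bytes is accepted too: the blob is bound to nothing (no
        // session, no nonce, no timestamp), so whoever obtains it holds a credential as good as
        // the password. Protecting it in transit is what the TLS connection already provides.
        byte[] copy = blob.clone();
        System.out.println("copy of the same blob accepted: " + serverAccepts(site.getPrivate(), storedHash, copy));
    }
}
```

Both lines print `true`; what would actually add security is sending the cleartext parameter only over HttpsURLConnection against the site's CA-signed certificate, which the default cacerts store already trusts.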