Needs to use cryptography in website

apurv suthar
Ranch Hand

Joined: Feb 05, 2012
Posts: 35
In a web application, if I want to encrypt/decrypt data going to the server and coming back from the server, where should I start?
I have searched on the web and found books like "Beginning Cryptography with Java" by David Hook and "Java Security" (O'Reilly). Should I prefer these books or not?

Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4646
    

Can you be more specific? For most designers, it is sufficient to use HTTPS/TLS between the client's browser and the web server. That handles all the cryptography that most folks ever need.
apurv suthar
Ranch Hand

Joined: Feb 05, 2012
Posts: 35
OK. Like an e-procurement system, where all information provided to the company is encrypted first and that data is signed with a certificate which the bidder chooses.
Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4646
    

I still can't tell what you are asking about. I guess that English is not your native language. I can't follow what you are saying.

Nearly all ecommerce sites simply use HTTPS/TLS.

You seem to be talking about having the user/client software 'sign' some document. That is rarely needed in practice. Having clients try to deal with certificates is nearly always a disaster.
apurv suthar
Ranch Hand

Joined: Feb 05, 2012
Posts: 35
See the images I have attached. They will express more than I can.



[Thumbnail for 1.png]


[Thumbnail for 2.png]


[Thumbnail for 3.png]

Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4646
    

I just don't understand what you are trying to encrypt and decrypt, and I don't see why you want to do it on the client.

What are your business requirements, without using the words encrypt or decrypt?

What is the basic architecture of your application? Are you planning to write a web-app, using Servlets and JSP and HTML?

Again, what are you trying to do with certificates? In practice, having a user deal with certificates is a disaster.
apurv suthar
Ranch Hand

Joined: Feb 05, 2012
Posts: 35
If I am making an application like e-procurement, then data authentication and integrity should be maintained, so I want to use cryptography.

In an e-procurement system there is a section of bid preparation where the user prepares bid documents and fills in forms. After completing that, he generates the hash for the documents so that the documents he attached during bid preparation can't be altered until the bid submission process. And he encrypts the form data and submits it during bid submission.

On the admin side, after the time for bid preparation has elapsed, the admin generates a super hash (which is similar to signing envelopes to ensure that the bid is closed and no changes are acceptable).

At last, in the bid submission process, the bidder finally submits all documents and forms he prepared during bid preparation time. (He can only read data filled in forms during this stage and submits documents by comparing their hash values with the documents they attached during bid preparation.)

(I have no prior experience in cryptography.)
apurv suthar
Ranch Hand

Joined: Feb 05, 2012
Posts: 35
I am using struts in my web application.
apurv suthar
Ranch Hand

Joined: Feb 05, 2012
Posts: 35
And I referred to one website which implements the same functionality that I need, in which a certificate was needed for signing the data before submitting it. So I asked about certificates.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41124
    
I'm confused - you variously talk of the documents needing to be signed, and of a hash needing to be computed of the documents - which one is it?


Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4646
    

apurv suthar wrote: If I am making an application like e-procurement, then data authentication and integrity should be maintained, so I want to use cryptography. (I have no prior experience in cryptography.)


I think you simply want to use a server that supports the HTTPS protocol. So far, you have not said anything that would drive me to choose to use more complex cryptography. HTTPS does everything you should need.

But you really have to start with the business requirements. You must talk about where code runs, which computers are trusted, etc. You do this before you start cryptography.

There are many good libraries that implement the cryptographic functions, but they do not do the application's business requirements analysis.

I strongly recommend that you forget everything you have read about crypto-certificates until you can describe the business needs.
apurv suthar
Ranch Hand

Joined: Feb 05, 2012
Posts: 35
Sorry if I am embarrassing you.

OK, can you prefer some material if I want to implement the HTTPS protocol and generate a hash of the document being uploaded?
Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4646
    

apurv suthar wrote: Sorry if I am embarrassing you. OK, can you prefer some material if I want to implement the HTTPS protocol and generate a hash of the document being uploaded?


You are not embarrassing me, you are simply confusing me.

One relies upon the web server to handle HTTPS. So you need to find the documentation for whatever web server you will be using. Many people use Apache; it has very strong support for HTTPS and is well documented.

Again, what is the business requirement for the hash prior to uploading? I see no value in that. We use underlying protocols that ensure that the data/file is transferred properly and without change.
apurv suthar
Ranch Hand

Joined: Feb 05, 2012
Posts: 35
There is a section called "Briefcase" which keeps all documents of the bidders. A bidder can attach any of them to any tender notice. But once he has attached one to the "bid envelope" during "bid preparation", it can't be altered until the "bid submission" stage. So I want to generate a hash for those documents during the "preparation" stage, so that it can be ensured during the "submission" stage that the document is the same.

And also, before submitting to the server, each document is submitted with its hash so that on the server side it can be ensured that documents are not altered during transmission.
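
The workflow described in the posts above (record a hash at bid preparation, a "super hash" at closing, compare at submission), as an added example that is not code from the thread or from any e-procurement product. It assumes the server keeps the digests; the class name `BidEnvelope`, its methods and the way the super hash is built are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.TreeMap;

// Hypothetical server-side record of one bidder's envelope: name -> SHA-256 digest.
public class BidEnvelope {
    private final Map<String, byte[]> sealed = new TreeMap<>();

    private static MessageDigest newDigest() {
        try {
            return MessageDigest.getInstance("SHA-256");
        } catch (java.security.NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // every Java platform must provide SHA-256
        }
    }

    // Bid preparation: store the digest of the bytes the server received.
    public void attach(String name, byte[] content) {
        sealed.put(name, newDigest().digest(content));
    }

    // Bid closing: assumed "super hash" over every (name, digest) pair in sorted order.
    public byte[] superHash() {
        MessageDigest md = newDigest();
        for (Map.Entry<String, byte[]> e : sealed.entrySet()) {
            md.update(e.getKey().getBytes(StandardCharsets.UTF_8));
            md.update((byte) 0); // separator between name and digest
            md.update(e.getValue());
        }
        return md.digest();
    }

    // Bid submission: accept a document only if it matches the sealed digest.
    public boolean verify(String name, byte[] content) {
        byte[] expected = sealed.get(name);
        return expected != null && MessageDigest.isEqual(expected, newDigest().digest(content));
    }
    public static void main(String[] args) {
        BidEnvelope env = new BidEnvelope();
        byte[] doc = "price: 1000".getBytes(StandardCharsets.UTF_8); // constructed sample
        env.attach("quote.txt", doc);
        byte[] closed = env.superHash();
        System.out.println("unchanged: " + env.verify("quote.txt", doc));
        doc[7] = '9'; // simulate an edit made after preparation
        System.out.println("edited: " + env.verify("quote.txt", doc));
        env.attach("late.txt", doc); // envelope changed after closing
        System.out.println("still closed: " + MessageDigest.isEqual(closed, env.superHash()));
    }
}
```

The stored digests cover changes between the preparation and submission stages; the comparison uses `MessageDigest.isEqual` rather than `Arrays.equals` so it does not exit early on the first differing byte.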
Jayesh A Lalwani
Bartender

Joined: Jan 17, 2008
Posts: 2273
    

Do these documents need to be submitted to a server different than your web server? I think you might be confusing us by overusing the word "server".

Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4646
    

apurv suthar wrote: on the server side it can be ensured that documents are not altered during transmission.


When you use HTTPS, there is no need to worry about alteration during transmission. HTTPS solves all of those problems.

Again, what are your business requirements?
apurv suthar
Ranch Hand

Joined: Feb 05, 2012
Posts: 35
It seems like I actually don't know what I want to do, or I can't explain it properly.
Thanks for replying.


Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4646
    

apurv suthar wrote: It seems like I actually don't know what I want to do, or I can't explain it properly.


Good luck, you will need to know exactly what you need, either to get help or to implement it yourself.
 