Encryption using public key and decrypt using private key

Raghu Sha
Ranch Hand

Joined: Feb 02, 2013
Posts: 122
Hi,

How can I encrypt particular fields from a user request using a public key and decrypt them using the private key?
Could you please explain how to do it in Java and how to register the certificates?
(We are not going to use implicit SSL encryption / decryption)

Thanks
Richard Tookey
Ranch Hand

Joined: Aug 27, 2012
Posts: 1035
    
  10

Raghu Sha wrote: Hi,

How can I encrypt particular fields from a user request using a public key and decrypt them using the private key?
Could you please explain how to do it in Java and how to register the certificates?
(We are not going to use implicit SSL encryption / decryption)

Thanks


Presumably you will be implementing the encryption in JavaScript in the client's browser and decrypting in a Servlet using Java. The Java side is covered in "Beginning Cryptography with Java" by David Hook but the JavaScript side is more problematic. I haven't yet found a JavaScript public key library that I can recommend but Google will find several libraries.

Why are you not going to use SSL? It would solve pretty much all your problems with you only having to configure the Web server. There are many tutorials on how to do this.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41108
    
  45
+1 on using SSL instead of rolling your own.

What kind of client is this? Browser? Desktop app? Something else?


Ping & DNS - my free Android networking tools app
Raghu Sha
Ranch Hand

Joined: Feb 02, 2013
Posts: 122
SSL solves the encryption & decryption problem. That's true, Richard.
But we need it in a custom way.

If possible, give your approach to proceed (without using JavaScript).
It is a browser-based client.
Richard Tookey
Ranch Hand

Joined: Aug 27, 2012
Posts: 1035
    
  10

Raghu Sha wrote: SSL solves the encryption & decryption problem. That's true, Richard.
But we need it in a custom way.


I would need to be convinced that your 'custom' approach did something that SSL/HTTPS did not!


If possible, give your approach to proceed (without using JavaScript).
It is a browser-based client.


Use an Applet and really add to your problems.
Winston Gutkowski
Bartender

Joined: Mar 17, 2011
Posts: 7545
    
  18

Raghu Sha wrote: SSL solves the encryption & decryption problem. That's true, Richard.
But we need it in a custom way.

I'll make Richard's point even clearer: Why?

That is: what is it about your app that makes it special? There may well be a perfectly valid reason, but some background would help.
Otherwise, I'd tend to file it under: "Stupid Management Requests, 2013".

Winston

Isn't it funny how there's always time and money enough to do it WRONG?
Articles by Winston can be found here
Raghu Sha
Ranch Hand

Joined: Feb 02, 2013
Posts: 122
Forgot to mention.
I am using web services (SOAP).
Encrypt the specific data and form the XML; the WS will send that data, and the target system is going to decrypt it.
Henry Wong
author
Sheriff

Joined: Sep 28, 2004
Posts: 18529
    
  40

Raghu Sha wrote: Forgot to mention.
I am using web services.
Encrypt the specific data and form the XML; the WS will send that data, and the target system is going to decrypt it.



Isn't this a great use case for SSL? Just configure the webservice to use https.... and you are done. Data is fully encrypted on the wire, without any need to add encryption/decryption to the payload anywhere.

Henry

Books: Java Threads, 3rd Edition, Jini in a Nutshell, and Java Gems (contributor)
Winston Gutkowski
Bartender

Joined: Mar 17, 2011
Posts: 7545
    
  18

Raghu Sha wrote: Forgot to mention.
I am using web services.
Encrypt the specific data and form the XML; the WS will send that data, and the target system is going to decrypt it.

Erm...then forgive me, why are you even considering using asymmetrical encryption, other than as required by a standard protocol?

I fear you (or your management) are over-thinking this problem. Web services have used SSL (or HTTPS) for yonks; and it works very well. Gather the data, marshal it whatever way you want, and then send it via an encrypted pipe. It really is very straightforward. You appear to be adding "layers" that simply aren't required - unless you still haven't told us the whole story.

Winston
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41108
    
  45
A better solution for SOAP WS would be to use WS-Security, which is supported by all major SOAP stacks. But since you said this is a browser client, that brings some practical difficulties, so it's probably not the solution for this case.

Assuming that no RESTful WS is available (which would be the usual approach for browser clients), I concur with the advice of using SSL. JavaScript-based encryption is a nasty kludge. Or do you specifically need message-level encryption instead of transport-level encryption?
Raghu Sha
Ranch Hand

Joined: Feb 02, 2013
Posts: 122
Thanks

Hi, I have a question.

How does the web service know how to encrypt and decrypt the messages?
If it is yes, please specify how it is handled.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41108
    
  45
The WS generally doesn't know if parts of it are encrypted, at least not if you're using WS-Security. That is done separately from the work of generating the (unencrypted) response.
Winston Gutkowski
Bartender

Joined: Mar 17, 2011
Posts: 7545
    
  18

Raghu Sha wrote: How does the web service know how to encrypt and decrypt the messages?

By the protocol. And that has nothing (or probably nothing) to do with any "Web service". It's a basic by-product of how you send whatever data you do.

I'm a bit worried that you're thinking about "web services" as some kind of cohesive protocol. It isn't. It's simply a term (probably an MS one) that covers all sorts of things that make up an interactive website.

HTTPS and SSL, on the other hand, ARE protocols; and they were specifically designed for encryption, including, if needed, PK encryption.
The protocol deals with the encryption/decryption, so you can rest assured that your application layer doesn't need to do any of that stuff, unless you've added extra layers of it yourself.

Winston
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41108
    
  45
A few of these statements are just off by enough that I feel the need to reply.

Winston Gutkowski wrote:
How does the web service know how to encrypt and decrypt the messages?

By the protocol. And that has nothing (or probably nothing) to do with any "Web service".

You need to differentiate between SOAP WS and REST WS. REST relies entirely on HTTP, and can use exactly those security mechanisms that HTTP makes available - SSL encryption and BASIC or DIGEST authentication, chiefly. But this entire discussion has been about SOAP WS, and SOAP is independent of any underlying protocol. While the vast majority of SOAP APIs certainly use HTTP, there is nothing about it (in terms of encryption or anything else) that is specific to HTTP.

I'm a bit worried that you're thinking about "web services" as some kind of cohesive protocol. It isn't. It's simply a term (probably an MS one) that covers all sorts of things that make up an interactive website.

WS (both SOAP and REST) have nothing specifically to do with Microsoft. They were a party to the various SOAP spec processes, but not a predominant one. I wouldn't associate WS chiefly with interactive web sites. While many web sites use REST APIs to load data (as do many mobile apps), I would guess that the majority of WS (and certainly the vast majority of SOAP WS), are used by non-browser clients, whether they be desktop apps, mobile apps or server-based apps.

HTTPS and SSL, on the other hand, ARE protocols; and they were specifically designed for encryption, including, if needed, PK encryption.
The protocol deals with the encryption/decryption, so you can rest assured that your application layer doesn't need to do any of that stuff, unless you've added extra layers of it yourself.

I wouldn't say that HTTP was designed for encryption - SSL/TLS was bolted on later on, but that isn't germane to this discussion. But as far as SOAP is concerned, the protocol does nothing for encryption, because that is, in fact, done by an application layer that runs on top of SOAP (called WS-Security). While it is possible to use SSL for SOAP WS that run over HTTP, that is a practice that has been obsolete for years, and suffers from various drawbacks that WS-Security was designed to overcome.
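
Added example (not part of the thread and not any poster's code): for the case where individual fields must stay encrypted at message level in addition to TLS, this Java sketch encrypts one field for the holder of a private key. It goes beyond plain public-key encryption by using the usual hybrid construction, a fresh AES-GCM key per field wrapped with RSA-OAEP, so the field length is not limited by the RSA modulus. The class, method and field names and the sample value are hypothetical, and the demo key pair is generated in place of a certificate from a keystore.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.MGF1ParameterSpec;
import java.util.Base64;

public class FieldEncryptionExample {          // hypothetical class name
    // OAEP with SHA-256 for digest and MGF1, set explicitly so both sides agree.
    static final OAEPParameterSpec OAEP = new OAEPParameterSpec(
            "SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT);
    /** Sender: returns {wrappedKey, iv, ciphertext+tag}, Base64 so each fits in an XML element. */
    static String[] encryptField(PublicKey recipient, String name, String value) throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey aes = kg.generateKey();              // fresh symmetric key per field
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);              // 96-bit GCM nonce
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        gcm.init(Cipher.ENCRYPT_MODE, aes, new GCMParameterSpec(128, iv));
        gcm.updateAAD(name.getBytes(StandardCharsets.UTF_8)); // bind ciphertext to its field name
        byte[] ct = gcm.doFinal(value.getBytes(StandardCharsets.UTF_8));
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPPadding");
        rsa.init(Cipher.WRAP_MODE, recipient, OAEP);   // only the private-key holder can unwrap
        Base64.Encoder b64 = Base64.getEncoder();
        return new String[] { b64.encodeToString(rsa.wrap(aes)), b64.encodeToString(iv), b64.encodeToString(ct) };
    }
    /** Receiver: unwraps the AES key with the private key, then decrypts and verifies the GCM tag. */
    static String decryptField(PrivateKey own, String name, String[] parts) throws GeneralSecurityException {
        Base64.Decoder b64 = Base64.getDecoder();
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPPadding");
        rsa.init(Cipher.UNWRAP_MODE, own, OAEP);
        SecretKey aes = (SecretKey) rsa.unwrap(b64.decode(parts[0]), "AES", Cipher.SECRET_KEY);
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        gcm.init(Cipher.DECRYPT_MODE, aes, new GCMParameterSpec(128, b64.decode(parts[1])));
        gcm.updateAAD(name.getBytes(StandardCharsets.UTF_8));
        return new String(gcm.doFinal(b64.decode(parts[2])), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();            // constructed demo key pair
        String[] enc = encryptField(kp.getPublic(), "accountNumber", "1234-5678-CONSTRUCTED");
        System.out.println(decryptField(kp.getPrivate(), "accountNumber", enc));
        try { decryptField(kp.getPrivate(), "otherField", enc); }  // ciphertext moved to another field
        catch (AEADBadTagException e) { System.out.println("rejected: field name mismatch"); }
    }
}
```

This gives confidentiality and tamper detection for the field only; it does not authenticate the sender or protect the rest of the message, which is what TLS or WS-Security signatures cover.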
 