How to create a custom secure socket connection between client/server?

2018-06-07 02:12:20

I am developing a client/server application based on Java sockets and I would like some guide lines on how to make those secure/encrypted. So, I have been reading the last two weeks about SSL, security, public and private key encryption, symmetric and asymmetric methodologies and I would like to implement a safe connection between client/server with the approach below:

Server: Create a public key for encryption and private key for decryption

Client: Uses Server's public key to encrypt his credentials along with a timestamp of request so as the encrypted value won't be the same every time he wants to authenticate himself. Attached to this message clients also includes the shared key that both client/server should connect (symmetric encryption).

Server: Decrypts the message with his private key, check user's credentials and timestamp. If credentials are correct, then it uses the symmetric key to send a response of success.

Rest of communication continues with client's symmetric key.

The below Java code is an example of how SSL communication can be achieved with SSL sockets. clientKeyStore.jks is the Client's Java Keystore which holds the server's public key. When a socket is created, I guess, that the client uses the public key to initiate the communication. My question is where the exchange of symmetric key happens, (if it happens?). Are there any vulnerabilities that I should have in mind, or is this safe from Man-In-The-Middle-Attack?

Thank you in advance

SSLSocketServer

    public class SSLSocketServer {
       private SSLServerSocket serverSocket;

       public SSLSocketServer(int port) throws IOException {
          System.setProperty("javax.net.ssl.keyStore","serverKeyStore.jks");
          System.setProperty("javax.net.ssl.keyStorePassword", "serverKeyStorePass");

          SSLServerSocketFactory factory = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
          serverSocket = (SSLServerSocket) factory.createServerSocket(port);
          start();
       }

       public void start() {
          while (true) {
             try {
                // Client is connected
                SSLSocket clientSocket = (SSLSocket) serverSocket.accept();
                System.out.println("User connected successfully?");
             } // try
             catch (IOException e) {
                e.printStackTrace();
             } // catch
          } // while
       } // run
    } // class SSLSocketServer

SSLSocketClient

    public class SSLSocketClient {
       public SSLSocketClient(String serverHost, int serverPort) throws UnknownHostException, IOException {
          System.setProperty("javax.net.ssl.trustStore","clientKeyStore.jks");
          System.setProperty("javax.net.ssl.trustStorePassword", "clientKeyStorePass");
          SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
          SSLSocket sslsocket = (SSLSocket) sslsocketfactory.createSocket(serverHost, serverPort);
       } // SocketClient()
    } // class SSLSocketClient

链接地址: http://www.djcxy.com/p/21804.html

上一篇: 如何获得SSL握手中生成的对称密钥？

下一篇: 如何在客户端/服务器之间创建定制的安全套接字连接？