
SSL in Information Security and configuring SSL in Apache Tomcat 9

In Information Security, secure (protected) communication is essential to preserve the CIA triad (confidentiality, integrity and availability). When it comes to secure communication, encryption and hashing are the most important mechanisms. Hashing is a one-way conversion: the original information cannot be recovered from the hash (for example, passwords stored in a database). Encryption is a two-way conversion: data can be locked and later restored to its original form. Encryption can be done in two ways, symmetric encryption and asymmetric encryption.



What is Symmetric Encryption?

It is the simpler encryption method. It uses only ONE key for both encryption and decryption, which means that if a sender wants to send information, both the sender and the receiver need to know the same key.
 
What is Asymmetric Encryption?

It is a more advanced method of encryption and decryption. It manages TWO keys, a public key and a private key. If a sender wants to send a message to the receiver, the sender can obtain the receiver's public key freely and encrypt the information with it; the resulting cipher text can be decrypted only with the receiver's private key (private keys are confidential and known only to the receiver).
 
SSL – Secure Socket Layer

This is a layer that establishes encrypted information sharing between the server and the client. For example, a user types a web address into a browser and the browser sends the request to the web server to locate that resource and start communicating. Here the browser and the web server are the two communicating parties. In Information Security we need to encrypt that communication to prevent eavesdropping. SSL provides this by giving the web server a public and a private key (as in asymmetric encryption). The browser encrypts its messages with the web server's public key and the server decrypts them with its own private key.

For this secured/encrypted communication, web servers need to have SSL certificates.



What is an SSL certificate?

It is a small, digitally signed data file containing the organization's cryptographic key material (the public key is carried in the certificate itself; the matching private key is kept by the server and never shared). After receiving the SSL certificate and installing it on the server, the server runs under the secure Hypertext Transfer Protocol (HTTPS, https://). A certificate is valid only for a limited period.



How to get an SSL certificate?

These certificates are issued by Certificate Authorities (CAs) trusted by web browsers, operating systems and mobile devices. Web service providers can purchase an SSL certificate by paying the certificate provider annually. You can view a list of SSL certificate providers here: CA Authorities.



How to get a self-signed SSL certificate?

A self-signed certificate is an SSL certificate that the organization creates itself. It can be created in many ways; here we document how to configure SSL in Apache Tomcat using the Java Keytool, which is open source.
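As an added example (not part of the original post), the keytool command that creates a self-signed RSA key pair in a PKCS12 keystore, together with the Tomcat 9 HTTPS connector for conf/server.xml that uses it. The alias "tomcat", the keystore name, the placeholder store password and CN=localhost are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Creates a self-signed RSA key pair
# with the Java keytool and prints the Tomcat 9 HTTPS connector that uses it.
# Assumed values: alias "tomcat", keystore "tomcat.p12", CN=localhost, and a
# placeholder store password (replace it with a real secret before deployment).
set -eu

KEYSTORE="${KEYSTORE:-tomcat.p12}"
STOREPASS="${STOREPASS:-changeit}"   # placeholder password

# Generate the key pair and a self-signed certificate valid for 365 days.
# keytool stores the private key and the certificate together in the keystore;
# the private key never leaves this file.
make_keystore() {
  keytool -genkeypair \
    -alias tomcat \
    -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -validity 365 \
    -dname "CN=localhost, OU=Dev, O=Example, L=City, ST=State, C=US" \
    -storetype PKCS12 \
    -keystore "$KEYSTORE" \
    -storepass "$STOREPASS"
}

# Number of private-key entries in the keystore (expected: 1 after make_keystore).
keystore_entries() {
  keytool -list -keystore "$KEYSTORE" -storepass "$STOREPASS" | grep -c 'PrivateKeyEntry'
}

# The HTTPS connector for conf/server.xml (Tomcat 9 SSLHostConfig syntax).
# Only TLS 1.2 and 1.3 are enabled; older SSL/TLS versions are left out.
tomcat_connector() {
  cat <<EOF
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig protocols="TLSv1.2,TLSv1.3">
        <Certificate certificateKeystoreFile="$KEYSTORE"
                     certificateKeystoreType="PKCS12"
                     certificateKeystorePassword="$STOREPASS"
                     certificateKeyAlias="tomcat"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
EOF
}
```

Because the certificate is self-signed, browsers will warn until the certificate is imported into their trust store; that is expected for a development setup.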




SSL – Secure Socket Layer overview

As said before, SSL makes communication confidential by using public and private keys, as in asymmetric encryption. Comparing the two, asymmetric encryption is more secure than symmetric encryption, but it takes more processing time (each message is encrypted with the public key and decrypted with the private key). The problem with symmetric encryption is the key exchange. So SSL makes use of both encryption mechanisms to provide secure and efficient communication between server and client.

With SSL, the client sends the symmetric key through asymmetric encryption (because the client is the party initiating communication with the server), and the server obtains the same symmetric key by decrypting that information with its private key. After that, the server and the client communicate with each other using symmetric encryption.
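The exchange described in the two paragraphs above, as an added example that is not part of the original post, carried out by hand with the openssl command-line tool: the server's RSA key pair protects the client's random session key in transit, and AES then protects the data with that shared key. The file names under a temporary directory are assumptions, and the shared secret is fed to AES as a PBKDF2 password for simplicity.

```shell
#!/bin/sh
# Added example, not from the original post: the hybrid scheme the text describes,
# done step by step with the openssl CLI. The server owns an RSA key pair; the
# client picks a random symmetric key, sends it under the server's public key,
# and both sides then use that key with AES for the bulk data. Paths are assumptions.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Server side: generate the RSA key pair and publish only the public key.
server_make_keys() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/server.key" 2>/dev/null
  openssl pkey -in "$WORK/server.key" -pubout -out "$WORK/server.pub"
}

# Client side: choose a fresh 256-bit session key and wrap it with the server's public key.
client_wrap_session_key() {
  openssl rand -hex 32 > "$WORK/client.session"
  openssl pkeyutl -encrypt -pubin -inkey "$WORK/server.pub" \
    -pkeyopt rsa_padding_mode:oaep -in "$WORK/client.session" -out "$WORK/session.enc"
}

# Server side: unwrap the session key with the private key (only the server can).
server_unwrap_session_key() {
  openssl pkeyutl -decrypt -inkey "$WORK/server.key" \
    -pkeyopt rsa_padding_mode:oaep -in "$WORK/session.enc" -out "$WORK/server.session"
}

# Both sides now hold the same secret; the bulk data goes through AES-256 (fast, symmetric).
# The secret is used as a PBKDF2 password here for simplicity.
encrypt_msg() {  # $1 = plaintext; writes $WORK/msg.enc using the client's copy of the key
  printf '%s' "$1" | openssl enc -aes-256-cbc -pbkdf2 -salt \
    -pass "file:$WORK/client.session" -out "$WORK/msg.enc"
}
decrypt_msg() {  # prints the plaintext recovered with the server's copy of the key
  openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$WORK/server.session" -in "$WORK/msg.enc"
}

# Run the whole exchange and print the message the server recovers.
demo() {
  server_make_keys
  client_wrap_session_key
  server_unwrap_session_key
  encrypt_msg "GET /index.html HTTP/1.1"
  decrypt_msg
}
```

Real TLS additionally authenticates the server's key through its certificate and protects message integrity; this walk-through covers only the confidentiality part the text describes.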

Here is a picture showing how the handshake occurs between client and server.

[Figure: SSL handshake between client and server. Image credit: IT Today]
