
SSL in Information Security and configure SSL in Apache Tomcat 9

In information security, secure (protected) communication is essential to preserve the CIA triad: confidentiality, integrity and availability. When it comes to secure communication, encryption and hashing are the two main mechanisms. Hashing is a one-way transformation: the original information cannot be recovered from the hash (e.g. passwords stored in a database are kept as hashes, never in clear text). Encryption is a two-way transformation: data can be locked with a key and later restored to its original form by whoever holds the right key. Encryption is done in two ways, symmetric encryption and asymmetric encryption.



What is Symmetric Encryption?

It is the simpler method. There is only ONE key, used for both encryption and decryption. This means that if a sender wants to send information, the sender and the receiver must both know the same key, and they must agree on that key beforehand without an eavesdropper learning it.
 
What is Asymmetric Encryption?

It is a more advanced method of encryption and decryption. It manages TWO keys, a public key and a private key. If a sender wants to send a message to a receiver, the sender obtains the receiver's public key, which can be distributed freely, and encrypts the information with it. The resulting ciphertext can be decrypted only with the receiver's private key (private keys are confidential and known only to the receiver).
 
SSL – Secure Socket Layer

This is a protocol layer that establishes encrypted information sharing between a server and a client. For example, a user types a web address into a browser and the browser sends a request to the web server to fetch that resource; the browser and the web server are now communicating. In information security terms we need to encrypt that communication to prevent eavesdropping. SSL provides this by giving the web server a public key and a private key, as in asymmetric encryption: the browser encrypts its messages with the web server's public key and the server decrypts them with its own private key (not the public key, which anyone can obtain). Note that SSL itself is obsolete and has been replaced by its successor TLS; what Tomcat and browsers actually speak today is TLS, but the name "SSL" is still used in configuration and documentation.

For this secured/encrypted communication the web server needs an SSL certificate.



What is SSL certificate?

It is a small, digitally signed data file that binds the organization's identity (its domain name) to the organization's public key. The private key stays on the server and is never part of the certificate. After the certificate is received and installed on the server, the site can be served over the Secure Hypertext Transfer Protocol (HTTPS, https://). A certificate is valid only for a limited period and must be renewed before it expires.



How to get SSL certificate?

These certificates are issued by Certificate Authorities (CAs) that are trusted by web browsers, operating systems and mobile devices. Web service providers purchase their SSL certificate from a certificate provider, typically paying annually (some CAs also issue domain-validated certificates free of charge). You can view a list of SSL certificate providers at the link CA Authorities.



How to get Self Signed SSL certificate?

A self-signed certificate is an SSL certificate created by the organization itself rather than issued by a CA. Because no trusted CA vouches for it, browsers show a warning unless the certificate is explicitly trusted, so self-signed certificates are suitable for testing and internal use, not for public sites. It can be created in many ways, but here we document "How to configure SSL in Apache Tomcat" using the Java keytool, which ships with the (open source) JDK.
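The keytool procedure this paragraph refers to, as an added example that is not part of the original post: a POSIX shell script that generates a self-signed certificate into a PKCS12 keystore with the JDK's keytool and prints the matching Tomcat 9 HTTPS connector for conf/server.xml. The alias tomcat, the password changeit, the distinguished name and the SAN entries are placeholder assumptions; replace them for real use.

```shell
#!/bin/sh
# Added example, not part of the original post: create a self-signed certificate
# with the JDK's keytool and print the matching Tomcat 9 HTTPS connector.
# Assumptions: keytool is on PATH (it ships with every JDK); the alias,
# password, DN and SAN values are placeholders for the reader to replace.
set -eu

KEYSTORE_NAME="${KEYSTORE_NAME:-localhost-rsa.p12}"
KEY_ALIAS="${KEY_ALIAS:-tomcat}"
STOREPASS="${STOREPASS:-changeit}"   # placeholder only; use a real secret
OUT_DIR="${OUT_DIR:-$(mktemp -d)}"   # keystore is written here, not into $PWD

keystore_path() { printf '%s/%s\n' "$OUT_DIR" "$KEYSTORE_NAME"; }

# Generate a 2048-bit RSA key pair plus a self-signed certificate (SHA-256,
# valid 365 days) in a PKCS12 keystore. The SAN extension matters: browsers
# ignore the CN and match the host name only against Subject Alternative Names.
make_keystore() {
  keytool -genkeypair \
    -alias "$KEY_ALIAS" -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -validity 365 \
    -dname "CN=localhost, OU=IT, O=Example Org, L=City, ST=State, C=US" \
    -ext "SAN=dns:localhost,ip:127.0.0.1" \
    -storetype PKCS12 -keystore "$(keystore_path)" \
    -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Number of private-key entries in the keystore; a freshly created one has exactly 1.
count_key_entries() {
  keytool -list -storetype PKCS12 -keystore "$(keystore_path)" -storepass "$STOREPASS" \
    | grep -c 'PrivateKeyEntry' || true
}

# HTTPS connector for conf/server.xml. certificateKeystoreFile is relative to
# $CATALINA_BASE, so copy the keystore into Tomcat's conf/ directory first.
# TLSv1.3 needs Java 11 or newer; drop it from the list on Java 8.
connector_xml() {
  cat <<EOF
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig protocols="TLSv1.2,TLSv1.3">
        <Certificate certificateKeystoreFile="conf/$KEYSTORE_NAME"
                     certificateKeystoreType="PKCS12"
                     certificateKeystorePassword="$STOREPASS"
                     certificateKeyAlias="$KEY_ALIAS"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
EOF
}

main() {
  if ! command -v keytool >/dev/null 2>&1; then
    echo "keytool not found; install a JDK and re-run" >&2
    return 0
  fi
  make_keystore
  echo "keystore written to $(keystore_path) ($(count_key_entries) key entry)"
  echo "add this connector to \$CATALINA_BASE/conf/server.xml:"
  connector_xml
}
main
```

Copy the generated keystore into $CATALINA_BASE/conf/, paste the printed connector into conf/server.xml, restart Tomcat and open https://localhost:8443/. The browser will warn that the certificate is untrusted, which is the expected behaviour for a self-signed certificate. The connector deliberately lists only TLS 1.2 and 1.3; leaving protocols unset on an old JDK can still enable TLS 1.0/1.1, which is the weak setting to avoid.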




SSL – Secure Socket Layer overview

As said before, SSL provides confidential communication by using public and private keys, i.e. asymmetric encryption. Comparing the two mechanisms, asymmetric encryption solves the key distribution problem but is much slower: every public-key encryption and private-key decryption costs far more processing time than a symmetric operation. The problem with symmetric encryption is the key exchange: both parties need the same key before they can talk, and it must not be exposed on the way. So SSL makes use of both mechanisms to provide secure and efficient communication between server and client.

With SSL, the client generates a symmetric session key and sends it to the server protected by asymmetric encryption, i.e. encrypted with the server's public key (the client is the party initiating the communication). The server recovers the same symmetric key by decrypting it with its private key. After that the server and the client communicate with each other using symmetric encryption, which is fast. (In modern TLS the session key is usually derived from an ephemeral Diffie-Hellman exchange rather than sent encrypted, but the division of labour between the asymmetric handshake and the symmetric bulk encryption is the same.)
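The exchange described above, as an added example that is not part of the original post: each step of the hybrid scheme as a shell function driving the openssl command line (a 2048-bit RSA key pair stands in for the server's certificate key, RSA-OAEP wraps a random AES-256 session key, and AES-256-CBC carries the bulk data). The file names, key sizes and the sample request are assumptions made for the demo. Real TLS 1.2 with the RSA key exchange does the same wrap on the premaster secret inside the ClientKeyExchange message; TLS 1.3 replaces the wrap with an ephemeral Diffie-Hellman agreement but keeps the same asymmetric-handshake/symmetric-bulk split.

```shell
#!/bin/sh
# Added example, not part of the original post: the hybrid scheme the overview
# describes (asymmetric wrap of a session key, then symmetric bulk encryption),
# acted out with the openssl CLI, one function per protocol step.
# Assumptions: openssl 1.1 or newer on PATH; key sizes, file names and the
# sample request below are constructed for this demo.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SAMPLE_REQUEST="GET /account HTTP/1.1"   # constructed sample plaintext

# Server: long-term RSA key pair. Only server.pub ever leaves the server
# (in real TLS it travels inside the certificate).
server_keypair() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORKDIR/server.key" 2>/dev/null
  openssl pkey -in "$WORKDIR/server.key" -pubout -out "$WORKDIR/server.pub"
}

# Client: choose a fresh 256-bit session key and an IV, then encrypt the key
# with the server's PUBLIC key (RSA-OAEP). wrapped.bin and iv are what an
# eavesdropper sees; the IV is public by design, the key is not.
client_wrap_session_key() {
  openssl rand -hex 32 > "$WORKDIR/client.session"
  openssl rand -hex 16 > "$WORKDIR/iv"
  openssl pkeyutl -encrypt -pubin -inkey "$WORKDIR/server.pub" \
    -pkeyopt rsa_padding_mode:oaep \
    -in "$WORKDIR/client.session" -out "$WORKDIR/wrapped.bin"
}

# Server: recover the session key with its PRIVATE key; nobody else can.
server_unwrap_session_key() {
  openssl pkeyutl -decrypt -inkey "$WORKDIR/server.key" \
    -pkeyopt rsa_padding_mode:oaep \
    -in "$WORKDIR/wrapped.bin" -out "$WORKDIR/server.session"
}

# Both sides now share the key: bulk traffic switches to fast symmetric AES.
client_encrypt_request() {
  printf '%s' "$SAMPLE_REQUEST" | openssl enc -aes-256-cbc \
    -K "$(cat "$WORKDIR/client.session")" -iv "$(cat "$WORKDIR/iv")" \
    -out "$WORKDIR/request.bin"
}

server_decrypt_request() {
  openssl enc -d -aes-256-cbc \
    -K "$(cat "$WORKDIR/server.session")" -iv "$(cat "$WORKDIR/iv")" \
    -in "$WORKDIR/request.bin"
}

# Run the whole exchange and print the request as the server reads it.
run_handshake() {
  server_keypair
  client_wrap_session_key
  server_unwrap_session_key
  client_encrypt_request
  server_decrypt_request
}

# True when the key the server unwrapped equals the one the client chose.
session_keys_match() {
  cmp -s "$WORKDIR/client.session" "$WORKDIR/server.session"
}

if command -v openssl >/dev/null 2>&1; then
  echo "server reads: $(run_handshake)"
  session_keys_match && echo "session keys match"
else
  echo "openssl not found; nothing to demonstrate" >&2
fi
```

After running it, compare $WORKDIR/client.session with $WORKDIR/wrapped.bin: the eavesdropper's view bears no resemblance to the session key, yet the server, and only the server, ends up with the identical key file and can read the request.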

Here is a picture showing how the handshake occurs between client and server.
©IT Today
