Reputation: 9042
I was wondering what is the best way to secure a TCP connection in Java. I want communications to my server to only come from authenticated clients and where possible, encrypt the transmitted data.
What sort of issues am I going to need to watch out for and cover, what technologies could I use?
Thanks,
Tim.
Upvotes: 8
Views: 9803
Reputation: 1332
You need to ask yourself what you are protecting against. If you want to only allow authentic clients, you need to define how you determine this. If you allow completely plaintext traffic, this is insecure, as any man-in-the-middle will be able to modify the traffic. At the minimum you need integrity protection on the data you are exchanging.
I would agree with most people that SSL is probably the most straightforward approach to do this. You will need to use client certificates to allow for authenticating the client side of the connection. You have two approaches for using client certificates:
The choice of which approach to take is entirely yours and equally secure. Pick the design that best fits your current project.
Upvotes: 0
Reputation: 74750
The usual way would be SSL, as already said. This supports (obligatory) server authentication and encryption by default; client authentication is optional (e.g. depending on configuration, the server can make sure the clients are authenticated).
In Java, you can use SSLSocket (and SSLServerSocket) (or the respective factory classes), or the SSLEngine (if you want to do nonblocking IO). Or some higher level API which uses this under the cover.
Another option would be the SSH protocol. This allows an encrypted and (normally) both-side authenticated connection, over which one can route multiple channels. This is usually used for remote command execution or file transfer, but also allows port-forwarding.
In Java this would be implemented (on the client side) for example by JSch. I know of no server-side Java implementation - but you can use a normal OpenSSH server and forward the ports to your Java server process.
Upvotes: 2
Reputation: 54074
Java offers an extension of sockets that is secure, i.e. JSSE, which supports SSLv3 and TLS.
It is designed so that your code is similar to handling normal sockets.
You just initialize the SSLContext and configure it with the certificates to use and various parameters, e.g. client authentication, handshake listener, etc., and the rest is handled transparently.
Read the tutorial to start on it.
Upvotes: 3
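The SSLContext setup with mandatory client certificates that the answers describe, as an added example that is not code from any of the posts. The keystore files `server.p12` and `trusted-clients.p12`, the port 8443, and the environment variable names are assumptions, and the protocol list assumes Java 11 or later.

```java
import javax.net.ssl.*;
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.KeyStore;

// Added example: TLS server that refuses clients lacking a trusted certificate.
// Assumed names (not from the page): server.p12, trusted-clients.p12, port 8443, env vars.
public class MutualTlsServer {

    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            ks.load(in, password);
        }
        return ks;
    }

    // identity = server key + certificate; trusted = CA or client certs we accept
    static SSLContext buildContext(KeyStore identity, char[] keyPass, KeyStore trusted) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, keyPass);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trusted);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        char[] keyPass = System.getenv("SERVER_KEYSTORE_PASS").toCharArray();
        char[] trustPass = System.getenv("TRUSTSTORE_PASS").toCharArray();
        SSLContext ctx = buildContext(load("server.p12", keyPass), keyPass,
                                      load("trusted-clients.p12", trustPass));
        try (SSLServerSocket server = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(8443)) {
            server.setNeedClientAuth(true); // handshake fails without a trusted client cert
            server.setEnabledProtocols(new String[] {"TLSv1.3", "TLSv1.2"}); // excludes SSLv3
            while (true) {
                try (SSLSocket client = (SSLSocket) server.accept()) {
                    // getSession() completes the handshake; an unauthenticated peer
                    // raises SSLPeerUnverifiedException (an IOException) here
                    String who = client.getSession().getPeerPrincipal().getName();
                    Writer out = new OutputStreamWriter(client.getOutputStream(), StandardCharsets.UTF_8);
                    out.write("hello " + who + "\n");
                    out.flush();
                } catch (IOException e) {
                    System.err.println("connection rejected: " + e.getMessage());
                }
            }
        }
    }
}
```

The truststore decides who counts as an authenticated client, so it should contain only the CA (or the individual certificates) issued to your own clients, not the JVM's default `cacerts`.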
Reputation: 7661
SSL is really well supported (it's used in HTTPS after all). Based on Public Key Infrastructure, it offers a variety of encryption and authentication schemes.
Upvotes: 0