Java serializable security over TCP

I have a TCP/IP chat application that sends back and forth ChatMessage objects that hold the int type and String message of a message.

My question is: How can I make it more secure?

Thank you!

There are two ways that I can think of: CipherOutputStream and SSLSocket

CipherOutputStream:

import java.net.Socket;
import javax.crypto.Cipher;
import javax.crypto.CipherOutputStream;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// example key and IV only: 16 bytes = AES-128; a fixed, hard-coded key and IV
// must be replaced by a randomly generated key and a fresh IV per connection
byte[] keyBytes = "1234123412341234".getBytes();
final byte[] ivBytes = new byte[] { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06,
     0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f }; //example

final SecretKey key = new SecretKeySpec(keyBytes, "AES");
final IvParameterSpec IV = new IvParameterSpec(ivBytes);
// CFB8 is a stream-like mode, so no padding is needed and bytes can be written as they arrive
final Cipher cipher = Cipher.getInstance("AES/CFB8/NoPadding");
cipher.init(Cipher.ENCRYPT_MODE, key, IV);

//assuming your Socket is called "socket"
CipherOutputStream cstream = new CipherOutputStream(socket.getOutputStream(), cipher);
...
//code to write ChatMessage object (wrap cstream in an ObjectOutputStream; the receiver
//wraps its socket input in a CipherInputStream initialised with the same key and IV)

OR, you can use SSL: how to do ssl socket programming
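The answer above shows only the sending side and leaves the key and IV hard-coded. The following is an added, self-contained example (not code from the answer or the asker's project) of both ends of such a connection: a random AES key shared by both sides, a fresh random IV generated per connection and sent in the clear ahead of the ciphertext, a CipherOutputStream on the sender and the matching CipherInputStream on the receiver, with the ChatMessage class standing in for the asker's. The class name CipherStreamChatDemo and the ChatMessage fields are assumptions. How the shared key gets to both ends safely is a separate problem that this example does not solve.

```java
import java.io.*;
import java.net.*;
import java.security.SecureRandom;
import javax.crypto.*;
import javax.crypto.spec.IvParameterSpec;

public class CipherStreamChatDemo {

    // Hypothetical stand-in for the asker's ChatMessage (int type + String message).
    static final class ChatMessage implements Serializable {
        private static final long serialVersionUID = 1L;
        final int type;
        final String message;
        ChatMessage(int type, String message) { this.type = type; this.message = message; }
    }

    static final String TRANSFORM = "AES/CFB8/NoPadding";
    static final int IV_LEN = 16;

    // Sender: a new random IV for every connection; the IV is not secret, only unique per key,
    // so it is written in the clear before the cipher stream starts.
    static void send(Socket socket, SecretKey key, ChatMessage msg) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);
        OutputStream raw = socket.getOutputStream();
        raw.write(iv);
        raw.flush();
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        try (ObjectOutputStream oos = new ObjectOutputStream(new CipherOutputStream(raw, c))) {
            oos.writeObject(msg);
        }
    }

    // Receiver: read the IV first, then wrap the remainder of the stream in the matching cipher.
    static ChatMessage receive(Socket socket, SecretKey key) throws Exception {
        InputStream raw = socket.getInputStream();
        byte[] iv = raw.readNBytes(IV_LEN);            // Java 11+
        if (iv.length != IV_LEN) throw new IOException("truncated IV");
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
        try (ObjectInputStream ois = new ObjectInputStream(new CipherInputStream(raw, c))) {
            // Only ChatMessage (and java.base classes it needs) may be instantiated from the wire:
            // encryption protects the bytes in transit, not the receiver from hostile objects.
            ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter(
                    "CipherStreamChatDemo$ChatMessage;java.base/*;!*"));
            return (ChatMessage) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo: one random 128-bit AES key known to both ends.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();

        try (ServerSocket server = new ServerSocket(0, 1, InetAddress.getLoopbackAddress())) {
            Thread receiver = new Thread(() -> {
                try (Socket s = server.accept()) {
                    ChatMessage m = receive(s, key);
                    System.out.println("received type=" + m.type + " message=" + m.message);
                } catch (Exception e) {
                    e.printStackTrace();
                }
            });
            receiver.start();
            try (Socket s = new Socket(server.getInetAddress(), server.getLocalPort())) {
                send(s, key, new ChatMessage(1, "hello over an encrypted stream"));
            }
            receiver.join();
        }
    }
}
```

Run it as a single class on Java 11 or later; it opens a loopback server socket on an ephemeral port, sends one message through the cipher stream, and prints it on the receiving side. CFB8 with NoPadding was kept from the answer so the receiver never has to wait for a block boundary, but note that CFB provides confidentiality only; it does not detect a modified ciphertext.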

Here's how you do it in pseudocode, assuming you need a secure system providing data Confidentiality, Integrity and User Authenticity (http://en.wikipedia.org/wiki/Information_security). These are the general requirements for a secure chat system anyway.

  1. Use Public Key Crypto to give each user a public/private key pair
  2. When a chat is started between 2 users for the first time, user A generates a Symmetric Key SK to be used to encrypt the messages between himself and user B.
  3. User A encrypts the SK with the public key of B and sends it to B
  4. B decrypts the SK and now they use SK to encrypt further messages between them.

Now you can go learn these concepts and they are fairly straightforward to implement. For algorithms, the most popular ones used are:

  1. RSA for Public Key Encryption
  2. AES for Symmetric Key Encryption

Both of these algorithms have Java implementations available; check out the Bouncy Castle crypto API package.

Note: If you are using a web application, and just need to securely transfer the messages, you can use SSL as someone suggested in the comments.
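The four steps above carried through in code, as an added example that is not part of the answer and uses only the standard JDK providers rather than Bouncy Castle (the class name HybridKeyTransportDemo and all method names are assumptions). It adds two things the pseudocode leaves implicit: A signs the wrapped session key, because encrypting SK under B's public key alone lets anyone who knows B's public key inject a session key of their own, so "User Authenticity" needs the signature; and the messages themselves use AES-GCM so that tampering is detected ("Integrity"), not just hidden.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class HybridKeyTransportDemo {

    static final String RSA_OAEP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    static final String SIG = "SHA256withRSA";
    static final int NONCE_LEN = 12, TAG_BITS = 128;

    // Step 1: every user holds an RSA key pair. Generated fresh here for the demo; in a real
    // system it is generated once and the public halves are distributed in a trustworthy way.
    static KeyPair newUserKeyPair() throws GeneralSecurityException {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        return g.generateKeyPair();
    }

    // Step 2: A generates a fresh symmetric session key SK.
    static SecretKey newSessionKey() throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        return kg.generateKey();
    }

    // Step 3: A wraps SK under B's public key (OAEP padding) and signs the wrapped blob with A's
    // private key. Returns { wrappedKey, signature }.
    static byte[][] wrapAndSign(SecretKey sk, PublicKey bPub, PrivateKey aPriv)
            throws GeneralSecurityException {
        Cipher rsa = Cipher.getInstance(RSA_OAEP);
        rsa.init(Cipher.WRAP_MODE, bPub);
        byte[] wrapped = rsa.wrap(sk);
        Signature sig = Signature.getInstance(SIG);
        sig.initSign(aPriv);
        sig.update(wrapped);
        return new byte[][] { wrapped, sig.sign() };
    }

    // Step 4: B checks that the blob was signed by A, then unwraps SK with B's private key.
    static SecretKey verifyAndUnwrap(byte[] wrapped, byte[] signature, PublicKey aPub, PrivateKey bPriv)
            throws GeneralSecurityException {
        Signature sig = Signature.getInstance(SIG);
        sig.initVerify(aPub);
        sig.update(wrapped);
        if (!sig.verify(signature)) throw new SecurityException("session key was not signed by A");
        Cipher rsa = Cipher.getInstance(RSA_OAEP);
        rsa.init(Cipher.UNWRAP_MODE, bPriv);
        return (SecretKey) rsa.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
    }

    // Messages under SK: AES-GCM, a random 12-byte nonce per message prepended to the ciphertext.
    static byte[] encryptMessage(SecretKey sk, String plaintext) throws GeneralSecurityException {
        byte[] nonce = new byte[NONCE_LEN];
        new SecureRandom().nextBytes(nonce);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, sk, new GCMParameterSpec(TAG_BITS, nonce));
        byte[] ct = aes.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] packet = new byte[NONCE_LEN + ct.length];
        System.arraycopy(nonce, 0, packet, 0, NONCE_LEN);
        System.arraycopy(ct, 0, packet, NONCE_LEN, ct.length);
        return packet;
    }

    // Throws AEADBadTagException (a GeneralSecurityException) if the packet was altered in transit.
    static String decryptMessage(SecretKey sk, byte[] packet) throws GeneralSecurityException {
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.DECRYPT_MODE, sk, new GCMParameterSpec(TAG_BITS, packet, 0, NONCE_LEN));
        byte[] pt = aes.doFinal(packet, NONCE_LEN, packet.length - NONCE_LEN);
        return new String(pt, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        KeyPair a = newUserKeyPair(), b = newUserKeyPair();          // step 1
        SecretKey sk = newSessionKey();                               // step 2 (at A)
        byte[][] transport = wrapAndSign(sk, b.getPublic(), a.getPrivate());        // step 3
        SecretKey skAtB = verifyAndUnwrap(transport[0], transport[1],
                                          a.getPublic(), b.getPrivate());            // step 4
        byte[] packet = encryptMessage(sk, "hi B, only you can read this");
        System.out.println(decryptMessage(skAtB, packet));
    }
}
```

The two byte arrays returned by wrapAndSign are what A would actually put on the TCP socket in step 3; everything after that is ordinary AES traffic. For a deployed system the public keys in step 1 still need to be bound to real identities (certificates or an out-of-band fingerprint check), which is exactly the part SSL/TLS packages up for you.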
