简体繁体 English

保护 Java 中的 TCP 连接

[英]Secure TCP Connections in Java

原文 2011-07-01 20:47:57 2 4 java/ security/ authentication/ tcp

I was wondering what is the best way to secure a TCP connection in Java.我想知道在 Java 中保护 TCP 连接的最佳方法是什么。 I want communications to my server to only come from authenticated clients and where possible, encrypt the transmitted data.我希望与我的服务器的通信仅来自经过身份验证的客户端，并在可能的情况下加密传输的数据。

What sort of issues am I going to need to watch out for and cover, what technologies could I use?我需要注意和涵盖哪些类型的问题，我可以使用哪些技术？

Thanks,谢谢，

Tim.蒂姆。

4 个解决方案

Java offers an extension of sockets that is secure ie JSSE which supports SSLv3 and TLS. Java 提供了安全的 sockets 的扩展，即支持 SSLv3 和 TLS 的JSSE 。
It is designed so that your code is similar to handling normal sockets.它的设计使您的代码类似于处理普通 sockets。
You just initialize the SSLContext and configure it to use the certificates to use and various parameters, eg client authentication, handshake listener etc and the rest is handled transparently.您只需初始化 SSLContext 并将其配置为使用要使用的证书和各种参数，例如客户端身份验证、握手侦听器等，并且 rest 是透明处理的。
Read the tutorial to start on it.阅读教程以开始使用它。

The usual way would be SSL, as already said.如前所述，通常的方法是 SSL。 This supports (obligatory) server authentication and encryption by default, client authentication is optional (eg depending on configuration - the server can make sure the clients are authenticated).默认情况下，这支持（强制）服务器身份验证和加密，客户端身份验证是可选的（例如，取决于配置 - 服务器可以确保客户端经过身份验证）。

In Java, you can use SSLSocket (and SSLServerSocket) (or the respective factory classes), or the SSLEngine (if you want to do nonblocking IO).在 Java 中，您可以使用 SSLSocket（和 SSLServerSocket）（或各自的工厂类）或 SSLEngine（如果您想做非阻塞 IO）。 Or some higher level API which uses this under the cover.或者一些更高级别的 API 在封面下使用它。

Another option would be the SSH protocol.另一种选择是SSH协议。 This allows an encrypted and (normally) both-side authenticated connection, over which one can route multiple channels .这允许加密和（通常）双方认证的连接，可以通过该连接路由多个通道。 This is usually used for remote command execution or file transfer, but also allows port-forwarding.这通常用于远程命令执行或文件传输，但也允许端口转发。

In Java this would be implemented (on the client side) for example by JSch .在 Java 中，这将由例如JSch实现（在客户端）。 I know of no server-side Java implementation - but you can use a normal OpenSSH server and forward the ports to your Java server process.我知道没有服务器端 Java 实现 - 但您可以使用普通的 OpenSSH 服务器并将端口转发到您的 Java 服务器进程。

SSL is really well supported (it's used in HTTPS afterall). SSL 得到了很好的支持（毕竟在 HTTPS 中使用过）。 Based on Publik Key Infrastructure, it offers a variety of encryption and authentication schemes.基于公钥基础设施，它提供了多种加密和认证方案。

You need to ask yourself what you are protecting against.你需要问问自己你在保护什么。 If you want to only allow authentic clients, you need to define how you determine this.如果您只想允许真实的客户，您需要定义如何确定这一点。 If you allow completely plaintext traffic, this is insecure, as any man-in-the-middle will be able to modify the traffic.如果您允许完全明文流量，这是不安全的，因为任何中间人都可以修改流量。 At the minimum you need integrity protection on the data you are exchanging.您至少需要对正在交换的数据进行完整性保护。

I would agree with most people that SSL is probably the most straightforward approach to do this.我同意大多数人的观点，即 SSL 可能是最直接的方法。 You will need to use client certificates to allow for authenticating the client side of the connection.您将需要使用客户端证书以允许对连接的客户端进行身份验证。 You have two approaches for using client certificates:您有两种使用客户端证书的方法：

create self signed certificate for each client, then keep a database of the certificate hash->client mapping and query the database at the time of verifying the client certificate为每个客户端创建自签名证书，然后保存证书哈希->客户端映射的数据库，并在验证客户端证书时查询数据库
alternatively, create your own root CA certificate and issue each client a certificate, then you need to verify the client certificate is properly chained to your root CA cert when doing client cert verification或者，创建您自己的根 CA 证书并为每个客户端颁发证书，然后在进行客户端证书验证时，您需要验证客户端证书是否正确链接到您的根 CA 证书

The choice of which approach to take is entirely yours and equally secure.选择哪种方法完全由您自己决定，同样安全。 Pick the design that best fits your current project.选择最适合您当前项目的设计。