Securely transmitting password over TCP Socket in Java
Question
I want to write a secure method of authentication over TCP sockets in Java. I've read reasonably extensively on the subject, but I am by no means an expert. There seems to be a bit of variance in opinion on how this is best done.
I know pretty well had to generate my password hashes, but that doesn't do me a whole lot of good if an attacker can simply glean the passwords/password hashes while in transit. So I want to create a reasonably secure method of sending this data across.
The most popular method seems to be using SSL sockets. However, my code will not be used as a single server (as an online game might be) but instead will have many instances run by various consumers. I personally don't have a means to purchase an SSL certificate, and I can't really ask my consumers to do that either. Creating self-signed certificates and then installing them in a keystore for each client seems both difficult and a little insecure. If I were handling all server instances, this would be a much more viable option, since I would only need one certificate, but as it stands now
So I worked on simply securing the TCP socket while performing log ins. I can do this pretty well using a Diffie-Hellman algorithm. However, as I research this, people kept saying to use SSL instead.
How can I securely transmit passwords over Java TCP sockets in an efficient but portable manner?
2 answers
solution1
-2 2016-02-24 11:34:40
Have you considered RSA encryption? RSA encryption is the same encryption that SSL uses:
solution2
-2 2016-02-24 11:44:12
You can use the Diffie-Hellman key exchange algorithm . This is exactly for your use case, to exchange keys over a public network. See the Oracle Diffie-Hellman example .
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.