Java: TCP Encryption, SSL and Netty

Question

Ok so I have a peer to peer (client/server on one host) setup (over a local LAN), this is using Netty, a Java networking framework. I use raw TCP/IP (as in, no HTTP) for communication and transfers.

Currently all data is transferred in "plain-text" and i'm starting the process of securing such transmitted data.

I've had a good read of types of encryption/practices etc (but probably only touched the surface and its melting my brain already)

Netty includes a SSL implemntation, heres some links to hopefully better explain myself:

http://docs.jboss.org/netty/3.2/xref/org/jboss/netty/example/securechat/package-summary.html

Inside "SecureChatTrustManagerFactory" there are 2 methods:

          public void checkClientTrusted(
                  X509Certificate[] chain, String authType) throws CertificateException {
              // Always trust - it is an example.
              // You should do something in the real world.
              // You will reach here only if you enabled client certificate auth,
              // as described in SecureChatSslContextFactory.
              System.err.println(
                      "UNKNOWN CLIENT CERTIFICATE: " + chain[0].getSubjectDN());
          }

          public void checkServerTrusted(
                 X509Certificate[] chain, String authType) throws CertificateException {
             // Always trust - it is an example.
              // You should do something in the real world.
              System.err.println(
                      "UNKNOWN SERVER CERTIFICATE: " + chain[0].getSubjectDN());
          }

"SecureChatKeyStore" contains a hard coded certificate from what I can see.

So my questions are:

• Do I need to generate a certificate?
• if so, each time the application is run?
• if so, per client?
• if so, is this certification passed between client and server?
• if so, how is it done securely?

I'm not entirely sure where to start. From what I can see the Netty implementation is saying "Here's the basis of creating secure connections, but we have left out the part that actually makes them secure/authenticated".

Any other pointers/tips I should know about?

Thank you in advance.

Answer 1

As others have pointed out, there is a difference between application security and transport link security. I think you are aiming for the last one as you mainly mention encryption. Encryption offers confidentiallity from eavesdroppers. Furhermore, as SSL also incorporates message authentication code, it will also offer protection of a third party altering packets during transit. It does not provide any protection of messages once received.

As you may have noticed on the internet for HTTPS connections, you will need at least a server certificate. This certificate can remain static, although it should contain an expiry date at which time you should replace the certificate. The server certificate should be trusted by the client (eg by embedding it as a resource). You can also use SSL with client authentication, but that means you need to have ample security measures to keep the private key on the client safe.

It's probably best to start off with a "self-signed" server certificate only. Thats the one you need to trust in the checkServerTrusted method. Basically, the chain is simply that one certificate.