I have an applet that communicates with php through http post requests and then my php script inserts data in a mysql database. So the problem is that i guess anyone can make a http post requests and add data to my mysql database if they now the "post" names and of course i dont want that.
So i would like to have som solution where my php can be sure that the http requests are really from my applet and no one else. I would be grateful for ideas on how to solve this. The data being sent contains no secrets so it dont need to be encrypted if it can be solved with no encryption that is.
Thanks in advance.
If you can't use encryption while communicating , so the answer is simply you can't make sure.
In fact, even with encryption, it is impossible to determine whether a request was made by your applet or by something else that is perfectly mimicing its behavior. You will need to build your application such that it can deal with this.
Encryption will help secure any methodology you will put into place in order to achieve what you want, but it will do nothing on its own.
What you want is to authenticate the post message. This is usually achieved by having your client (here, applet) sign (HMAC) the POST message using a key that only the applet AND the server knows. The challenge here is that you need to securely store the key on the client side.
If I were you I would check into authenticating the users and hosting the applet in a secured area of your site, making sure your applet is re-using the HTTP session of the authenticated user when performing POST requests. Add to this basic safeguards against standard attacks (ie Cross Site Request Forgery, Replay attack, etc). This setup would make sure your requests come from your site by authorized users.
You could have the applet register by generating an RSA key pair on the client and sending the public key to the server. The server then keeps track of the public key of each registered client.
On each POST the client signs some piece of data using the private key, and includes the signature and the public key (or a hash of the public key) to identify itself. The server verifies that the public key is registered, and verifies the signature.
There would be no way to mimic this short of stealing the private key from the client, or breaking RSA encryption. Well, I guess you could record and replay somebody else's POST. There is that problem to solve.
However, you could have a fake client follow the steps of registration and send a public key, and then that fake client would be free to POST along with all valid clients. So there is that problem to solve, too.
Related
I'm working on a Java application that asks the user for a username & password, and then connects to a server to verify the entered details. If they are valid, it will then ask the server (by requesting a PHP page) for data about that user. The user can modify this information using the application GUI, and changes are sent back to the server.
The main challenge is that the server doesn't use any Java. I need to make the server only use PHP, and it must be able to handle connections from different users simultaneously.
What would be the best way to go about doing this?
EDIT: The application will be requesting multiple different scripts from the server for different types of data, and will need to send and receive quite a bit of data (Probably up to 500 pieces at a time).
Create a PHP file that accepts POST.
In your JAVA, try passing a custom header KEY:VALUE pair that's verified via your PHP file - or try to think of a more elaborate way.
Then, post along the username and password to the PHP file: POST http://server.com/java-auth.php?user=username&pass=password for pseudo example. Then, have that PHP file return a JSON-encoded string or a serialized string... or go super fancy, and encrypt it all with public/private keys.
Hope this helps :)
We're using Java 6, JBoss 7.1.1 and Spring 3.1.1.RELEASE. I'm trying to write an application that will request data from a WSDL on a corporate web site and then write that data back to a local database. Our corporate group has asked for the public key of a signed-by-authority client certificate (self-signed is fine for QA) of the machine that will be requesting the data, saying that they will use that to send SSL responses back to us and we should use our private key to send requests up to them.
I'm clueless about how to do this. Normally I would use JAX-WS to create client WSDL code and communicating with the web service, adding the server's public certificate to our trust store. But in this case, I have no idea how to tell the web service client to use the requesting machine's private key to encrypt data for the purposes of making a WSDL request.
Grateful for any example code or other reference material to pull this off. -
I have no idea how to tell the web service client to use the requesting machine's private key to encrypt data for the purposes of making a WSDL request.
That doesn't make sense. There is no such thing as encrypting with a private key. Anybody could decrypt it, the public key being, err, public. Let us hope that's not what they are asking for. It's far from clear but they are most probably asking for one of two things:
Use a client certificate when speaking SSL to them. All you have to do for this is use the keystore containing the private key and its certificate: JSSE will do the rest. OR
Digitally sign the request using your private key. There are APIs for this.
Get them to clarify which it is.
I want to make a webapp accessible to some limited users only. So I select a SSL client authentication. I am newbie so not much knowledge about it I follow this tutorial to achive it. here is some quires in my mind. I am using basic self signed SSL.
1) Can we create a single client certificate for all clients which is provide by me? so whoever has a client certificate can access a app. sounds not a good way.
2) if not (1) then is there easy way to create a client certificate and register on tomcat user.xml. I dont want to force user to create a client certificate and send me so I register on server.
3) How to redirect to some other page if SSL certificate not match.?
4) can we use a private public key of one machine to another one?
5) there is multiple apps on my server but I want to authenticate only one app with SSL. Is is possible then how?
please also suggest me any good tutorials for this. Finally My requriment is to give access to limited users up to 50. and my clients can register his system in some user friendly way.
1) Can we create a single client certificate for all clients which is provide by me?
It doesn't make sense. The client certificate is supposed to uniquely identify the client. They should have one each.
so whoever has a client certificate can access a app. sounds not a good way.
It isn't.
2) if not (1) then is there easy way to create a client certificate and register on tomcat user.xml. I dont want to force user to create a client certificate and send me so I register on server.
It's the only secure way. If you create the certificate you have the private key so it isn't private so it can't do what it's supposed to do, legally. For example you can't prove that only the client could have executed any transaction, so you lose legal non-repudiability. You shoudn't be using users.xml for this, you should be using one of the other Tomcat security Realms, for example a database.
3) How to redirect to some other page if SSL certificate not match.?
If you're using Container Managed Authentication, which you should be, that's all defined in web.xml for the application.
4) can we use a private public key of one machine to another one?
It doesn't make sense, see above. A private key is supposed to be private and under the exclusive control of one entity.
I question whether using client certificates is even the right solution here. If you just want to restrict access to the server give each client a login.
5) there is multiple apps on my server but I want to authenticate only one app with SS
I am making app, which would send value to php script. Then php script would conncect to Mysql database and return JSON array. And then the app would read it. How to ensure safety? For now I am not using any safety measures.
It depends, this is such a huge topic that a true answer would take a books worth of material.
What 'safety measures' are you asking about?
If you're talking about involving a web server, then you first need to secure your web server and build an API that is smart enough to protect against most common methods of attack. You need to make sure that other people - just by entering something in URL - cannot do the same thing your intended user can do. This means that you need to validate the user before giving them access to API.
Most common method of doing this is sharing a 'secret key' that only the server and client knows. So your user, with a phone, has a specific key and server has a key. Now user sends data to the server and also sends a validation hash (like sha1(KEY+DATA)). Server then receives data and makes sure that the hash is the same. Never send the key itself together with the request.
Another thing you need to test for are replay attacks. If someone listens in on the communication, then you have to limit the damage. This is usually done by you also sending a timestamp with the request and the server checking if the timestamp is within accepted range, so if someone sends that same request again later, it would fail due to timestamp being different. Server checks for this since timestamp is also taken into account for input data validation.
Then you have to make sure that the data returned from server is correct. So server will ALSO build a validation hash that your phone will check, making sure that someone didn't change the data while it was sent back to your phone.
As an added layer, you can also encrypt data that is sent (and received from API) with a heavy cryptography algorithm like AES/Rijndael 256bit encryption. This will encrypt data with a key that is required to open the data. If phone and server know the key and no one else does, then data can be sent securely.
Then the connection should be HTTPS/SSL, which helps protect communication from being listened in. But this does not help if someone already has access to your phone, so it is recommended to use the other mentioned methods as well.
As for your phone, it is pretty secure by itself as long as you don't have apps installed on it that might compromise that security. Also, if you think you can secure your web server less, thinking that since only phones communicate with it that it is safe, then a hacker can easily listen in on communication on their own phone and figure out the basics of your web service API and then open all the doors. So make sure your security layers go from biggest to smallest: web server is by far the biggest entity in your system.
As you can see, this is a MASSIVE topic that can take a long time to learn. But without knowing what exactly you were asking about, I cannot really help you any further.
I need to pass commands and data between a PHP CodeIgniter based server and a Java Client. I was thinking of using very simple encryption to encrypt / decrypt the messages. I have run into a lot of issues trying to do very basic crypto on the Java side.
Either I would like some help with the Java side of the Crypto, or a different idea to secure communication between the Client and Server.
The data is not sensitive and can be sent in the clear, as long as I can ensure it is coming from the correct source. I was thinking of using the basic encryption as an authentication measure that would not be circumvented by a replay attack. But I could be going about this all wrong.
Any help or comments are appreciated.
There is no method of guaranteeing that the data your server is received comes from a legitimate version of your Java app. If you're using any form of encryption, the key must be stored somewhere in your application bytecode. Also, it is not very difficult to hack the client-side application and let it send invalid data.
The correct approach is to keep in mind, on the server side, that your data might not be coming from the correct source and therefore you'll have to validate all data in order to make sure nothing illegal is being done.
If you just want to guarantee that legitimate users using your client application can be certain that they are communicating with your server, you can use HTTPS or some other method using asymmetric encryption.