Login to a ssl enabled site using encrypted password

Greenhorn
Posts: 2
I have got the public key of a site from which I need to download some information. I have used (SHA1/RSA) algorithms to encrypt the password.

Now I have written another Java program which uses an HttpSocket connection and sends the encrypted password to log in to the site. But my login fails.

Can anyone tell me what the problem is and whether this technique is correct? My thinking is that the remote site will use its private key to decrypt the password and automatically log in.

Welcoming help.

--Kreez

James Sabre
Ranch Hand
Posts: 781
Netbeans IDE Ubuntu Java
Your approach will only work if you are using the protocol expected by the site you want to contact. It would seem logical that the site will use its private key to decrypt the password, but the devil is in the detail - you need to contact the site maintainers to get the details of the protocol.

Since this site is 'SSL enabled' I would expect you to be using HTTPS rather than HTTP, and I would not expect the password to be encrypted using the public key. Assuming that the certificate associated with the public key is self-signed, I would expect that it should be added to the 'cacerts' key store. If it is not self-signed but, as it should be, signed by one of the major Certificate Authorities, then it should not be needed at all!
Kreez Kay
Greenhorn
Posts: 2
Thanks for giving some insights.

I would still like to know what protocol details I would need to get from the site administrators. The site is using HTTPS and the certificate is associated with Verisign.

I am using a Java program to connect to the site using an HttpsSocket connection with the password added as a parameter in cleartext.

My idea was to add an extra layer of security by encrypting the password with the public key and sending that.

Can you give your ideas on this approach?

--Kreez
James Sabre
Ranch Hand
Posts: 781
Netbeans IDE Ubuntu Java
Kreez Kay wrote:
I would still like to know what protocol details I would need to get from the site administrators. The site is using HTTPS and the certificate is associated with Verisign.

You need to know how the site expects the user name and password to be presented.

Kreez Kay wrote:
I am using a Java program to connect to the site using an HttpsSocket connection with the password added as a parameter in cleartext.

I'm not sure this makes sense. If you mean you are using HttpsURLConnection then it does make sense, but only if that is the protocol expected by the site. If not, then ask the site administrators. HTTPS does not itself mandate how the password should be presented.

Kreez Kay wrote:
My idea was to add an extra layer of security by encrypting the password with the public key and sending that.

So will the site expect the password to be encrypted with the public key, and does it then have to decrypt the encrypted password before checking it against the password database?

Kreez Kay wrote:
Can you give your ideas on this approach?

I don't see any advantage unless, of course, the site protocol dictates it. HTTPS is secure (as long as the recently discovered 'renegotiation flaw' fix has been applied) and you are unlikely to make it more secure by adding this extra level of encryption. Any attacker who gets access to the encrypted password can then just submit it directly - he doesn't need to know the actual password.
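An added example, not code from anyone in this thread, of the plain HTTPS form login James describes: the password goes in the POST body and TLS protects it in transit, with the JVM's default trust store validating a CA-signed certificate. The login URL and the form field names are assumptions; the real ones come from the site's administrators.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.HttpsURLConnection;

public class HttpsFormLogin {

    // Hypothetical endpoint and field names; replace with what the site
    // actually expects (its administrators define the protocol).
    private static final String LOGIN_URL = "https://example.com/login";

    public static int login(String user, String password) throws IOException {
        // The password is an ordinary form field. TLS already encrypts the
        // whole request on the wire, so there is no separate RSA step; an
        // RSA-encrypted blob would just be a second replayable credential.
        String body = "username=" + URLEncoder.encode(user, "UTF-8")
                    + "&password=" + URLEncoder.encode(password, "UTF-8");
        byte[] payload = body.getBytes(StandardCharsets.UTF_8);

        HttpsURLConnection conn =
            (HttpsURLConnection) new URL(LOGIN_URL).openConnection();
        // Default SSLSocketFactory and HostnameVerifier are kept: the server
        // certificate is validated against the JVM's cacerts, which already
        // holds the major CAs, so a VeriSign-signed cert needs no extra setup.
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type",
                                "application/x-www-form-urlencoded");
        conn.setRequestProperty("Content-Length",
                                String.valueOf(payload.length));
        try (OutputStream out = conn.getOutputStream()) {
            out.write(payload);
        }
        // Success is defined by the site's own protocol (many redirect with
        // 302 on a good login), not by HTTPS itself.
        return conn.getResponseCode();
    }

    public static void main(String[] args) throws IOException {
        String password = args.length > 0 ? args[0] : "changeme"; // sample only
        System.out.println("HTTP status: " + login("alice", password));
    }
}
```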