• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Paul Clapham
  • Ron McLeod
  • Tim Cooke
  • Junilu Lacar
Sheriffs:
  • Rob Spoor
  • Devaka Cooray
  • Jeanne Boyarsky
Saloon Keepers:
  • Jesse Silverman
  • Stephan van Hulst
  • Tim Moores
  • Carey Brown
  • Tim Holloway
Bartenders:
  • Jj Roberts
  • Al Hobbs
  • Piet Souris

Do you encrypt password yourselves?

 
Ranch Hand
Posts: 3851
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Do you encrypt password yourselves on �login page� before transferring it over network or trust on post method?

Thanks.
 
Bartender
Posts: 6663
5
MyEclipse IDE Firefox Browser Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
You should use SSL if you want to encrypt anything with some confidence. Send the credentials via https
 
ankur rathi
Ranch Hand
Posts: 3851
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Originally posted by John Meyers:
You should use SSL if you want to encrypt anything with some confidence. Send the credentials via https



Well I read little bit about SSL on net but didn't understand much, how it works and how should I use it. And moreover we need to buy SSL Certificate for this, though there were something called 'self-sign' but I didn't understand SSL at the first place.

Can anyone please explain this?

Thanks.
 
Ranch Hand
Posts: 2308
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Originally posted by ankur rathi:
Do you encrypt password yourselves on �login page� before transferring it over network or trust on post method?

Thanks.



POST never encrypts anything.Only the key=Value&key1=Value2 query string would be part of body of HTTP request instead on the URL as done in case of GET.

BASE64 encoding is done in case your are authenticating user on BASIC authentication scheme.
 
Ranch Hand
Posts: 360
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
http://www.interwebinc.com/security/ssl.html

This funny tutorial may help you with understanding of SSL. In addition, sel-signed certificate may be perfectly sufficient for you.
 
Sheriff
Posts: 13411
Firefox Browser VI Editor Redhat
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
SSL is configured at the container level.
You shouldn't have to do anything in your JSP/Servlet code to use it.

Since setting this up varies according to your container and the vendor who sold you the certificate, it is best to read their documentation for details on setting it up.

How it works is a bit complicated and is not a subject for the JSP forum.
Moving to the Security forum...
[ April 18, 2007: Message edited by: Ben Souther ]
 
ankur rathi
Ranch Hand
Posts: 3851
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Originally posted by Pavel Kubal:
http://www.interwebinc.com/security/ssl.html

This funny tutorial may help you with understanding of SSL. In addition, sel-signed certificate may be perfectly sufficient for you.



I knew the concept of public and private key before. One encrypts a message with own private key and sends, and other decrypts it with public key of sender.

But my doubt is, though it�s a public key by name but how others will know about that key? And if I am sending my public key before secure communication starts then it might get hacked by someone and so rest of the communication also with this public key�
:roll:
 
Bartender
Posts: 1638
IntelliJ IDE MySQL Database Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Originally posted by ankur rathi:


I knew the concept of public and private key before. One encrypts a message with own private key and sends, and other decrypts it with public key of sender.

But my doubt is, though it�s a public key by name but how others will know about that key? And if I am sending my public key before secure communication starts then it might get hacked by someone and so rest of the communication also with this public key�
:roll:


Public key is not used for decrypting. It is used for encrypting.
You always encrypt using public key and it can only be decrypted using the private key.
 
ankur rathi
Ranch Hand
Posts: 3851
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Originally posted by Nitesh Kant:

Public key is not used for decrypting. It is used for encrypting.
You always encrypt using public key and it can only be decrypted using the private key.



Oh sorry, I just made it reverse.

Okay so sender encrypts message with receiver's public key and sends and receiver decrypts it with own private key.

But how does sender know receiver's public key at the first place. :roll:

Thanks.
 
author
Posts: 23909
142
jQuery Eclipse IDE Firefox Browser VI Editor C++ Chrome Java Linux Windows
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Originally posted by ankur rathi:


Oh sorry, I just made it reverse.

Okay so sender encrypts message with receiver's public key and sends and receiver decrypts it with own private key.

But how does sender know receiver's public key at the first place. :roll:

Thanks.



The sender asks the receiver for it. And the receiver sends it, in the clear (not encrypted) without any fear that a hacker can use it.

[EDIT: of course, this assumes that PKI is not in use. It gets much more complicated once PKI is in use ... ]

Henry
[ April 18, 2007: Message edited by: Henry Wong ]
 
Rahul Bhattacharjee
Ranch Hand
Posts: 2308
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
You do not need to hack a public key , its made freely available by the person who has its private key.

Now the question is how does the browser get the public key.The server sends the browser the certificate and the public key is embedded in that.

How to run application in SSL.As Ben Souther mentioned ; refer the container that you are using.Its vendor specific.
 
Deepak Bala
Bartender
Posts: 6663
5
MyEclipse IDE Firefox Browser Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
The certificates that a container will accept are also vendor specific. Self signed as opposed to being signed by a CA. Self signed certificates may not be configurable on some containers
 
Rancher
Posts: 43027
76
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Originally posted by John Meyers:
The certificates that a container will accept are also vendor specific. Self signed as opposed to being signed by a CA. Self signed certificates may not be configurable on some containers



I'm not sure what you want to "configure" about a certificate, especially in the container. The certificate is imported into the keystore by the JRE; the container merely reads what is in there. Do you have an example of a container that can't (or won't) work with self-signed certificates?

The client (i.e. web browser) may not accept a self-signed certificate without asking the user, since it doesn't recognize the signing authority. But that has nothing to do with the container.
[ April 19, 2007: Message edited by: Ulf Dittmer ]
 
Rahul Bhattacharjee
Ranch Hand
Posts: 2308
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Originally posted by John Meyers:
The certificates that a container will accept are also vendor specific. Self signed as opposed to being signed by a CA. Self signed certificates may not be configurable on some containers



For all my testing purposes , I have created self signed certificates and configured them in container.IT WORKS.
 
ankur rathi
Ranch Hand
Posts: 3851
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Thanks all. It made me clear.

How container sends public key to browser? Needs to do configuration in container. How? I will search on net, if necessary, will start a new thread. How browser encrypts data with that public key? is it done automatically or what? And what if we want browser NOT to encrypt some of the data?

Thanks a lot again.
[ May 07, 2007: Message edited by: ankur rathi ]
 
Ulf Dittmer
Rancher
Posts: 43027
76
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

How container sends public key to browser? Needs to do configuration in container. How?

That's server-specific; the procedure for Tomcat is described here.

How browser encrypts data with that public key? is it done automatically or what?

That's a deep subject; start reading here.

And what if we want browser NOT to encrypt some of the data?


Then you don't use SSL. But be aware that mixing HTTPS and HTTP resources in the same page usually results in warning dialogs being shown to the user.
[ May 07, 2007: Message edited by: Ulf Dittmer ]
 
Consider Paul's rocket mass heater.
reply
    Bookmark Topic Watch Topic
  • New Topic