Needs to use cryptography in website

 
apurv suthar
In a web application, if I want to encrypt/decrypt data going to the server and coming back from the server, where should I start?
I have searched the web and found books like "Beginning Cryptography with Java" by David Hook and "Java Security" (O'Reilly). Should I prefer these books or not?

 
Pat Farrell
Can you be more specific? For most designers, it is sufficient to use HTTPS/TLS between the client's browser and the web server. That handles all the cryptography that most folks ever need.
 
apurv suthar
OK. Like an e-procurement system, where all information provided to the company is first encrypted, and that data is signed with a certificate which the bidder chooses.
 
Pat Farrell
I still can't tell what you are asking about. I guess that English is not your native language. I can't follow what you are saying.

Nearly all ecommerce sites simply use HTTPS/TLS.

You seem to be talking about having the user/client software 'sign' some document. That is rarely needed in practice. Having clients try to deal with certificates is nearly always a disaster.
 
apurv suthar
See the images I have attached. They will express more than I can.
[Attached images: 1.png, 2.png, 3.png]
 
Pat Farrell
I just don't understand what you are trying to encrypt and decrypt, and I don't see why you want to do it on the client.

What are your business requirements, without using the words encrypt or decrypt?

What is the basic architecture of your application? Are you planning to write a web-app, using Servlets and JSP and HTML?

Again, what are you trying to do with certificates? In practice, having a user deal with certificates is a disaster.
 
apurv suthar
If I am making an application like e-procurement, then data authentication & integrity should be maintained, so I want to use cryptography.

In an e-procurement system there is a section of bid preparation where the user prepares bid documents and fills in forms. After completing that, he generates the hash for the documents so that the documents he attached during bid preparation can't be altered until the bid submission process. He also encrypts the form data and submits it during bid submission.

On the admin side, after the time for bid preparation has elapsed, the admin generates a super hash (which is similar to signing envelopes to ensure that the bid is closed and no changes are acceptable).

Finally, in the bid submission process the bidder submits all documents and forms he prepared during bid preparation time. (He can only read the data filled in the forms during this stage, and submits documents by comparing their hash values with the documents attached during bid preparation.)

(I have no prior experience in cryptography.)
 
apurv suthar
I am using Struts in my web application.
 
apurv suthar
And I referred to one web site which implements the same functionality that I need, in which a certificate was needed for signing the data before submitting it. So I asked about certificates.
 
Ulf Dittmer
I'm confused - you variously talk of the documents needing to be signed, and of a hash needing to be computed of the documents - which one is it?
 
Pat Farrell
apurv suthar wrote: If I am making an application like e-procurement, then data authentication & integrity should be maintained, so I want to use cryptography. (I have no prior experience in cryptography.)


I think you simply want to use a server that supports the HTTPS protocol. So far, you have not said anything that would drive me to choose to use more complex cryptography. HTTPS does everything you should need.

But you really have to start with the business requirements. You must talk about where code runs, which computers are trusted, etc. You do this before you start cryptography.

There are many good libraries that implement the cryptographic functions, but they do not do the application's business requirements analysis.

I strongly recommend that you forget everything you have read about crypto-certificates until you can describe the business needs.
 
apurv suthar
Sorry if I am embarrassing you.

OK, can you recommend some material if I want to implement the HTTPS protocol & generate a hash of the document being uploaded?
 
Pat Farrell
apurv suthar wrote: Sorry if I am embarrassing you. OK, can you recommend some material if I want to implement the HTTPS protocol & generate a hash of the document being uploaded?


You are not embarrassing me, you are simply confusing me.

One relies upon the web server to handle HTTPS. So you need to find the documentation for whatever web server you will be using. Many people use Apache; it has very strong support for HTTPS and is well documented.

Again, what is the business requirement for the hash prior to uploading? I see no value in that. We use underlying protocols that ensure that the data/file is transferred properly and without change.
 
apurv suthar
There is a section called "Briefcase" which keeps all documents of the bidders. A bidder can attach any of them to any tender notice. But once a document has been attached in the "bid envelope" during "bid preparation", it can't be altered until the "bid submission" stage. So I want to generate a hash for those documents during the "preparation" stage, so that it can be ensured during the "submission" stage that the document is the same.

Also, before submitting to the server, each document is submitted together with its hash, so that on the server side it can be ensured that documents are not altered during transmission.
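
The preparation/submission check described in this post, as an added example that is not code from the thread or from any e-procurement product: the server records a SHA-256 digest when a document is attached, seals the envelope when preparation closes, and at submission accepts only bytes that match the recorded digest. The class name `BidEnvelope`, its methods and the sample document are assumptions, as is reading the "super hash" as one digest over all recorded document digests.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Map;
import java.util.TreeMap;

public class BidEnvelope {  // hypothetical name, not from the thread
    // Document id -> SHA-256 digest, computed and stored by the server at attach time.
    private final Map<String, byte[]> recorded = new TreeMap<>();
    private byte[] seal; // non-null once the preparation window has closed

    static byte[] sha256(byte[]... parts) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            for (byte[] p : parts) md.update(p);
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // every Java platform must provide SHA-256
        }
    }

    // Bid preparation: record the digest of what the server actually received.
    void attach(String id, byte[] content) {
        if (seal != null) throw new IllegalStateException("envelope is closed");
        recorded.put(id, sha256(content));
    }

    // Closing (assumed "super hash"): chain over sorted (hashed id, digest) pairs of fixed length.
    byte[] close() {
        byte[] acc = new byte[0];
        for (Map.Entry<String, byte[]> e : recorded.entrySet())
            acc = sha256(acc, sha256(e.getKey().getBytes(StandardCharsets.UTF_8)), e.getValue());
        return seal = acc;
    }

    // Bid submission: accept only bytes matching the digest recorded before closing.
    boolean verify(String id, byte[] content) {
        byte[] expected = recorded.get(id);
        return seal != null && expected != null && MessageDigest.isEqual(expected, sha256(content));
    }

    public static void main(String[] args) {
        BidEnvelope env = new BidEnvelope();
        byte[] offer = "price: 1000".getBytes(StandardCharsets.UTF_8); // constructed sample
        env.attach("offer.pdf", offer);
        env.close();
        System.out.println(env.verify("offer.pdf", offer));
        System.out.println(env.verify("offer.pdf", "price: 900".getBytes(StandardCharsets.UTF_8)));
    }
}
```

A hash sent by the client next to the document is deliberately not used: anyone able to change the document can recompute its hash, so the comparison relies only on the digest the server stored.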
 
Jayesh A Lalwani
Do these documents need to be submitted to a server different than your web server? I think you might be confusing us by overusing the word "server".

 
Pat Farrell
apurv suthar wrote: on the server side it can be ensured that documents are not altered during transmission.


When you use HTTPS, there is no need to worry about alteration during transmission. HTTPS solves all of those problems.

Again, what are your business requirements?
 
apurv suthar
It seems like I actually don't know what I want to do, or I can't explain it properly.
Thanks for replying.


 
Pat Farrell
apurv suthar wrote: It seems like I actually don't know what I want to do, or I can't explain it properly.


Good luck, you will need to know exactly what you need, either to get help or to implement it yourself.
 