security - Secure Communication in Java - Serialized CipherText-Objects vs. Transport-Layer-Encryption vs. RMI over SSL


I want to implement encrypted communication between 2 Java servers, both under my control. There are 3 architectures I have in mind, and I want input on the pros and cons of them.

Architecture 1: Whenever I invoke a remote method, I do not pass the parameters as plain text but as a serialized CipherText-object. I would use the ESAPI library for this, but the actual implementation does not matter. What's important is that the CipherText-object contains arbitrary data encrypted with a symmetric key, including a MAC for authentication. The symmetric key is available as a pre-shared secret on both servers.

Architecture 2: I don't care about encryption on the application level and delegate it to the transport layer. This could be a VPN tunnel or some sort of server-to-server encryption that is supported. I don't have information on what is available on modern application servers at the moment. Input on this is welcome as well.

Architecture 3: Using javax.rmi.ssl to use RMI over SSL.

It feels like Architecture 1 is complicated and a pain to implement. Architecture 2 leaves encryption to the application server. As an application developer I have no control over the configuration of these features. That's bad, because I want to ensure that the application cannot be used without proper encryption. Architecture 3 seems to be the best way, but I have no experience with this technology.

How would you rate these 3 architectures? Did I miss a better way to implement this? The main goal is to ensure secure encrypted communication, but the complexity of the resulting source code and performance issues are of course a concern as well.

First of all, security solutions are not one-size-fits-all. You must evaluate the threats (who would be interested in snooping/attacking), the risks (what you would lose if an attacker succeeded), and the cost of implementation and use.

Second, security solutions are not exclusive. You could implement all 3 solutions at the same time (communication over a VPN of RMI-SSL calls with encrypted parameters). The issue would be the cost of implementation and the overhead.

Now, to the question at hand:

1) I would not do it, because:

  • It allows someone snooping to know which methods are called, even if they do not know the data passed.
  • As far as I know, MACs can be spoofed.
  • You have to keep control of the servers, and make sure that in the future the shared secret is not discovered. Maybe next month one of the servers is taken away to another location/branch/department and more people start having access to it. Or maybe you deploy the servers in another business without changing the secret.

2 and 3) More or less equivalent. With 2, though, you have to be sure that your servers only accept connections coming through OpenVPN, and not through any other NI. I do not know RMI over SSL very well, but if it has no hidden vulnerability it looks OK.

IMHO, I would go for 3 (standard, integrated in the server, and more flexible). 2 is a good option too, easier to implement, but it requires you to have better control of the server. 1 is reinventing the wheel when there are already valid options, so I would discard it.
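
An added example (not part of the original question or answer) of Architecture 3: both the registry and the remote object are exported with the javax.rmi.ssl socket factories and client certificates are required, so the application itself refuses unencrypted or unauthenticated callers. The `Echo` interface, the class names, port 1099 and the keystore/truststore system properties are assumptions made for this sketch.

```java
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;
import javax.rmi.ssl.SslRMIClientSocketFactory;
import javax.rmi.ssl.SslRMIServerSocketFactory;

public class SecureRmiDemo {
    // Hypothetical remote interface, used only for this example.
    public interface Echo extends Remote {
        String echo(String msg) throws RemoteException;
    }

    static class EchoImpl implements Echo {
        public String echo(String msg) { return "echo: " + msg; }
    }

    public static void main(String[] args) throws Exception {
        // Key material is read from the standard JSSE system properties:
        // -Djavax.net.ssl.keyStore / keyStorePassword (own certificate)
        // -Djavax.net.ssl.trustStore / trustStorePassword (peer certificates)
        int port = 1099; // assumed port

        SslRMIClientSocketFactory csf = new SslRMIClientSocketFactory();
        // null, null = JVM default cipher suites and protocols;
        // true = needClientAuth, i.e. the caller must present a trusted certificate.
        SslRMIServerSocketFactory ssf = new SslRMIServerSocketFactory(null, null, true);

        // The registry is only reachable over TLS as well.
        Registry registry = LocateRegistry.createRegistry(port, csf, ssf);

        // Export the service on an anonymous port, bound to the same TLS factories.
        EchoImpl impl = new EchoImpl();
        Echo stub = (Echo) UnicastRemoteObject.exportObject(impl, 0, csf, ssf);
        registry.rebind("echo", stub);

        // Caller side (normally the second server): lookup and call over TLS.
        Registry remote = LocateRegistry.getRegistry("localhost", port, csf);
        Echo client = (Echo) remote.lookup("echo");
        System.out.println(client.echo("hello"));

        // Shut down the demo cleanly.
        UnicastRemoteObject.unexportObject(impl, true);
        UnicastRemoteObject.unexportObject(registry, true);
    }
}
```

Because the socket factories are passed at export time, a caller that connects without TLS or without a certificate in the server's truststore fails the handshake before any remote method runs.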

