没有身份验证或存储的Java SSL套接字? [英] Java SSL sockets without authentication or stores?

问题描述

我有两个Java应用程序，它们需要通过加密的TCP套接字相互通信，但是它们不需要彼此进行身份验证(一个将接受()彼此的连接).谁能指出我的教程/代码片段，以帮助我进行设置?

I have two java applications that need to talk to each other over an encrypted TCP socket, but they don't need to authenticate each other (one will accept() a connection from the other). Can anyone point me to a tutorial/code-snippet that will help me set these up?

我正在寻找非常简单的东西，我不想提供任何密钥库或信任库材料.

I'm looking for something fairly simple and I'd like to not have to supply any keystore or truststore material.

我应该在这里更具体.我的意思是他们不必通过SSL相互认证.我必须在应用程序级别进行一些非平凡的身份验证，因此我不能使用任何基于SSL的身份验证方案.

I should be more specific here. I meant that they don't have to authenticate each other via SSL. I have some non-trivial authentication that I have to do at the application level, so I can't use any sort of SSL-based authentication scheme.

此外，到目前为止(截至2010年3月3日中午)发布的答案中的某些链接都需要密钥库文件.有没有一种简单的方法可以以编程方式生成所需的密钥?

Also, some of the links in the answers posted so far (as of noon 3/10/2010) require keystore files. Is there a simple way I can programmatically generate the keys I need?

推荐答案

要重申Chris Jester-Young的建议-如果您没有身份验证，那么您可能正在安全通信，但是您没有 知道您要与谁安全地进行通信.您可以简单地与坏人本人进行非常安全的通信(他将您所说的一切转达给您直接与之交谈的人).

To reiterate Chris Jester-Young's advice - if you don't have authentication, then you might be communicating securely, but you have no idea who you're communicating securely with. You could simply be communicating very securely with the bad guy himself (who is relaying everything you're saying onto the person you hoped you were talking directly to).

但是，有一个非常轻量的身份验证方案可能适合您的目的，称为TOFU(首次使用信任).在这里，您可以使用SSL并为每一面生成自签名证书-但是，您不会跳过证书验证.相反，在与给定对等方的 first 连接上，您接受任何证书并将其存储在本地；在与该对等方的后续连接上，您仅接受该保存的证书.这类似于 ssh 在默认情况下用于主机身份验证的方式，并提供对我现在要交谈的人是我昨天与之交谈的人"的身份验证的方式.种类.

However, there is a quite lightweight authentication scheme that might suit your purposes, called TOFU (Trust On First Use). This is where you use SSL and generate self-signed certificates for each side - however you do not skip certificate validation. Instead, on the first connection with a given peer you accept any certificate and store it locally; on subsequent connections with that peer, you only accept that saved certificate. This is similar to the way that ssh works by default for host authentication, and provides authentication of the "the guy I'm talking to now is the same guy I was talking to yesterday" variety.

这篇关于没有身份验证或存储的Java SSL套接字?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！