通过TLS使用Java进行密码学和认证 [英] Cryptography and Authentication via TLS with Web of Trust in Java
问题描述
对于我正在编写的程序,我想使用TLS(或类似的东西)来封装我的应用程序的协议。这样可以尽量减少工作量以及可能意外创建的漏洞数量。
For a program I am writing, I would like to use TLS (or something similar) to encapsulate my application's protocol. This will minimize both the amount of work I have to do as well as the number of vulnerabilities I could accidentally create.
我的程序设计为对等虽然一个或多个服务器提供一些服务来帮助一个用户定位另一个(它注册IP地址/端口组合),但是做其他一些事情。我想使这个系统非常容错,因此这些服务器充当证书颁发机构是不可接受的,因为服务器或其密钥的妥协会影响太多的用户。因此,我打算使用信托网。
My program is designed to be peer-to-peer although one or more servers provide some services to help one user locate another (it registers IP address/port combos) but do little else. I want to make this system very fault-tolerant so having these servers act as a Certificate Authority is unacceptable because a compromise of a server or its key would affect too many users. Therefore I plan on using a Web of Trust.
使用TLS的主要问题是原始TLS 1.2规范(RFC 5246)不提供使用OpenPGP证书。似乎以x.509为中心。 RFC 6091,其中删除了RFC 5081并扩展了RFC 5246,为TLS的扩展做了规定,可以做到我想要的。问题是我不认为BouncyCastle实现这个扩展,我找不到一个Java加密库。我也不想自己写/贡献给BC,因为我真的不会犯错误,我也很懒。
The main problem with using TLS is that the original TLS 1.2 specification (RFC 5246) does not provide for using OpenPGP certificates. It seems to be very x.509 centric. RFC 6091, which obsoletes RFC 5081 and extends RFC 5246, makes provisions for an extension to TLS that does what I want. The problem is that I don't think BouncyCastle implements this extension and I can't find a Java crypto library that does. I also don't want to write my own / contribute to BC because I'm really bad at not making mistakes and I'm also very lazy.
另一个问题这就是BouncyCastle提供了轻量级的客户端TLS API,但是由于这个软件是P2P,所以服务器端的API也是必需的,因此我可以使用TLS来认为发起连接的对端是客户端。我很确定一旦握手完成,这是一样的。
Another problem with this is that BouncyCastle provides "a light weight client-side TLS API" but because this software is P2P, a server-side API is also necessary so that I can use TLS by making it believe that the peer originating the connection is the client. I'm pretty sure that once the handshake is complete that it's the same.
问题:
有什么办法吗仍然可以使用TLS(我非常怀疑)?有没有像P2P这样的协议,如P2P设计,至少可以以这种方式运行(像我相信TLS可以),但是可以使用OpenPGP证书?如果两者都不是这样,我应该追求在这个问题,并实现我自己的层采用TLS的概念?
Questions: Is there any way that I can still use TLS (which I highly doubt)? Is there a protocol like TLS that is designed for P2P, or at least can function in this way (like I believe TLS can), but can work with an OpenPGP certificate? If neither is the case, should I pursue the idea explained in this question and implement my own layer taking concepts from TLS?
推荐答案
我知道支持RFC 6091的唯一库(即带有openpgp证书的TLS )是 GnuTLS ,但我不知道是否可以在Java中使用类似的东西。或者,您可以复制SSH语义,您可以使用自签名
X.509证书存储同行的公钥。
The only library that I know to support RFC 6091 (i.e. TLS with openpgp certificates) is GnuTLS but I don't know whether you can use something like that in Java. Alternatively you could replicate the SSH semantics, where you store the public keys of your peers using self-signed X.509 certificates.
这篇关于通过TLS使用Java进行密码学和认证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
