Java serializable security over TCP

Question

I have a TCP/IP chat application that sends back and forth ChatMessage objects that hold the int type and String message of a message.

My question is: How can I make it more secure?

Thank you!

Encrypt the message, you need to read up on encryption and so on — Joshua Kissoon, Mar 09 '14 at 13:22
I suggest not using Java Serialisation for this task. It opens up a whole can of worms. (And use https, of course.) — Tom Hawtin - tackline, Mar 09 '14 at 14:23

score 1 · Accepted Answer · edited May 23 '17 at 12:28

1

There are two ways that I can think up of: CipherOutputStream and SSLSocket

CipherOutputStream:

byte[] keyBytes = "1234123412341234".getBytes();
final byte[] ivBytes = new byte[] { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 
     0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f }; //example

final SecretKey key = new SecretKeySpec(keyBytes, "AES");
final IvParameterSpec IV = new IvParameterSpec(ivBytes);
final Cipher cipher = Cipher.getInstance("AES/CFB8/NoPadding"); 
cipher.init(Cipher.ENCRYPT_MODE, key, IV);

//assuming your Socket is called "socket"
CipherOutputStream cstream = new CipherOutputStream(socket.getOutputStream(), cipher);
... 
//code to write ChatMessage object

OR, you can use SSL: how to do ssl socket programming

edited May 23 '17 at 12:28

Community

1
1

answered Mar 09 '14 at 13:43

inixsoftware

618
2
9
26

obviously make more secure keys & IV than what is provided :) – inixsoftware Mar 09 '14 at 13:44
Embedding secret key in source code may not be the best idea. As the recent loss of half a billion dollars' worth of Bitcoins helps demonstrate. – Tom Hawtin - tackline Mar 09 '14 at 18:08
@TomHawtin-tackline true. The code is just a simple example to demostrate usage. The OP should not use this verbatim as the key is not at all a good one... – inixsoftware Mar 09 '14 at 18:29
But examples get copied. (Even examples that demonstrate exactly what not to do.) Key management is the most difficult part of the problem. – Tom Hawtin - tackline Mar 09 '14 at 18:35

score 0 · Answer 2 · answered Mar 09 '14 at 13:33

Here's how you do it in pseudocode, assuming you need a secure system providing data Confidentiality, Integrity and User Authenticity. (http://en.wikipedia.org/wiki/Information_security). These are the general requirements for a secure chat system anyways.

Use Public Key Crypto to give each a public/private key pair
When a chat is started between 2 users for the first time, user A generates a Symmetric Key SK to be used to encrypt the messages between himself and user B.
User A Encrypt the SK with the public key of B and send it to B
B decrypt the SK and now they use SK to encrypt further messages between them.

Now you can go learn these concepts and they fairly straightforward to implement. For Algorithms, the most popular used are:

RSA for Public Key Encryption
AES for Symmetric Key Encryption

Both of these algorithms have Java implementations available, checkout the Bouncy Castle crypto API package.

Note: If you are using a web application, and just need to securely transfer the messages, you can use SSL as someone suggested in the comments.

Java serializable security over TCP

2 Answers2