CS 5430 Spring 2016 A5 Problem 2
Step 1. Build a simple socket application
Compile and execute EchoServer.java and EchoClient.java with the following commands:
In one terminal:
javac EchoServer.java
javaEchoServer
In another terminal:
javac EchoClient.java
javaEchoClient
Now type some text into the client. It will be echoed by the server.
Answer the following questions:
- In EchoClient.java, what line(s) of code causes the text to be sent over the network?
- In EchoServer.java what line(s) of code receive the text that is sent over the network?
Step 2. Change the Echo server and client to use SSL
Change SocketFactory.getDefault()in EchoClient.java to SSLSocketFactory.getDefault(). Also change ServerSocketFactory.getDefault()in EchoServer.java to SSLServerSocketFactory.getDefault().
Now recompile and run the EchoServerand EchoClientas in step 1. Something will go wrong.
Answer the following questions:
- What exception is raised? What line of code in EchoServer.java raises it?
Although it’s probably not very clear from the error message and documentation, the underlying problem is that your server a certificate that your client is willing to trust.
Step 3. Equip the server with an RSA key pair
- Generate an RSA key pair and store it as a certificate in a Java keystore:
$ keytool -genkeypair -alias mykey -keyalg RSA \
-keystorekeystorefilename.jks
You may replace mykey and keystorefilename with strings of your choice. keystorefilename.jks is the name of the keystore file that the command will create (or modify, if the file already exists). A keystore may contain many certificates, each of which is named by an “alias.” So mykey is the name that will be given to the particular certificate you are creating in keystorefilename.jks.
You will be prompted to create a password for the keystore, to enter your distinguished name, and to create a password for the key pair itself.
Check your work by running the following command to examine the keystore:
$ keytool -list -v -keystorekeystorefilename.jks
Then:
Answer the following questions:
- What is the serial number of the certificate?
- What is the entry type of the certificate?
- What is the common name (CN) of the certificate owner?
- What is the common name (CN) of the certificate issuer?
- When does the certificate’s validity expire?
- Try entering an incorrect password. What happens? What can you infer about whether the password is being used for purposes of confidentiality or integrity?
- Tell the server how to access the keystore by adding the following code to EchoServer.java immediately before the construction of the SSLServerSocketFactory:
System.setProperty("javax.net.ssl.keyStore", "keystorefilename.jks");
System.setProperty("javax.net.ssl.keyStorePassword", "password");
Answer the following questions:
- Do you think it is generally a good practice to hardcode passwords in source code?
- Suggest an alternative implementation that doesn’t involve hardcoding the keystore password.
- Recompile and run the EchoServer as in step 1. It should now successfully start and wait for the client to connect.
Run the EchoClient as in step 1. Something will go wrong.
Answer the following questions:
- The exception raised is SSLHandshakeException. What line of code in EchoClient.java raises it?
- Consult the documentation of that exception. (The API documentation is at this URL: What does the exception signal?
Step 4. Equip the client with the server’s public key
- Export the server’s certificate (including the server’s public key, but excluding the server’s private key):
$ keytool -export -alias mykey\
-keystorekeystorefilename.jks\
-rfc -file certfilename.cer
You may replace certfilename with a string of your choice.
- Import the certificate into a Java truststore. A truststore is like a keystore except that it doesn’t contain any private keys. (But note that keytool will refer to the truststore as a “keystore”, which is a little confusing.)
$ keytool -import -alias mykey\
-filecertfilename.cer \
-keystoretruststorefilename.jks
You may replace truststorefilenamewith a string of your choice. You will be prompted to create a password for the new truststore. It may differ from the password you chose for the original keystore. The certificate will be displayed, then you will be asked whether to “trust” the certificate. Answer yes, and the certificate will be added to the truststore.
- Check your work by running the following command to examine the truststore:
$ keytool -list -v -keystoretruststorefilename.jks
Then:
Answer the following questions:
- What is the entry type of the certificate?
- Comparing the truststore to the keystore, did the serial number of the certificate change? Did its fingerprint change?
- Tell the client how to access the truststore by adding the following code to EchoClient.java immediately before the construction of the SSLSocketFactory:
System.setProperty("javax.net.ssl.trustStore", "truststorefilename.jks");
System.setProperty("javax.net.ssl.trustStorePassword", "password");
- Recompile and run the EchoClient as in step 1. (Don’t forget to have the EchoServer running, too.)
- Congratulations! You have secured the connection between the client and server with SSL.
Step 5. Investigate the crypto
- There’s a debug flag for Java’s SSL implementation that you can set. Rerun the client and server, but run the client as follows:
$ java -Djavax.net.debug=sslEchoClient
Answer the following questions by examining the debug output:
- What is the SSL cipher suite that is used by the client and server? You will find it as part of the “ServerHello” message on a line that begins “Cipher Suite: ”.
- What is the serial number of the trusted certificate, according to the debug output? Is it the same or different than the certificate you put in the truststore?
- What kind of key is in the trusted certificate, and what is its size? Is that size reasonable according to the NIST recommendations on key size?
- Find the “Master Secret.” According to section 6.3 of the TLS 1.2 spec [RFC 5246], what is the purpose of the Master Secret?
- What are the first few bytes of the Master Secret used in your SSL session? If you run the applications again, does the Master Secret change? Suggest a reason why or why not.