Welcome!

Java IoT Authors: Elizabeth White, Liz McMillan, Pat Romanski, Yeshim Deniz, Mehdi Daoudi

Related Topics: Java IoT

Java IoT: Article

Understanding JSSE

Message exchange between a Java client and server communicating over SSL

The hello message typically contains a random structure that's used later in the protocol. The random structure contains the current time and date in standard Unix 32-bit format and 28 bytes generated by the secure random generator. This is the same SecureRandom class that was instantiated during the SSLSocketFactory implementation. The following represents an example of a random structure.


[java] RandomCookie: GMT: 1068318819 bytes = {179, 149, 240, 59, 32,
133, 114, 223, 214, 179, 158, 252, 216, 163, 195, 81, 38, 109, 86,
103, 87, 233, 180, 113, 250, 85, 224, 249 }

The client hello message also includes a variable length session identifier. This is the identity of the session corresponding to the connection. Generally, this field is empty when no session_id is available as shown below, or the client is initiating a new session and wants to generate new security parameters.


[java] Session ID:  {}

The next field in the Hello message is the cipher suites supported by the client. The client sends the list of all the cipher suites it supports. This is the list of cryptographic algorithms supported by the client in the order of the client's choice (first choice first). Each CipherSuite defines a key exchange algorithm, a bulk encryption algorithm (including secret key length), and a MAC algorithm. The server will select a cipher suite (usually the first in the list, if supported by the server) or, if no acceptable choices are presented, return a handshake failure alert and close the connection.

The following is an example of the cipher suites sent by the client to the server.


[java] Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5,………………………………… TLS_DHE_
RSA_WITH_AES_, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]

Along with the CipherSuites, the client also sends a list of the compression methods supported by the client, sorted by client preference. The compression algorithm translates an SSLPlaintext structure into an SSLCompressed structure. This algorithm may be used to compress the data prior to encryption. In the following debug output, the compression method.


[java] Compression Methods:  { 0 }

In essence, during the hello message, the following security attributes are established.

  • Protocol Version: The version of the SSL protocol by which the client wishes to communicate during this Session and is typically the highest valued version supported by the client. In the above example, the protocol version is TLSv1.
  • Session ID: Used to identify any existing session between the same client and the server.
  • Cipher Suite
  • Compression Method
In response to the above Hello request from the client, the server can either send a Hello message back or return with a handshake_failure alert. The following sections explain the messages on the server side in response to the Hello Request from the client.

Server Hello
The server will send this message in response to a client hello message when it finds an acceptable set of algorithms. If it can't find a match, it will respond with a handshake failure alert. The following is the debug output from the Java client:


[java] *** ServerHello, TLSv1

Just as the client generated a random structure, the server also generates a random structure to be used later in the protocol. The random structure is similar to the one shown below.


[java] RandomCookie:  GMT: 1068318819 bytes = { 152, 122, 230, 150,
51, 26, 74, 27, 140, 113, 192, 13, 22, 76, 228, 17, 150, 251, 234,
30, 155, 33, 77, 179, 30, 31, 60, 155 }

The server then generates a session id for the connection. If the client session id wasn't empty, the server will look in its cache to find a match. If a match is found, the server can reuse this session, otherwise it will generate a new session id (as shown below).


[java] Session ID:  {254, 66, 184, 128, 0, 67, 156, 252, 120, 36,
183, 89, 192, 173, 85, 191}

If the server sends an empty session id back to the client, it implies that the server doesn't want to re-use the existing sessions.

In the next step, the server traverses the list of cipher suites supported by the client and selects the highest supported between the client/server. It also selects the available compression algorithm from the list sent by the client. As you'll see in the following output, the server has picked the following Ciphersuite (the first in the list sent by the client):


[java] Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
And the compression method, again from the client list.
[java] Compression Method: 0

If either the ciphersuite or the compression method does not match, the session will fail.


[java] %% Created:  [Session-1, SSL_RSA_WITH_RC4_128_MD5]

Certificate Exchange

In its response to the client request, the server sends a certificate. Although this step can be optional, in most cases it's mandatory because in typical SSL implementations the client invariably requests the server's authentication. In an anonymous key exchange, none of the parties (neither the client nor the server) are authenticated.

This mode is vulnerable to a man-in-middle attack and isn't a widely used key exchange mode. The following is a sample of a server certificate key exchange:


[java] *** Certificate chain
[java] chain [0] = [
[java] [
[java]   Version: V1
[java]   Subject: CN=username, OU=FOR TESTING ONLY, O=MyOrganization,
L=MyTown, ST=MyState, C=US
[java]   Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

The server certificate will always immediately follow the server hello message. Once the certificate message is sent from the server to the client, the server hello is over.


[java] *** ServerHelloDone

Key Exchange
Once the server has sent a certificate to the client, a Key Exchange message is initiated. It is always sent by the client. It will immediately follow the client certificate message, if it's sent. Otherwise it will be the first message sent by the client after it gets the server hello done message.

Client Key Exchange Message


[java] *** ClientKeyExchange, RSA PreMasterSecret, TLSv1

The purpose of the key exchange process is to get a token encryption key (TEK), which is used to wrap data encryption keys, client write keys, server write keys, and master secret encryption keys. The encrypted pre_master_secret is sent to the server in a client key exchange message. The pre_master_secret will be used to generate the master_ secret. The master_secret is needed to generate the finished messages, encryption keys, and MAC secrets. By sending a correct finished message, the parties prove that they know the correct pre_master_secret.

Finished Message
The last message in the SSL handshake process is the "finished message." A finished message is always sent immediately after a change cipher spec message to verify that the key exchange and authentication processes were successful. It's essential that a change cipher spec message be received between the other handshake messages and the finished message. The following output demonstrates a finished message exchange.


[java] *** Finished
[java] verify_data:  { 155, 104, 57, 51, 140, 66, 235, 165, 133, 234, 48, 234 }
[java] ***
[java] main, WRITE: TLSv1 Handshake, length = 32
[java] main, READ: TLSv1 Change Cipher Spec, length = 1
[java] JsseJCE: Using JSSE internal implementation for cipher RC4
[java] main, READ: TLSv1 Handshake, length = 32
[java] *** Finished
[java] verify_data:  { 237, 42, 200, 45, 111, 152, 20, 147, 77, 110, 221, 199 }
[java] ***

The finished message is the first protected message with the just-negotiated algorithms, keys, and secrets. Once a side has sent its finished message and gotten and validated a finished message from its peer, it may begin to send and receive application data over the connection. At this point, the SSL handshake has been established and both the client and server are now ready to exchange data over a secured connection.

Summary

This article provided you with the message exchange between a Java client and a server when communicating over a secured socket layer, as implemented by JSSE. The multiple message exchange between the client and the server are crucial to establishing the identity of the each party, agreeing on different cryptographic algorithms, protocol version, compression, and encryption methods.

References

  • Java Secure Socket Extension Guide http://java.sun.com/j2se/1.4.2/docs/guide/security/jsse/JSSERefGuide.html
  • Cryptography FAQ www.rsa-security.com/rsalabs/faq/files/rsalabs_faq41.pdf
  • More Stories By Sudhir Upadhyay

    Sudhir Upadhyay is currently with Architecture and Shared services at JP Morgan Chase where he is an application architect. Prior to joining JPMorgan, he was a principal consultant with BEA Professional Services where he helped customers design and implement enterprise J2EE solutions. He is a BEA Certified WebLogic Developer and a Sun Certified Java Developer.

    Comments (0)

    Share your thoughts on this story.

    Add your comment
    You must be signed in to add a comment. Sign-in | Register

    In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


    IoT & Smart Cities Stories
    At CloudEXPO Silicon Valley, June 24-26, 2019, Digital Transformation (DX) is a major focus with expanded DevOpsSUMMIT and FinTechEXPO programs within the DXWorldEXPO agenda. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive over the long term. A total of 88% of Fortune 500 companies from a generation ago are now out of business. Only 12% still survive. Similar percentages are found throug...
    Druva is the global leader in Cloud Data Protection and Management, delivering the industry's first data management-as-a-service solution that aggregates data from endpoints, servers and cloud applications and leverages the public cloud to offer a single pane of glass to enable data protection, governance and intelligence-dramatically increasing the availability and visibility of business critical information, while reducing the risk, cost and complexity of managing and protecting it. Druva's...
    BMC has unmatched experience in IT management, supporting 92 of the Forbes Global 100, and earning recognition as an ITSM Gartner Magic Quadrant Leader for five years running. Our solutions offer speed, agility, and efficiency to tackle business challenges in the areas of service management, automation, operations, and the mainframe.
    The Jevons Paradox suggests that when technological advances increase efficiency of a resource, it results in an overall increase in consumption. Writing on the increased use of coal as a result of technological improvements, 19th-century economist William Stanley Jevons found that these improvements led to the development of new ways to utilize coal. In his session at 19th Cloud Expo, Mark Thiele, Chief Strategy Officer for Apcera, compared the Jevons Paradox to modern-day enterprise IT, examin...
    With 10 simultaneous tracks, keynotes, general sessions and targeted breakout classes, @CloudEXPO and DXWorldEXPO are two of the most important technology events of the year. Since its launch over eight years ago, @CloudEXPO and DXWorldEXPO have presented a rock star faculty as well as showcased hundreds of sponsors and exhibitors! In this blog post, we provide 7 tips on how, as part of our world-class faculty, you can deliver one of the most popular sessions at our events. But before reading...
    DSR is a supplier of project management, consultancy services and IT solutions that increase effectiveness of a company's operations in the production sector. The company combines in-depth knowledge of international companies with expert knowledge utilising IT tools that support manufacturing and distribution processes. DSR ensures optimization and integration of internal processes which is necessary for companies to grow rapidly. The rapid growth is possible thanks, to specialized services an...
    At CloudEXPO Silicon Valley, June 24-26, 2019, Digital Transformation (DX) is a major focus with expanded DevOpsSUMMIT and FinTechEXPO programs within the DXWorldEXPO agenda. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive over the long term. A total of 88% of Fortune 500 companies from a generation ago are now out of business. Only 12% still survive. Similar percentages are found throug...
    There are many examples of disruption in consumer space – Uber disrupting the cab industry, Airbnb disrupting the hospitality industry and so on; but have you wondered who is disrupting support and operations? AISERA helps make businesses and customers successful by offering consumer-like user experience for support and operations. We have built the world’s first AI-driven IT / HR / Cloud / Customer Support and Operations solution.
    Codete accelerates their clients growth through technological expertise and experience. Codite team works with organizations to meet the challenges that digitalization presents. Their clients include digital start-ups as well as established enterprises in the IT industry. To stay competitive in a highly innovative IT industry, strong R&D departments and bold spin-off initiatives is a must. Codete Data Science and Software Architects teams help corporate clients to stay up to date with the mod...
    Scala Hosting is trusted by 50 000 customers from 120 countries and hosting 700 000+ websites. The company has local presence in the United States and Europe and runs an internal R&D department which focuses on changing the status quo in the web hosting industry. Imagine every website owner running their online business on a fully managed cloud VPS platform at an affordable price that's very close to the price of shared hosting. The efforts of the R&D department in the last 3 years made that pos...