I am creating a rather large client / server app. It involves the client logging in to the server, and then joining any number of rooms, where there can be lots of other users, and then the users interact with each other (very similar to a chat application), but more than just strings will be sent across to each other. (Currently there is no p2p support (and may not be); everything goes through the server, as it must be processed first, before it is sent out to the other clients.)
My problem at this point is security. On both the server and client side, I am using MessageDigest with SHA-1 to encrypt the passwords, but now my concern has shifted to the connections between the client & server.
I have tried looking into JGSS, but got entirely confused, as I think it is beyond the scope of my application. My main concern is that the login information needs to be secure. So here are my questions:
1) Would it be enough to just encrypt the password, and send it over a normal socket (unsecure)?
2) Is there a way to just use JSSE for the login process and then use normal sockets for the rest of the communication?
3) Most importantly, I know using JSSE for the whole connection between the client and server is probably the best idea, but I am worried about performance. How much is the encrypt/decrypt (primarily on the server side) going to hinder my performance as compared to an unsecure connection?
Thanks for all the help!