
Does using JSSE for a client/server app hinder my performance?

Hi all,

I am creating a rather large client / server app. It involves the client logging into the server and then joining any number of rooms, where there can be lots of other users, and then the users interact with each other (very similar to a chat application), but more than just strings will be sent across to each other. (Currently there is no p2p support (and may not be); everything goes through the server, as it must be processed first before it is sent out to the other clients.)

My problem at this point is security. On both the server and client side, I am using MessageDigest with SHA-1 to encrypt the passwords, but now my concern has shifted to the connections between the client & server.

I have tried looking into JGSS, but got entirely confused, as I think it is beyond the scope of my application. My main concern is that the login information needs to be secure. So here are my questions:

1) Would it be enough to just encrypt the password and send it over a normal socket (insecure)?
2) Is there a way to just use JSSE for the login process and then use normal sockets for the rest of the communication?
3) Most importantly, I know using JSSE for the whole connection between the client and server is probably the best idea, but I am worried about performance. How much is the encrypt/decrypt (primarily on the server side) going to hinder my performance as compared to an insecure connection?

Thanks for all the help!
Asked: gmoniey
2 Solutions
 
objects Commented:
> 1) Would it be enough to just encrypt the password and send it over a normal socket (insecure)?

If that's the only information you consider sensitive then yes.

> 2) Is there a way to just use JSSE for the login process and then use normal sockets for the rest of the communication?

You could use a separate connection for login, but you'd still need some means of identifying which authenticated session on the server a connection was associated with.

> 3) Most importantly, I know using JSSE for the whole connection between the client and server is probably the best
> idea, but I am worried about performance. How much is the encrypt/decrypt (primarily on the server side) going to
> hinder my performance as compared to an insecure connection?

Doesn't sound like it would have a whole lot of impact. One thing you could do is offer the client the choice of secure or non-secure. But if it's only the login details that you want to protect then you could simply encrypt them and use a standard socket for all comms.
 
aozarov Commented:
> 1) Would it be enough to just encrypt the password and send it over a normal socket (insecure)?
No, you will be vulnerable to "repetition attacks".

> 2) Is there a way to just use JSSE for the login process and then use normal sockets for the rest of the communication?
See objects' comment. I don't recommend you go down that path, which will put you back at square one.

> 3) hinder my performance as compared to an insecure connection?
The most expensive part in SSL is the socket establishment; after that the performance penalty is small. So for applications that keep the connection for a while it is not a big deal.

So, basically, if security is important for you then I recommend you go with standard approaches (such as SSL) instead of looking for some tricks, which will always have loopholes.
 
gmoniey Author Commented:
Does anyone know how much SSL slows a connection down in general?
It seems that my best bet is to use SSL for the whole connection, but my only concern is how much the server will be slowed down by the encryption/decryption process. Also, is SSL 100% secure, or are there any known flaws?

thanks!
 
aozarov Commented:
In security no one will give you a 100% guarantee.
But SSL with a good cipher suite should be pretty good protection.
As I said, the connection establishment will be noticeably slower (but this is a one-time thing for a connectionfull application). The rest of the communication should not be impacted much.
 
gmoniey Author Commented:
aozarov,

I don't understand what you mean by "but this is a one-time thing for a connectionfull application".

Could you clarify? Thanks!
 
aozarov Commented:
HTTP is a connectionless protocol (though 1.1 keep-alive comes to improve it a bit), which means that each request your browser sends will establish a new connection.
In your case, I assume, you are going to keep the chat client sockets open as long as they are active (connectionfull).
That means that the slow part of SSL, which is when you are accepting a new socket, will happen once per client.
 
gmoniey Author Commented:
I'm sorry, I thought I cleared this up before. I am not using HTML; I have created a standalone Java client / server app.

On a side note, the more I read about security and cryptography in Java, the more it seems that JGSS is my best bet, but I am not sure. Does anyone have any examples of using JGSS in a standalone app?

Thanks
 
aozarov Commented:
>> I am not using HTML,
I know; this is why I think it is not a bad option for you.
In any case:
http://java.sun.com/j2se/1.4.2/docs/guide/security/jgss/tutorials/BasicClientServer.html
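Added example, not code from anyone in this thread: a minimal JSSE client and server that follows the advice above, keeping one TLS connection open for the whole session, allowing only modern protocol versions, and timing the handshake separately from the per-message cost on the established connection. It assumes a PKCS12 keystore named server.p12 with password changeit (both placeholders) holding a self-signed certificate for localhost, generated beforehand with keytool.

```java
import javax.net.ssl.*;
import java.io.*;
import java.security.KeyStore;
public class TlsChatDemo {
    // Assumption: server.p12 (password "changeit") is a PKCS12 keystore with a self-signed
    // key pair whose certificate carries SAN dns:localhost (keytool -genkeypair ... -ext SAN=dns:localhost).
    // The client trusts that same file, so it accepts only this server's certificate.
    static final String STORE = "server.p12";
    static final char[] PASS = "changeit".toCharArray();
    static SSLContext context() throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(STORE)) { ks.load(in, PASS); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, PASS);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }
    public static void main(String[] args) throws Exception {
        SSLContext ctx = context();
        SSLServerSocket server = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(0);
        server.setEnabledProtocols(new String[] {"TLSv1.3", "TLSv1.2"}); // no legacy SSL/TLS versions
        Thread echo = new Thread(() -> { // server side: one long-lived connection per client
            try (SSLSocket s = (SSLSocket) server.accept();
                 BufferedReader in = new BufferedReader(new InputStreamReader(s.getInputStream()));
                 PrintWriter out = new PrintWriter(s.getOutputStream(), true)) {
                for (String line; (line = in.readLine()) != null; ) out.println("server saw: " + line);
            } catch (IOException e) { e.printStackTrace(); }
        });
        echo.start();
        try (SSLSocket c = (SSLSocket) ctx.getSocketFactory().createSocket("localhost", server.getLocalPort())) {
            SSLParameters p = c.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS"); // also verify the certificate names localhost
            c.setSSLParameters(p);
            long t0 = System.nanoTime();
            c.startHandshake(); // the expensive part: key exchange and certificate verification
            long handshakeMs = (System.nanoTime() - t0) / 1_000_000;
            BufferedReader in = new BufferedReader(new InputStreamReader(c.getInputStream()));
            PrintWriter out = new PrintWriter(c.getOutputStream(), true);
            t0 = System.nanoTime();
            for (int i = 0; i < 1000; i++) { out.println("msg " + i); in.readLine(); }
            long perMsgUs = (System.nanoTime() - t0) / 1000 / 1000; // 1000 round trips -> microseconds each
            System.out.printf("%s %s: handshake %d ms, then %d us per round trip%n",
                c.getSession().getProtocol(), c.getSession().getCipherSuite(), handshakeMs, perMsgUs);
        }
        echo.join();
        server.close();
    }
}
```

The printed numbers show the split the answers describe: a handshake measured in milliseconds, followed by round trips on the open connection that cost microseconds each.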