Java加入信任站点_java-在非安全网络上建立可信任安全的通道(1/3)

看到标题，几乎所有人都会想到SSL，但SSL比较重量级，我想做的是只利用java的JCE体系(不是JSSE)在非安全网络环境下建立起一个可信任的、安全的通道。

所以这篇博文包括两个主题：可信任和安全。

这一节只考虑如何交互密钥。下一节(2/3)讨论如何建立信任关系，并在可信关系上交换密钥(防止中间人攻击)。

非对称密钥不适合做通道加密，通道加密必然使用对称密钥。既然如此，通信的双方(或多方)如何获取一个共同的密钥呢？

下面的代码使用Java security api在socket通道上面演示密钥交换：

参考《Java security,2nd edition》

核心代码

public class DHKeyExchanger implements KeyExchanger {

protected Pipe pipe;

protected KeyPair dhKeyPair;

protected PublicKey peerDHPublicKey;

private byte[] key;

/**

*

* @param pipe 密钥交互管道

*/

public DHKeyExchanger(Pipe pipe) {

this.pipe = pipe;

}

// 初始化DH密钥对

protected void init() throws SkipException {

try {

// Create a Diffie-Hellman key pair.

KeyPairGenerator kpg = KeyPairGenerator.getInstance("DH");

kpg.initialize(SKIP.DHParameterSpec);

dhKeyPair = kpg.genKeyPair();

} catch (InvalidAlgorithmParameterException e) {

throw new SkipException("Invalid DH algorithm parameter.", e);

} catch (NoSuchAlgorithmException e) {

throw new SkipException("DH algorithm not supported.", e);

}

}

// 发送dh公钥

protected void sendDHPublicKey() throws IOException, SkipException {

byte[] keyBytes = dhKeyPair.getPublic().getEncoded();

write(keyBytes);

}

// 接收对方的dh公钥

protected void receiveDHPublicKey() throws IOException, SkipException {

byte[] publicKeyBytes = read();

KeyFactory kf;

try {

kf = KeyFactory.getInstance("DH");

X509EncodedKeySpec x509Spec = new X509EncodedKeySpec(publicKeyBytes);

peerDHPublicKey = kf.generatePublic(x509Spec);

} catch (NoSuchAlgorithmException e) {

throw new SkipException("DH algorithm not supported.", e);

} catch (InvalidKeySpecException e) {

throw new SkipException("Invalid public key", e);

}

}

// 生成密钥

public byte[] generateKey() throws SkipException {

KeyAgreement ka;

try {

ka = KeyAgreement.getInstance("DH");

ka.init(dhKeyPair.getPrivate());

ka.doPhase(peerDHPublicKey, true);

return ka.generateSecret();

} catch (NoSuchAlgorithmException e) {

throw new SkipException("DH algorithm not supported.", e);

} catch (InvalidKeyException e) {

throw new SkipException("Invalid private key.", e);

}

}

// all in one

public void exchange() throws SkipException, IOException {

this.init();

this.sendDHPublicKey();

this.receiveDHPublicKey();

this.key = generateKey();

}

// read a byte array

protected byte[] read() throws IOException {

return pipe.read();

}

// write a byte array

protected void write(byte[] bytes) throws IOException {

pipe.write(bytes);

}

@Override

public byte[] getKey() {

return key;

}

}

public interface KeyExchanger {

public void exchange() throws SkipException, IOException;

/**

* @return 协商好的密钥

*/

byte[] getKey();

}

public class SKIP {

// SKIP's 1024 DH parameters

private static final String SKIP1024String = "F488FD584E49DBCD20B49DE49107366B336C380D451D0F7C88B31C7C5B2D8EF6"

+ "F3C923C043F0A55B188D8EBB558CB85D38D334FD7C175743A31D186CDE33212C"

+ "B52AFF3CE1B1294018118D7C84A70A72D686C40319C807297ACA950CD9969FAB"

+ "D00A509B0246D3083D66A45D419F9C7CBD894B221926BAABA25EC355E92F78C7";

// Modulus

private static final BigInteger SKIP1024Modulus = new BigInteger(

SKIP1024String, 16);

// Base

private static final BigInteger SKIP1024Base = BigInteger.valueOf(2);

public static final DHParameterSpec DHParameterSpec = new DHParameterSpec(

SKIP1024Modulus, SKIP1024Base);

}

数据交互通道：

public interface Pipe {

byte[] read() throws IOException;

void write(byte[] data) throws IOException;

}

public class DataPipe implements Pipe {

DataInput in;

DataOutput out;

public DataPipe(InputStream in, OutputStream out) {

super();

if (in instanceof DataInputStream) {

this.in = (DataInputStream) in;

} else {

this.in = new DataInputStream(in);

}

if (out instanceof DataOutputStream) {

this.out = (DataOutputStream) out;

} else {

this.out = new DataOutputStream(out);

}

}

@Override

public byte[] read() throws IOException {

byte[] bytes = new byte[in.readInt()];

in.readFully(bytes);

return bytes;

}

@Override

public void write(byte[] data) throws IOException {

out.writeInt(data.length);

out.write(data);

}

}

测试代码：

public class Client {

public static void main(String[] args) throws Exception {

String host = "localhost";

int port =1111;

// Open the network connection.

byte[] key = exchangeFrom(host, port);

System.out.println(Base64.encode(key));

}

public static byte[] exchangeFrom(String host, int port)

throws SkipException, IOException {

Socket s = new Socket(host, port);

Pipe pipe = new DataPipe(s.getInputStream(), s.getOutputStream());

KeyExchanger exchanger = new DHKeyExchanger(pipe);

exchanger.exchange();

s.close();

return exchanger.getKey();

}

}

//

public class Server {

public static void main(String[] args) throws Exception {

System.out.println(Base64.encode(exchangeFrom(1111)));

}

public static byte[] exchangeFrom(int port)

throws SkipException, IOException {

ServerSocket ss = new ServerSocket(port);

// Wait for a connection.

Socket s = ss.accept();

DataOutputStream out = new DataOutputStream(s.getOutputStream());

DataInputStream in = new DataInputStream(s.getInputStream());

Pipe pipe = new DataPipe(in, out);

KeyExchanger exchanger = new DHKeyExchanger(pipe);

exchanger.exchange();

s.close();

ss.close();

return exchanger.getKey();

}

}