Secure Sockets Layer : A Netscape Baby

Netscape designed the SSL protocol in 1994. Version 1.0 was never released publicly; SSL 2.0 shipped in 1995 and SSL 3.0 in 1996, and since then the protocol has evolved into TLS, standardised by the IETF, which is what the web actually runs today for secure transfers over the wire (TLS 1.3 is the current version). SSL/TLS is used to send data over the wire in encrypted form. Encryption is necessary when you are sending sensitive data like a funds transaction, credit-card details, or anything else in this world that you feel should be protected from unauthorised access and should reach only the intended hands.

SSL is meant to ensure that your data reaches the right hands. But how does it all happen? Before we can discuss the process, let me explain some key terms that you need to know to understand the whole process.

Certificate: A certificate or digital certificate is an electronic document used to establish trust between the two parties (client and server) who want to communicate over the wire. It carries the following information, which is used to establish the authenticity of, and trust in, the other party:

  • Information about the owner (subject) of the certificate, like the owner's name and e-mail address
  • Certificate usage and duration of validity
  • The owner's Distinguished Name (DN), which includes the Common Name (CN) (the web site's host name or an e-mail address, depending on the usage), and the DN of the issuer, i.e. the party that certifies (signs) this information
  • The owner's public key, and the issuer's signature over all of the above

Let's also have a look at what a certificate looks like (this is the human-readable dump that openssl x509 -text prints):

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=FJ, ST=Fiji, L=Sanjeev, O=SOPAC, OU=ICT, CN=SOPAC Root CA/Email=administrator@directi.com
        Validity
            Not Before: Nov 20 05:47:44 2001 GMT
            Not After : Nov 20 05:47:44 2002 GMT
        Subject: C=DI, ST=DIRECT, L=Mansha, O=DIRECT, OU=ICT, CN=www.directi.com/Email=administrator@directi.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:ba:54:2c:ab:88:74:aa:6b:35:a5:a9:c1:d0:5a:
                    9b:fb:6b:b5:71:bc:ef:d3:ab:15:cc:5b:75:73:36:
                    b8:01:d1:59:3f:c1:88:c0:33:91:04:f1:bf:1a:b4:
                    7a:c8:39:c2:89:1f:87:0f:91:19:81:09:46:0c:86:
                    08:d8:75:c4:6f:5a:98:4a:f9:f8:f7:38:24:fc:bd:
                    94:24:37:ab:f1:1c:d8:91:ee:fb:1b:9f:88:ba:25:
                    da:f6:21:7f:04:32:35:17:3d:36:1c:fb:b7:32:9e:
                    42:af:77:b6:25:1c:59:69:af:be:00:a1:f8:b0:1a:
                    6c:14:e2:ae:62:e7:6b:30:e9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                FE:04:46:ED:A0:15:BE:C1:4B:59:03:F8:2D:0D:ED:2A:E0:ED:F9:2F
            X509v3 Authority Key Identifier:
                keyid:E6:12:7C:3D:A1:02:E5:BA:1F:DA:9E:37:BE:E3:45:3E:9B:AE:E5:A6
                DirName:/C=FJ/ST=Fiji/L=Suva/O=SOPAC/OU=ICT/CN=SOPAC Root CA/Email=administrator@directi.com
                serial:00
    Signature Algorithm: md5WithRSAEncryption
        34:8d:fb:65:0b:85:5b:e2:44:09:f0:55:31:3b:29:2b:f4:fd:
        aa:5f:db:b8:11:1a:c6:ab:33:67:59:c1:04:de:34:df:08:57:
        2e:c6:60:dc:f7:d4:e2:f1:73:97:57:23:50:02:63:fc:78:96:
        34:b3:ca:c4:1b:c5:4c:c8:16:69:bb:9c:4a:7e:00:19:48:62:
        e2:51:ab:3a:fa:fd:88:cd:e0:9d:ef:67:50:da:fe:4b:13:c5:
        0c:8c:fc:ad:6e:b5:ee:40:e3:fd:34:10:9f:ad:34:bd:db:06:
        ed:09:3d:f2:a6:81:22:63:16:dc:ae:33:0c:70:fd:0a:6c:af:
        bc:5a
-----BEGIN CERTIFICATE-----
(base64-encoded certificate body not reproduced here)
-----END CERTIFICATE-----

Besides the information above, notice that the certificate also carries the subject's public key (a 1024-bit RSA key here) and, at the bottom, the issuer's signature over everything in the Data section. Two things in this particular certificate would make any modern client reject it outright: the signature algorithm is md5WithRSAEncryption (MD5 is collision-broken and is no longer accepted for certificate signatures), and a 1024-bit RSA key is below the 2048-bit minimum that CAs and browsers require today. Also worth reading off the dump: the validity window is one year, and the Basic Constraints extension says CA:FALSE, i.e. this is an end-entity certificate that cannot itself sign other certificates.

Public Key / Private Key: The two keys are generated together as a mathematically related pair (for RSA, from two large prime numbers), and their length in bits determines how hard it is to recover the private key from the public one, and hence to decrypt a message without holding the right key. This is the key pair with which data to be transferred on the wire is encrypted. The process is known as public-key cryptography, or asymmetric cryptography. By asymmetric we mean that the keys used to encrypt and decrypt a message are different. The private key is not interchangeable with the public key; the two are distinct halves of the pair, and, as the name suggests, the private half is always kept secret by its owner while the public half is distributed openly (in the certificate). A message encrypted with the public key can be decrypted only with the matching private key. The reverse operation, applying the private key to a hash of some data so that anyone holding the public key can verify it, is a digital signature, and that is how the CA signs the certificate shown above.

Now that we know these terms, here are the simple steps in which the whole encryption/decryption process happens (deliberately simplified; we will fix it in a moment):

  1. A client (browser) requests a secure page (https).
  2. The web server first sends its public key enclosed within a certificate.
  3. The client checks that the certificate was issued by a party it trusts (a Certificate Authority in its trust store, possibly via a chain of intermediate certificates), that the certificate is still within its validity period, and that the certificate was issued for the host the client actually contacted (the host name must match the CN or, these days, a Subject Alternative Name). A real client also checks that the certificate has not been revoked.
  4. The client uses the public key from the certificate to encrypt the data and sends it to the server.
  5. The server decrypts the message using its private key.
  6. The server then processes the request, encrypts the result using its private key and sends it back to the client.

The scheme above is asymmetric cryptography, since the keys involved in encryption and decryption are different. But it has a flaw. Data "encrypted" by the server with its private key can be decrypted by anyone holding the public key, and the public key is distributed openly with the certificate, so every client that has ever contacted the server (and anyone sniffing the wire) can read the server's replies. Applying a private key in that direction is really a signature operation, not encryption. So the process above offers only one-way protection of the data. On top of that, public-key operations are expensive, far too slow to encrypt every byte of a session.

To solve this problem the process needs a small change. The solution is a key that only the client and the server know and that is unique to every session. This is achieved by a process called key exchange: after receiving the server's public key in the certificate, the client generates a random key, encrypts it with that public key and sends it to the server. The server decrypts it with its private key, and now both sides share a secret that nobody else knows (in the RSA key exchange of SSL and TLS up to 1.2, this random value is the pre-master secret, and both sides derive the actual session keys from it). All further communication between client and server uses that shared key: the server uses it to encrypt what it sends to the client, the client does the same in the other direction, and the same key decrypts the messages. Because the same key is used for both encryption and decryption, this part is known as symmetric cryptography, and it is much faster than the asymmetric step. One caveat a practitioner should know: with RSA key transport, anyone who records the traffic and later obtains the server's private key can recover the session key and decrypt the recording. That is why TLS 1.3 dropped RSA key exchange in favour of ephemeral Diffie-Hellman, which gives forward secrecy.

With symmetric encryption, steps 4 to 6 above change as follows:

4. The browser uses the server's public key to encrypt a random symmetric encryption key and sends it to the server, together with the requested URL and other HTTP data encrypted with that symmetric key.

5. The web server decrypts the symmetric key using its private key and then uses the symmetric key to decrypt the URL and HTTP data.

6. The web server sends back the requested HTML document and HTTP data encrypted with the symmetric key.

7. The browser decrypts the HTTP data and HTML document using the symmetric key and displays the page.
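The exchange in steps 1 to 7 as running code, added here as an example; it is not code from the original post. It uses Java's standard JCA with RSA-OAEP for the key transport (steps 4 and 5) and AES-128-GCM for the symmetric record protection (steps 4 to 7), which are modern stand-ins for the cipher suites the post does not name; real SSL/TLS derives several keys from the exchanged secret via a key schedule, and TLS 1.3 no longer uses RSA key transport at all. The class and method names (HybridExchangeDemo, wrapSessionKey, seal, open) are made up for the demonstration. The last part shows the point made above: another party that also holds the server's public key still cannot read the response.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added example, not code from the original post. Names (HybridExchangeDemo,
// wrapSessionKey, seal, open, ...) are made up for the demonstration.
public class HybridExchangeDemo {
    static final SecureRandom RNG = new SecureRandom();
    static final int NONCE_LEN = 12;   // 96-bit GCM nonce, fresh for every record

    // Step 2 (server): long-lived key pair; the public half is what the certificate carries.
    static KeyPair serverKeyPair() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        return kpg.generateKeyPair();
    }

    // Step 4 (client): encrypt a fresh random session key to the server's public key.
    // RSA-OAEP stands in for the unpadded RSA key transport of the SSL era.
    static byte[] wrapSessionKey(PublicKey serverPub, byte[] sessionKey) throws Exception {
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.ENCRYPT_MODE, serverPub);
        return rsa.doFinal(sessionKey);
    }

    // Step 5 (server): only the holder of the private key can recover the session key.
    static byte[] unwrapSessionKey(PrivateKey serverPriv, byte[] wrapped) throws Exception {
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.DECRYPT_MODE, serverPriv);
        return rsa.doFinal(wrapped);
    }

    // Steps 4-7: symmetric protection of every record in both directions (AES-128-GCM).
    // Record layout: nonce || ciphertext || 16-byte authentication tag.
    static byte[] seal(byte[] sessionKey, byte[] plaintext) throws Exception {
        byte[] nonce = new byte[NONCE_LEN];
        RNG.nextBytes(nonce);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(sessionKey, "AES"), new GCMParameterSpec(128, nonce));
        byte[] ct = aes.doFinal(plaintext);
        byte[] record = Arrays.copyOf(nonce, NONCE_LEN + ct.length);
        System.arraycopy(ct, 0, record, NONCE_LEN, ct.length);
        return record;
    }

    // Throws AEADBadTagException when the key is wrong or the record was tampered with.
    static byte[] open(byte[] sessionKey, byte[] record) throws Exception {
        byte[] nonce = Arrays.copyOfRange(record, 0, NONCE_LEN);
        byte[] ct = Arrays.copyOfRange(record, NONCE_LEN, record.length);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.DECRYPT_MODE, new SecretKeySpec(sessionKey, "AES"), new GCMParameterSpec(128, nonce));
        return aes.doFinal(ct);
    }

    public static void main(String[] args) throws Exception {
        KeyPair server = serverKeyPair();

        byte[] clientKey = new byte[16];                 // step 4: the client's random symmetric key
        RNG.nextBytes(clientKey);
        byte[] wrapped = wrapSessionKey(server.getPublic(), clientKey);
        byte[] serverKey = unwrapSessionKey(server.getPrivate(), wrapped);   // step 5
        System.out.println("session keys agree: " + Arrays.equals(clientKey, serverKey));

        byte[] request = seal(clientKey, "GET /account HTTP/1.1".getBytes(StandardCharsets.UTF_8));
        System.out.println("server read: " + new String(open(serverKey, request), StandardCharsets.UTF_8));

        byte[] response = seal(serverKey, "HTTP/1.1 200 OK".getBytes(StandardCharsets.UTF_8));        // step 6
        System.out.println("client read: " + new String(open(clientKey, response), StandardCharsets.UTF_8)); // step 7

        // The flaw of the public-key-only scheme is gone: another party holding the
        // server's public key (i.e. any other client) does not have this session key.
        byte[] otherClientKey = new byte[16];
        RNG.nextBytes(otherClientKey);
        try {
            open(otherClientKey, response);
            System.out.println("unexpected: response readable without the session key");
        } catch (AEADBadTagException e) {
            System.out.println("other client with only the public key: decryption rejected");
        }
    }
}
```

Compile and run with javac HybridExchangeDemo.java && java HybridExchangeDemo. GCM is used rather than a bare block cipher because it also authenticates each record; a wrong key or a modified byte is detected as a bad tag instead of silently producing garbage, which is the same property the SSL/TLS record layer gets from its MAC.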

 

SSL Limitations:

  1. Point-to-point, not end-to-end: SSL protects a single hop, the connection between its two endpoints. If the data has to pass through intermediate nodes (a proxy, a gateway, a message broker) that must read or process it, each hop is a separate SSL connection, the data is in the clear at every intermediate node, and every such node has to be trusted and has to encrypt the data again before passing it on to the final destination.
  2. Acts at the transport layer, not at the message layer: SSL provides security only while the data is on the wire. As soon as the receiving side has decrypted it and written it to disk, SSL offers no further protection; protecting the document itself requires message-level security.
  3. All-or-nothing encryption: SSL encrypts the whole stream. If you want to encrypt only a part of a long file and leave the rest readable, SSL cannot do that; it either encrypts all of the data or none of it.

Anonymous Inner Class

"Meri bheegi bheegi si palkon pe rah gaye, jaise mere sapne bikhar ke" – ANAMIKA (roughly: "they lingered on my moist eyelashes, like my dreams, scattered"; anamika means "the nameless one"). Indian readers can find the relevance here :-)

An anonymous inner class is one that does not have a name. Anonymous inner classes are created on the fly, just in time, and they introduce the weirdest-looking syntax in Java. The following code shows an example of an anonymous inner class:

class Test
{
    public void foo()
    {
        System.out.println("main class foo method");
    }

    public static void main(String[] args)
    {
        // Anonymous subclass of Test, declared and instantiated in one expression
        Test t = new Test()
        {
            public void foo()
            {
                System.out.println("Anonymous class's foo method");
            }
        };
        t.foo();
    }
}

Look at the line in the main method that creates the instance of the Test class. Isn't the syntax weird? What is happening is that we are creating an anonymous class that is a subclass of Test and overriding its foo() method, all in one expression. This is very useful when you only need to override one or two methods of a class and do not want to write a whole new class for it. The anonymous class is created just in time, and when the program above is run it prints "Anonymous class's foo method".

Anonymous inner classes can also be used as an argument to a method call. The following code shows the same:

class Test
{
    public void foo(Test t)
    {
        t.foo();
    }

    public void foo()
    {
        System.out.println("main class's foo called");
    }

    public static void main(String[] args)
    {
        Test t = new Test();
        // The argument is an anonymous subclass of Test with its own no-arg foo()
        t.foo(new Test()
        {
            public void foo()
            {
                System.out.println("Anonymous class's foo method");
            }
        });
    }
}

Here we are calling an overloaded foo() method that takes an object of the Test class, and we want to pass in an object whose no-arg foo() behaves differently. So we create a just-in-time anonymous inner class and pass it as the argument to the overloaded foo(). When the no-arg foo() is called on that object from within the overloaded foo(), the anonymous class's version runs instead of Test's original no-arg foo(). When this program is run it prints "Anonymous class's foo method".

One more case of anonymous inner classes. Sometimes you need to pass a just-in-time implementation of an interface for which no implementing class exists yet. Consider a scenario where you have an interface, no class implements it, and you want to call a method that accepts the interface type. What do you do? Simple: in this case too you create an anonymous inner class and pass it as the argument to that method. The following code shows this:

class Test
{
    public void foo(AnInterface i)
    {
        i.method1();
    }

    public static void main(String[] args)
    {
        Test t = new Test();
        // Anonymous class implementing AnInterface, created at the call site
        t.foo(new AnInterface()
        {
            public void method1()
            {
                System.out.println("Created just in time implementation class of the AnInterface");
            }
        });
    }
}

interface AnInterface
{
    void method1();
}

Here we created an anonymous inner class that implements the AnInterface interface and passed it to the method foo, which takes an AnInterface as its parameter. Note that the anonymous class has to implement method1() declared in AnInterface (obviously :-) ). When this program is run, it prints "Created just in time implementation class of the AnInterface". Since AnInterface has a single abstract method, Java 8 and later also let you write this call as a lambda, t.foo(() -> System.out.println("...")), which is the concise modern form of the same idiom.

This is it for the anonymous inner classes :-) . Will keep coming up with more topics till the time I finish preparing for SCJP :-)

Method-Local Inner Classes

A method-local inner class is a class declared within the curly braces of a method, as follows:

class OuterClass
{
    public void method1()
    {
        class MethodLocalInnerClass
        {
            public void innerClassMethod()
            {
            }
        }
    }
}

The class MethodLocalInnerClass declared inside method1() above is called a method-local inner class. As the name suggests, this class is in scope only within the method, and it can access any member of the OuterClass, the same as method1() itself can. The important point is that a method-local inner class cannot use the local variables of method1() unless they are final (or, from Java 8 onwards, effectively final, meaning they are never reassigned after initialisation). The reason: local variables live in the method's stack frame and vanish as soon as the method returns, but an instance of the inner class can outlive the method, for example if method1() passes it to another method as a parameter or returns it. Java therefore lets the inner class capture a local variable only by copying its value into a hidden field of the inner-class instance when that instance is created. Since that copy cannot follow later assignments to the local, the compiler insists that the local never change, which is exactly what final guarantees. Note that it is the variable that dies with the frame, not the object it refers to; the object lives on the heap and stays reachable through the inner class's copy of the reference.

The following code will explain this scenario more clearly:

public class Test2
{
    public static void main(String[] args)
    {
        System.out.println(foo().toString());
    }

    static Object foo()
    {
        Object localVar = new Object();
        class Foo
        {
            public String toString()
            {
                // uses a local variable of the enclosing method
                return "Hi:" + localVar.toString();
            }
        }
        return new Foo();   // the Foo instance outlives foo()'s stack frame
    }
}

If you look carefully, the foo() method of the Test2 class returns a reference to the method-local inner class Foo declared inside foo(), so the toString() method of Foo can be called from outside foo(). So what is the problem? Foo's toString() uses the local variable localVar, whose stack slot no longer exists once foo() has returned. Before Java 8 this code would not even compile; the fix is to declare localVar as final, so that the compiler can safely copy the reference into the Foo instance. From Java 8 onwards it compiles unchanged, because localVar is never reassigned and therefore counts as effectively final; add a reassignment of localVar anywhere in foo() and the capture is rejected again, on every Java version.
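An added example (not code from the original post) of what the final requirement actually buys you: the captured local is copied into the inner-class instance, so the object it refers to remains usable after the method's stack frame is gone, and the array's contents can still be mutated because only the variable, not the object, is frozen. The names CaptureDemo, makeCounter and LocalCounter are invented for the demonstration.

```java
// Added example, not code from the original post; class and method names are made up.
public class CaptureDemo {

    interface Counter {
        int next();
    }

    static Counter makeCounter(int start) {
        // Captured locals must be final (or effectively final). The inner class gets
        // its own copy of the reference 'slots'; the array object itself lives on the heap.
        final int[] slots = { start };
        int step = 1;        // never reassigned, so effectively final: Java 8+ allows the capture
        // step = 2;         // uncomment this and 'step' can no longer be captured (compile error)

        class LocalCounter implements Counter {
            public int next() {
                slots[0] += step;   // mutating the array's contents is fine; only the variable is fixed
                return slots[0];
            }
        }
        // The instance escapes the method; makeCounter's stack frame is gone after this return,
        // yet the counter keeps working because it holds its own copy of the reference.
        return new LocalCounter();
    }

    public static void main(String[] args) {
        Counter c = makeCounter(10);
        System.out.println(c.next());
        System.out.println(c.next());
    }
}
```

Compile with javac CaptureDemo.java and run java CaptureDemo; then uncomment the step = 2 line and recompile to see the compiler reject the capture of a variable that is no longer effectively final.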

One more thing about method-local inner classes: an instance of the class can only be created after the class declaration, because the class is declared in the method body just like a local variable. The following code shows what I mean:

class OuterClass
{
    public void method1()
    {
        class MethodLocalInnerClass
        {
            public void innerClassMethod()
            {
            }
        }
        // the instantiation comes after the class declaration
        MethodLocalInnerClass mlic = new MethodLocalInnerClass();
    }
}

If you try to create an instance before the class declaration, the code won’t compile for obvious reasons here :-)
That’s it for the method local inner classes.

JAVA Inner Classes

"One class, one responsibility: a cohesive class. Got it. It's good, of course."

But what about the situation where a distinct set of responsibilities needs to be packaged as one unit and at the same time tightly bound to your class? Inner classes serve that purpose: a class with an intimate relationship to your class, hidden from the rest of the world. The inner class is actually a part of your class and has access to all its members, including those marked private, just as any instance method would. Inner classes are declared within the outer class's curly braces, as follows:

class OuterClass
{
    class InnerClass { }
}

The InnerClass above is an inner class of the OuterClass class. If you compile the outer class, you get two class files instead of one:

OuterClass.class
OuterClass$InnerClass.class

As you can see, the inner class's file name is the outer class name joined to the inner class name with a $ sign. This matches the behaviour too: the inner class is never accessible without the outer class, as an instance of the inner class makes no sense without an associated instance of the outer class. Moreover you cannot run java 'OuterClass$InnerClass' to execute a main() method in InnerClass, because an inner class cannot declare static members (other than compile-time constants; Java 16 relaxed this rule), and main() is static of course !!

Instantiating Inner Classes: As I said, an inner class instance makes no sense without the instance of the outer class it is tied to, so in order to instantiate any inner class you need an instance of the outer class as well. You may instantiate the inner class from within the outer class or from outside it.

Instantiating InnerClass from within any non-static method of the OuterClass: This is fairly simple. Non-static methods of the outer class always have a this reference, so to instantiate the inner class you can simply write

InnerClass in = new InnerClass();

from any non-static method of the OuterClass.

Instantiating InnerClass from outside the OuterClass or from a static method within the OuterClass: In either case there is no implicit outer instance, so you first need a reference to an OuterClass instance and then use it to create the inner instance:

OuterClass outerClass = new OuterClass();
OuterClass.InnerClass inc = outerClass.new InnerClass();

That’s it for now on Inner Classes. there is a lot more to tell about it, but next time (but very soon I guess).