Hi, I configured the SSL mechanism in Tomcat 6 with a certificate generated using the Java keytool with the RSA algorithm, and I'm able to access the URLs using HTTPS.

Now I have a few doubts:

  1. While the client is communicating with the server (browser to server or server to browser), is the data also encrypted using 128-bit encryption?
  2. If a standalone application is communicating with the server, do I get encrypted data only?

Please clarify my doubts. Thanks in advance.

+1  A: 
  1. Yes, once the SSL connection has been negotiated (which is the first thing that happens), all data (client and server) is encrypted.

  2. Any application communicating over an SSL-secured channel will have all its data encrypted and (because of certificate signing) it will be relatively confident that it's speaking with the actor it thinks it should be speaking with (i.e., it will have protection against MITM attacks).

David Wolever
Thanks for the help, my basic doubts are cleared. Can you give me a sample example of HTTPS communication from a standalone application? How will this certificate exchange happen? And is it possible to get encrypted data only? Please help with this. Thanks.
Any HTTP client that supports HTTPS will probably have sensible defaults for certificate negotiation, and will also give you options to customize it. Just for example, Python's SSL client lets you specify a certificate and your own list of trusted CAs.
David Wolever
And I'm not sure what you mean by “get encrypted data only”… If you mean “use SSL without HTTP” then yes — it's very easy (although the implementation details depend heavily on available libraries). If not that… Please clarify.
David Wolever
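
A standalone HTTPS client along the lines discussed in the comments above, written with Python's `ssl` module; this is an added example, not code posted by anyone in the thread. The function names are hypothetical, `cafile` is assumed to be a PEM file you exported from the Tomcat keystore, and the plaintext peer is a constructed local test server used to show that the client aborts rather than sending data unencrypted.

```python
import socket
import ssl
import threading

def make_context(cafile=None):
    """Client context that verifies the server certificate and host name.
    cafile: PEM file of the CA (or self-signed server certificate) to trust,
    e.g. exported from the keystore with `keytool -exportcert -rfc`.
    None means the system CA bundle."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def https_get(host, port, path="/", cafile=None, timeout=5.0):
    """Send one GET over TLS; return (negotiated parameters, raw response)."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # The handshake, including the certificate check, completes inside
        # wrap_socket(); no application data is sent before it succeeds.
        with make_context(cafile).wrap_socket(raw, server_hostname=host) as tls:
            info = {"protocol": tls.version(), "cipher": tls.cipher()[0]}
            tls.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            response = b""
            while chunk := tls.recv(4096):
                response += chunk
    return info, response

def start_plaintext_peer():
    """Constructed test peer: replies in plain HTTP, never speaks TLS."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            conn.recv(4096)
            conn.sendall(b"HTTP/1.0 400 Bad Request\r\n\r\nplain text\n")
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def refuses_plaintext_peer():
    """True if the client aborts instead of falling back to plaintext."""
    try:
        https_get("127.0.0.1", start_plaintext_peer())
    except ssl.SSLError:
        return True
    return False

if __name__ == "__main__":
    print("plaintext peer refused:", refuses_plaintext_peer())
```

Against a real server, `https_get(host, 8443, cafile="server.pem")` returns the negotiated protocol version and cipher suite alongside the response; the host, port and file name here are placeholders.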
+1  A: 

If you're connecting with an SSL-enabled client (whether that's a browser, libcurl, or something else) to whatever port you have configured for SSL, your entire communication path will be encrypted. If you try to connect with a non-SSL-enabled client to an HTTPS listener, you'll get a Bad Request error message like this:

Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.

If you're really concerned, try using something like Wireshark to view the communication between client and server.

Wyatt Anderson
+1 on using Wireshark to check. Good call.
David Wolever