1

I am developing a secured file sharing project using Java RMI. The files' content has to be secured. The server will store the encrypted files and the client will be able to upload/download/list files (with password authentication). I am new to security and would appreciate any additional security measures I could implement/correct.

Right now I am thinking of using encryption on the files/passwords/metadata to transport them from the client to the server. Once they reach the server, I would store the encrypted files and would decrypt the passwords, so I could store the SHA256/SHA512 passwords on the database. (Does this make sense?)

Now, I have heard of SSL which encrypts the content of the packets sent and received (if I'm not wrong) and provides some kind of authentication.

Is it necessary to add SSL (or replace with SSL instead of what I idealized) in my case?

Thank you.

3 Answers

1

Yes, please use SSL to secure the transport channel you're delivering the files over. Crypto is hard, and you should never try to implement your own. For more information on exactly what SSL is, please see: How does SSL/TLS work?

Xander
  • Well, I am not trying to implement my own encryption algorithms. I will have to store AES/RSA encrypted files on the server, anyway. – João Rodrigues Oct 11 '14 at 14:14
  • @JoãoRodrigues I understand that, but the algorithm isn't the only hard bit. The protocol is just as tricky and fraught with danger. Using SSL allows you to let someone else worry about that. – Xander Oct 11 '14 at 14:15
1

Oh, god yes. First of all, SSL uses Diffie-Hellman, which means that attackers can't listen to clients negotiate encryption keys with the server (obviously, if they sniffed the key, it would kind of ruin the point of encrypting your communications at all). Second, it uses a CA system, which makes it very difficult for attackers to imitate the server to the client (thus securing your password when the client tries to authenticate). Both of these protocols are difficult to implement correctly, and I highly recommend letting professionals do it for you.

KnightOfNi
  • Sorry, misread the question initially. This edit should make my answer relevant. – KnightOfNi Oct 11 '14 at 14:24
  • Well, I can't really let others implement it for me because it is a project for a security course and it is for academic purposes only. I know nothing about SSL. I have found some implementations of SSL with Java RMI and I am probably going to use them since I have no other choice. – João Rodrigues Oct 11 '14 at 14:35
  • @JoaoRodrigues Sorry, that was poorly worded. I meant that you want to let other people do as much of your work for you as possible, particularly if they're professionals. I'm fairly certain that this applies to most programming situations :) – KnightOfNi Oct 11 '14 at 15:15
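
The answers above recommend running the RMI traffic over SSL/TLS rather than a hand-built protocol. As an added example (not code from any of the posts), this sketch uses the JDK's own `javax.rmi.ssl` socket factories for both the registry and the remote object. The `FileStore` interface, the binding name, the host, port 1099 and the key store and trust store locations are assumptions for illustration.

```java
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;
import javax.rmi.ssl.SslRMIClientSocketFactory;
import javax.rmi.ssl.SslRMIServerSocketFactory;

public class TlsRmiDemo {
    // Hypothetical remote interface for the file-sharing service.
    public interface FileStore extends Remote {
        String[] list(String user) throws RemoteException;
    }

    // Placeholder implementation; a real one would authenticate the caller first.
    static class FileStoreImpl implements FileStore {
        @Override
        public String[] list(String user) {
            return new String[] {"report.pdf.enc"}; // constructed sample data
        }
    }

    static FileStore keepAlive; // strong reference so the exported object is not collected

    public static void main(String[] args) throws Exception {
        SslRMIClientSocketFactory csf = new SslRMIClientSocketFactory();
        if (args.length > 0 && args[0].equals("server")) {
            // Run with -Djavax.net.ssl.keyStore=<path> -Djavax.net.ssl.keyStorePassword=<pw>
            // null = default cipher suites; TLS 1.2 only; no client certificate required.
            SslRMIServerSocketFactory ssf =
                new SslRMIServerSocketFactory(null, new String[] {"TLSv1.2"}, false);
            keepAlive = new FileStoreImpl();
            FileStore stub = (FileStore) UnicastRemoteObject.exportObject(keepAlive, 0, csf, ssf);
            // The registry itself is also served over TLS, not only the remote object.
            Registry registry = LocateRegistry.createRegistry(1099, csf, ssf);
            registry.bind("FileStore", stub);
            System.out.println("FileStore bound over TLS on port 1099");
        } else {
            // Run with -Djavax.net.ssl.trustStore=<path> -Djavax.net.ssl.trustStorePassword=<pw>
            Registry registry = LocateRegistry.getRegistry("localhost", 1099, csf);
            FileStore store = (FileStore) registry.lookup("FileStore");
            for (String name : store.list("alice")) {
                System.out.println(name);
            }
        }
    }
}
```

The client only connects if the server's certificate chains to an entry in its trust store, which is the server authentication the answers describe; a plain `LocateRegistry.getRegistry("localhost", 1099)` without the client socket factory fails against this registry because it does not speak TLS.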
0

Yes to your SSL question, as has been answered above. However, I would suggest for password storage you consider using bcrypt as opposed to SHA512. It is a slower-to-calculate algorithm, so it makes your passwords harder to crack if your hashes are dumped.

theterribletrivium