Hello all,
I am developing a j2me application and i am extremely concerned about the security
and encryption of data. I am planning to implement this using the https implementation
of java for MIDP2.0 profile and cldc1.1 configuration.
My question concerns how exactly the kvm performs the https negotiation beetween the sever
and the client and particularly if the client sends a certificate, so the sever knows that
the request is from a valid source.
Lets examine the following scenario:
I have a digitally signed Midlet and i have a https server with a valid certificate.The Midlet
performs a https connection with the server.During the "handshake" client and server exchange
some messages so they can authenticate each other.
I know that server's Certificate is used and client can authenticate that server is a trusted source.
Does this happen also from client side? Meaning that the client Midlet is using it's own certificate?
What certificate? Does the programmer have to implement/materialize anything or this is done
automatically and transparently from kvm?
Please Advice
NiKolaos
j2me https negotiation - Client Certificate
3 posts
• Page 1 of 1
j2me https negotiation - Client Certificate
by menis » Tue Dec 04, 2007 7:42 pm
- menis
- Posts: 12
- Joined: Sun Nov 25, 2007 6:11 pm
Re: j2me https negotiation - Client Certificate
by DevelopmentTeam » Wed Dec 05, 2007 3:27 am
There is a very good document explaining https connection from sun developers. please check this and if you have further questions let us proceed. 
http://developers.sun.com/mobility/midp/articles/https/
http://developers.sun.com/mobility/midp/articles/https/-
DevelopmentTeam - Site Admin
- Posts: 661
- Joined: Tue Aug 15, 2006 8:39 am
- Location: India
Re: j2me https negotiation - Client Certificate
by menis » Wed Dec 05, 2007 2:44 pm
Codetiger,
As i can see the in the url that you have posted ...
"...The Kilobyte SSL (or kSSL) is a client-side implementation of SSL version 3.0. It supports the most commonly used cipher suites,
such as RSA_RC4_128_MD5 and RSA_RC4_40_MD5. Note that kSSL doesn't support client-side authentication,..."
So i suppose that (Unfortunately) no client certificate is involved in the client server handshake.
Subsequently the question that arises is how the server can be sure (lets suppose in an e-commerce business model)
that the j2me client that requests data is a legitimate one, and NOT a malicious Midlet that imitates the behaviour
of a normal Midlet in order to steal data and stuff...? Can you suggest any satisfying mechanism? Can SATSA API
can be helpful on this direction?
As i can see the in the url that you have posted ...
"...The Kilobyte SSL (or kSSL) is a client-side implementation of SSL version 3.0. It supports the most commonly used cipher suites,
such as RSA_RC4_128_MD5 and RSA_RC4_40_MD5. Note that kSSL doesn't support client-side authentication,..."
So i suppose that (Unfortunately) no client certificate is involved in the client server handshake.
Subsequently the question that arises is how the server can be sure (lets suppose in an e-commerce business model)
that the j2me client that requests data is a legitimate one, and NOT a malicious Midlet that imitates the behaviour
of a normal Midlet in order to steal data and stuff...? Can you suggest any satisfying mechanism? Can SATSA API
can be helpful on this direction?
- menis
- Posts: 12
- Joined: Sun Nov 25, 2007 6:11 pm
3 posts
• Page 1 of 1
Who is online
Users browsing this forum: No registered users and 1 guest