Your SSL conversation between Java and PHP will protect your data while it's in transit. Should you properly protect the private key with a strong password (10+ symbols) and make sure your algorithms are strong, no one will be able to break it by snooping on the conversation. You won't get any extra protection by encrypting the data before sending it over the SSL conversation.
And you actually might be weakening your security because in order for you to encrypt data you'll have to share some key should you choose symmetric encryption. And, by trading secret keys you're undoing much of the protection SSL gives you because the huge benefit of SSL is the fact we can encrypt data without agreeing on a secret key. If I were trying to get at your encrypted text I'd attack your client because it's easier to find your symmetric encryption key than it is to break SSL.
And while you could use asymmetric encryption you'll basically be re-inventing SSL. I would focus on making sure your SSL conversation is strong. Use only the strongest symmetric encryption: TripleDES, IDEA, AES if your server supports it.
Take out the weaker algorithms so conversations can't use the weaker encryption. Generate 1024+ public/private key pairs. That might not always be easy on your shared server, but your Java application could only choose to use TripleDES, IDEA, and AES.
Make sure you validate the server's certificate on the client side so you ensure you aren't talking to a false service. That basically means taking the server's certificate and adding it to the keystore used on the client. If that's Java you can use keytool to import a certificate and use that keystore as your TrustManager/KeyManager in your SSL conversation.
If you want to encrypt the data after it's gone over the SSL conversation then you can encrypt/decrypt on the server only. But, you still have a key management problem. If you encrypt/decrypt how do you plan on securing the secret key on the server?
That's always the ugly problem that doesn't have a simple answer.
Yes you are right AES would be best, but I don't think Apache supports it out of the box. Thanks for mentioning it. I added it to the answer just in case. – chubbard Aug 27 at 16:59

@chubbard: sorry for the delayed reply and thank you very much for your answer. I will definitely just settle for the security of my SSL certificate now; I am very glad that you warned me that I could actually compromise my SSL by adding another layer of encryption - especially seeing as though I'm not an expert at PHP at the best of times! You have also told me about importing the certificate into my Java application, which is something that I wasn't aware I should do and I will definitely look into - so I thank you for that as well! (I just thought it was a simple case of putting https not http) – Andy Aug 27 at 18:00

Unfortunately, I'm not sure that I have the time, or knowledge to start ensuring that my "SSL conversation" is strong at the minute - but I am looking at investing into a dedicated server etc, etc. in the near future so hopefully that will allow me to take security to the next level... – Andy Aug 27 at 18:04
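As an added illustration of the answer's last two points (restrict the client to AES suites and validate the server certificate from an imported keystore), here is a Java client that trusts only the certificate in a keytool-built truststore and checks the hostname; this is example code, not chubbard's or any project's. The truststore path, its password, the alias and the host are placeholders.

```java
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

public class PinnedTlsClient {
    // Assumed: the PHP server's certificate was imported once with
    //   keytool -importcert -alias phpserver -file server.crt -keystore truststore.jks
    // so the client trusts that certificate and nothing else (placeholder names).
    public static void main(String[] args) throws Exception {
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream("truststore.jks")) {
            trust.load(in, "changeit".toCharArray()); // placeholder password
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key, only our truststore

        String host = "example.com"; // placeholder for the PHP server
        try (SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(host, 443)) {
            SSLParameters p = sock.getSSLParameters();
            // Keep only AES suites, and drop anonymous (unauthenticated) ones.
            p.setCipherSuites(Arrays.stream(sock.getSupportedCipherSuites())
                    .filter(s -> s.contains("_AES_") && !s.contains("anon"))
                    .toArray(String[]::new));
            // Keep only modern protocol versions that this JVM supports.
            p.setProtocols(Arrays.stream(sock.getSupportedProtocols())
                    .filter(v -> v.equals("TLSv1.2") || v.equals("TLSv1.3"))
                    .toArray(String[]::new));
            // Raw SSLSocket does not check the certificate name against the host by default.
            p.setEndpointIdentificationAlgorithm("HTTPS");
            sock.setSSLParameters(p);
            sock.startHandshake(); // throws if the certificate is untrusted or the name mismatches

            OutputStream out = sock.getOutputStream();
            out.write(("GET / HTTP/1.0\r\nHost: " + host + "\r\n\r\n").getBytes(StandardCharsets.US_ASCII));
            out.flush();
            BufferedReader r = new BufferedReader(new InputStreamReader(sock.getInputStream(), StandardCharsets.UTF_8));
            System.out.println(sock.getSession().getCipherSuite() + " -> " + r.readLine());
        }
    }
}
```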