<div class="docbook"><div class="navheader"><table summary="Navigation header" width="100%"><tr><th align="center" colspan="3">Chapter 9. Message Encryption</th></tr><tr><td align="left" width="20%"><a accesskey="p" href="JMS-Client-0-8-Binding-URL.html">Prev</a> </td><th align="center" width="60%"> </th><td align="right" width="20%"> <a accesskey="n" href="JMS-Client-Message-Encryption-Sending.html">Next</a></td></tr></table><hr /></div><div class="chapter"><div class="titlepage"><div><div><h1 class="title"><a id="JMS-Client-Message-Encryption"></a>Chapter 9. Message Encryption</h1></div></div></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="JMS-Client-Message-Encryption.html#JMS-Client-Message-Encryption-Overview">9.1. Overview</a></span></dt><dt><span class="section"><a href="JMS-Client-Message-Encryption-Sending.html">9.2. Sending an Encrypted Message</a></span></dt><dd><dl><dt><span class="section"><a href="JMS-Client-Message-Encryption-Sending.html#JMS-Client-Message-Encryption-Sending-Setting-TrustStore">9.2.1. Providing the Trust Store</a></span></dt><dt><span class="section"><a href="JMS-Client-Message-Encryption-Sending.html#JMS-Client-Message-Encryption-Sending-Enabling-Encryption">9.2.2. Enabling Encryption</a></span></dt><dt><span class="section"><a href="JMS-Client-Message-Encryption-Sending.html#JMS-Client-Message-Encryption-Sending-Choosing-Recipients">9.2.3. Choosing Recipients</a></span></dt><dt><span class="section"><a href="JMS-Client-Message-Encryption-Sending.html#JMS-Client-Message-Encryption-Sending-Exposing-Properties">9.2.4. Exposing Properties</a></span></dt></dl></dd><dt><span class="section"><a href="JMS-Client-Message-Encryption-Receiving.html">9.3. Receiving an Encrypted Message</a></span></dt><dd><dl><dt><span class="section"><a href="JMS-Client-Message-Encryption-Receiving.html#JMS-Client-Message-Encryption-Sending-Setting-KeyStore">9.3.1. 
Providing the Key Store</a></span></dt></dl></dd><dt><span class="section"><a href="JMS-Client-Message-Encryption-Example.html">9.4. Message Encryption Example</a></span></dt><dd><dl><dt><span class="section"><a href="JMS-Client-Message-Encryption-Example.html#JMS-Client-Message-Encryption-Example-Introduction">9.4.1. Introduction</a></span></dt><dt><span class="section"><a href="JMS-Client-Message-Encryption-Example.html#JMS-Client-Message-Encryption-Example-Prerequisites">9.4.2. Prerequisites</a></span></dt><dt><span class="section"><a href="JMS-Client-Message-Encryption-Example.html#JMS-Client-Message-Encryption-Example-Broker-Config">9.4.3. Broker Configuration</a></span></dt><dt><span class="section"><a href="JMS-Client-Message-Encryption-Example.html#JMS-Client-Message-Encryption-Example-Client-Config">9.4.4. Client Configuration</a></span></dt><dt><span class="section"><a href="JMS-Client-Message-Encryption-Example.html#JMS-Client-Message-Encryption-Example-Application">9.4.5. Application Code</a></span></dt></dl></dd></dl></div><p>
In some cases it is desirable to ensure that no one but the intended recipient(s) of a message can read
its contents. Using SSL/TLS to encrypt the traffic between client and broker only prevents someone
snooping the network from reading messages: once a message arrives at the broker it is decrypted, so
anyone with access to the broker (including anyone who can read a persisted message from the broker's
store) can read it. For such confidential information it is necessary to implement end-to-end
encryption, such that the sender encrypts the message before sending it, and the recipient(s), upon
receiving the message, decrypt it with a secret known only to them.
</p><p>
Neither JMS nor AMQP defines a mechanism for message encryption; however, any application can build a
message encryption scheme on top of the JMS API. For convenience the Client provides a built-in mechanism
for encrypting and decrypting messages. This mechanism is currently only implemented in the Client for
AMQP 0-8/0-9/0-9-1/0-10. If you use a different client you will be unable to read encrypted messages.
</p><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="JMS-Client-Message-Encryption-Overview"></a>9.1. Overview</h2></div></div></div><p>
For each encrypted message the client sends, a new message-specific secret key is generated. This
secret key is used to encrypt the message contents with symmetric encryption (currently only AES-256 is
supported, although other algorithms may be added at a later date). For each intended recipient of the
message, the client encrypts the secret key using the public key associated with that recipient, and adds
the result to the message as a header. A message for several recipients therefore carries one encrypted
copy of the secret key per recipient, while the body itself is encrypted only once. On receipt of an
encrypted message, the client checks whether it holds a private key that can decrypt one of those secret
keys. If the client is unable to decrypt the message (for instance, because it was not one of the intended
recipients) the message is still delivered, but is presented to the application as a BytesMessage
containing the encrypted data; an application that expects plaintext must therefore be prepared to
receive ciphertext instead. The scheme provides confidentiality only: as described here it does not sign
messages, so it does not by itself tell a recipient who sent a message.
</p><p>
In order to send an encrypted message it is necessary to know the certificates of the intended recipients.
Certificates can be distributed either through out-of-band mechanisms, or the Apache Qpid Broker-J can be
used to distribute them to clients. Whichever mechanism is used, the sender must be able to trust that a
certificate really belongs to the intended recipient: anyone who can substitute their own certificate for a
recipient's will be able to read messages sent to that recipient.
</p><p>
In order to receive an encrypted message it is necessary to have a certificate (which needs to be
distributed to those who you wish to send messages to you) and to hold the private key associated with that
certificate so that you can decrypt messages sent to you. The private key is the only secret protecting the
messages and must never be distributed.
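The hybrid scheme described in the three paragraphs above (a fresh per-message AES-256 key, wrapped once per recipient under that recipient's public key, with a non-recipient receiving only the encrypted bytes), as an added example that is not part of the Qpid client and not its code. The key-wrapping algorithm (RSA-OAEP with SHA-256), the body mode (AES-GCM), the Envelope layout, the KeyID fingerprint used to match headers to recipients, and the in-memory key generation are all assumptions of this example; this page does not specify, and the example does not reproduce, the client's actual header names or wire format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
)

// WrappedKey stands in for the per-recipient header: the message key under one
// recipient's public key. KeyID (truncated SHA-256 of that public key) is this
// example's assumption for letting a receiver find its own header.
type WrappedKey struct {
	KeyID   string
	Wrapped []byte
}

type Envelope struct {
	Nonce, Ciphertext []byte      // body encrypted once, under the message key
	Keys              []WrappedKey // one entry per intended recipient
}

func keyID(pub *rsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for an *rsa.PublicKey
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:8])
}

// Encrypt draws a fresh AES-256 key for this message, seals the body with it
// (GCM is this example's choice of mode) and wraps the key per recipient with RSA-OAEP.
func Encrypt(plain []byte, recipients []*rsa.PublicKey) (*Envelope, error) {
	buf := make([]byte, 32+12) // fresh 256-bit key and 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	secret, nonce := buf[:32], buf[32:]
	block, _ := aes.NewCipher(secret) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)    // AES block size is 128 bits: cannot fail
	env := &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plain, nil)}
	for _, pub := range recipients {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, secret, nil)
		if err != nil {
			return nil, err
		}
		env.Keys = append(env.Keys, WrappedKey{KeyID: keyID(pub), Wrapped: w})
	}
	return env, nil
}

// Decrypt returns the plaintext and true when priv unwraps one of the headers; otherwise
// the still-encrypted body and false, as the client does for a non-recipient (BytesMessage).
func Decrypt(env *Envelope, priv *rsa.PrivateKey) ([]byte, bool) {
	mine := keyID(&priv.PublicKey)
	for _, k := range env.Keys {
		if k.KeyID != mine {
			continue // wrapped for someone else
		}
		secret, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, k.Wrapped, nil)
		if err != nil || len(secret) != 32 {
			continue // not our key after all, or a malformed one
		}
		block, _ := aes.NewCipher(secret)
		gcm, _ := cipher.NewGCM(block)
		if plain, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil); err == nil {
			return plain, true
		}
	}
	return env.Ciphertext, false
}

// genKey makes an in-memory key pair; a real client loads its keys from the key store and trust store.
func genKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// Scenario: Alice and Bob are intended recipients, Mallory (someone with broker access) is not.
func Scenario(msg string) (aliceText string, aliceOK, bobOK, malloryOK bool) {
	alice, bob, mallory := genKey(), genKey(), genKey()
	env, err := Encrypt([]byte(msg), []*rsa.PublicKey{&alice.PublicKey, &bob.PublicKey})
	if err != nil {
		panic(err)
	}
	text, ok := Decrypt(env, alice)
	_, bobOK = Decrypt(env, bob)
	_, malloryOK = Decrypt(env, mallory)
	return string(text), ok, bobOK, malloryOK
}

func main() {
	text, a, b, m := Scenario("constructed sample: transfer 42 approved")
	fmt.Printf("alice=%v bob=%v mallory=%v text=%q\n", a, b, m, text)
}
```

Note that Mallory is refused not because anything fails loudly but because no header on the message was wrapped for her key, so Decrypt falls through and hands back the ciphertext; this is the situation the Overview describes when a non-recipient sees a BytesMessage of encrypted data.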
</p><p>
This feature requires that the Java Cryptography Extension (JCE) Unlimited Strength policy files are
installed in the JVM, since AES-256 exceeds the key size permitted by the restricted policy that older
JDKs ship by default. (From JDK 8u161 and JDK 9 onwards the unlimited policy is the default and no
separate files need to be installed.)
</p></div></div><div class="navfooter"><hr /><table summary="Navigation footer" width="100%"><tr><td align="left" width="40%"><a accesskey="p" href="JMS-Client-0-8-Binding-URL.html">Prev</a> </td><td align="center" width="20%"> </td><td align="right" width="40%"> <a accesskey="n" href="JMS-Client-Message-Encryption-Sending.html">Next</a></td></tr><tr><td align="left" valign="top" width="40%">Chapter 8. Binding URL </td><td align="center" width="20%"><a accesskey="h" href="JMS-Client-Book.html">Home</a></td><td align="right" valign="top" width="40%"> 9.2. Sending an Encrypted Message</td></tr></table></div></div>