Protect sensitive string in .class


dagarwal82

If my application uses an encryption key to encrypt some data, then
what is the best possible way to get that key?
I mean if I keep the encryption key inside a class file then someone
may decompile the file and get the key.
 

zhengxianfu

> If my application uses an encryption key to encrypt some data, then
> what is the best possible way to get that key?
> I mean if I keep the encryption key inside a class file then someone
> may decompile the file and get the key.

Did you use your own algorithm to encrypt? If yes, I think you should
turn to some public algorithms to protect your data.
There are several mature algorithms that you can reference, such as
RSA, DES, etc. They can be divided into two main
categories: symmetrical encryption and dissymmetrical
encryption. The dissymmetric one has different keys for
encryption and decryption, so you don't need to worry about the key to
encrypt, just keep the one to decrypt.
 

Arne Vajhøj

> If my application uses an encryption key to encrypt some data, then
> what is the best possible way to get that key?
> I mean if I keep the encryption key inside a class file then someone
> may decompile the file and get the key.

You are aware that this is pure obfuscation, not real
security.

If the app decrypts the string before usage, then anyone can
put in a System.out.println just before the usage.

The secure solution is not to put the info in the code.

If you want to obfuscate to keep 12 year olds from
decompiling, then use any algorithm - Caesar will
probably do.

Arne
 

dagarwal82

The said:
> The secure solution is not to put the info in the code.

Yeah, I understand. But then where should I keep the key if I have to
distribute my application... (I guess there is no solution for this).
Asymmetric ciphers are the possible solution, but again in a standalone
application I will have to wrap up the encrypt-decrypt mechanism in my
application and hence the private-public key combination.
 

Robert Klemme

> Yeah, I understand. But then where should I keep the key if I have to
> distribute my application... (I guess there is no solution for this).
> Asymmetric ciphers are the possible solution, but again in a standalone
> application I will have to wrap up the encrypt-decrypt mechanism in my
> application and hence the private-public key combination.

Whatever you do (meaning: whatever cipher you use) there is no real
security with Java. As soon as someone can get his hands on the code he
can decompile and recompile it (or even modify bytecode) - including
adding output of your key or decrypted data.

Kind regards

robert
 

Lew

Robert said:
> Whatever you do (meaning: whatever cipher you use) there is no real
> security with Java. As soon as someone can get his hands on the code he
> can decompile and recompile it (or even modify bytecode) - including
> adding output of your key or decrypted data.

It's a fundamental principle that keys are distributed via a separate channel
from messages. It isn't just Java, it's a truism for any message category.

If the message is corrupted, how can one trust the key within it?

- Lew
 

Rogan Dawes

Robert said:
> Whatever you do (meaning: whatever cipher you use) there is no real
> security with Java. As soon as someone can get his hands on the code he
> can decompile and recompile it (or even modify bytecode) - including
> adding output of your key or decrypted data.
>
> Kind regards
>
> robert

Having said that, don't make the mistake of thinking that any other
languages are any better. Simply run the application under a debugger,
single stepping through it until you perform the crypto operations. Bang
- there's your key, regardless of whether it was originally written in
Java, C, Pascal or assembly.

Asymmetric crypto could solve your problem, as long as you can enrol
your users in a secure fashion. i.e. let them generate a key pair, and
send you the public key.

As another poster pointed out, this should be done out of band, most likely.

Rogan
 

Arne Vajhøj

> Yeah, I understand. But then where should I keep the key if I have to
> distribute my application... (I guess there is no solution for this).
> Asymmetric ciphers are the possible solution, but again in a standalone
> application I will have to wrap up the encrypt-decrypt mechanism in my
> application and hence the private-public key combination.

You have not written what your real problem is.

But a typical one is a Java desktop app which
accesses a database and the sensitive information
is username and password for the database.

And probably the best solution is to give users individual
usernames/passwords and let them enter it into the app.

Arne
 

Alex Hunsley

Robert said:
> Whatever you do (meaning: whatever cipher you use) there is no real
> security with Java. As soon as someone can get his hands on the code he
> can decompile and recompile it (or even modify bytecode) - including
> adding output of your key

Which won't matter a jot if Java is using asymmetric (public key)
encryption. Knowing the public key a message was encrypted with won't
allow someone to intercept an asymmetrically encrypted message and
decode it - you'd need the private key for that (which only the
server/service has).
> or decrypted data.

Yeah, you could spoof the Java app to send plaintext elsewhere
before it is encrypted with the public key....
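As an added illustration of the scheme Rogan and Alex describe (this is not code from the thread or from any of its posters): the distributed client compiles in only the server's public key, so decompiling the .class reveals nothing worth keeping secret, while the private key stays on the server. The class and method names and the sample "user-typed" secret are assumed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.spec.X509EncodedKeySpec;
import javax.crypto.Cipher;

// Added illustration, not code from the thread. Class and method names are assumed.
public class PublicKeyOnlyClient {
    private static final String RSA_OAEP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    // Server side: the key pair is generated here and the private key never ships.
    static KeyPair generateServerKeyPair() throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        return gen.generateKeyPair();
    }

    // Client side: the only key material compiled into the .class is the
    // X.509-encoded public key, which a decompiler may read without gaining anything.
    static byte[] encryptForServer(byte[] embeddedPublicKey, String secret) throws Exception {
        PublicKey pub = KeyFactory.getInstance("RSA")
                .generatePublic(new X509EncodedKeySpec(embeddedPublicKey));
        Cipher c = Cipher.getInstance(RSA_OAEP);
        c.init(Cipher.ENCRYPT_MODE, pub);
        // Caveat raised in the thread: the plaintext is in the client's memory at this
        // point, so a modified client or a debugger still sees it.
        return c.doFinal(secret.getBytes(StandardCharsets.UTF_8));
    }

    // Server side: only the holder of the private key can recover the plaintext.
    static String decryptOnServer(PrivateKey priv, byte[] ciphertext) throws Exception {
        Cipher c = Cipher.getInstance(RSA_OAEP);
        c.init(Cipher.DECRYPT_MODE, priv);
        return new String(c.doFinal(ciphertext), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        KeyPair kp = generateServerKeyPair();
        byte[] shippedPublicKey = kp.getPublic().getEncoded(); // what goes in the .class
        // Constructed sample secret: a credential the user typed in, as Arne suggests.
        byte[] ct = encryptForServer(shippedPublicKey, "user-typed database password");
        System.out.println(decryptOnServer(kp.getPrivate(), ct));
    }
}
```

Shipping the public key this way only protects the data on its way to the server; it does nothing for a secret that the client itself must hold, which is the case the thread says has no code-level fix.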