Protect sensitive string in .class

Discussion in 'Java' started by dagarwal82@gmail.com, Feb 3, 2007.

  1. Guest

    If my application uses an encryption key to encrypt some data, then
    what is the best possible way to get that key?
    I mean if I keep the encryption key inside a class file then someone
    may decompile the file and get the key.
    , Feb 3, 2007
    #1

  2. Guest

    On Feb 3, 8:02 pm, "" <> wrote:
    > If my application uses an encryption key to encrypt some data, then
    > what is the best possible way to get that key?
    > I mean if I keep the encryption key inside a class file then someone
    > may decompile the file and get the key.


    Did you use your own algorithm to encrypt? If yes, I think you should
    turn to some public algorithms to protect your data.
    There are several mature algorithms that you can refer to, such as
    RSA, DES, etc. They can be divided into two main
    categories: symmetric encryption and asymmetric
    encryption. The asymmetric kind has different keys for
    encryption and decryption, so you don't need to worry about the key used to
    encrypt, just keep the one used to decrypt.
    , Feb 3, 2007
    #2

  3. wrote:
    > If my application uses an encryption key to encrypt some data, then
    > what is the best possible way to get that key?
    > I mean if I keep the encryption key inside a class file then someone
    > may decompile the file and get the key.


    You are aware that this is pure obfuscation, not real
    security.

    If the app decrypts the string before usage, then anyone can
    put in a System.out.println just before the usage.

    The secure solution is not to put the info in the code.

    If you want to obfuscate to keep 12 year olds from
    decompiling, then use any algorithm - Caesar will
    probably do.

    Arne
    Arne Vajhøj, Feb 3, 2007
    #3
  4. Guest

    The Arne Vajh... wrote:
    >The secure solution is not to put the info in the code.

    Yeah, I understand. But then where should I keep the key if I have to
    distribute my application... (I guess there is no solution for this).
    Asymmetric ciphers are the possible solution, but again in a standalone
    application I will have to wrap up the encrypt-decrypt mechanism in my
    application and hence the private-public key combination.




    On Feb 3, 8:07 pm, Arne Vajhøj <> wrote:
    > wrote:
    > > If my application uses an encryption key to encrypt some data, then
    > > what is the best possible way to get that key?
    > > I mean if I keep the encryption key inside a class file then someone
    > > may decompile the file and get the key.

    >
    > You are aware that this is pure obfuscation, not real
    > security.
    >
    > If the app decrypts the string before usage, then anyone can
    > put in a System.out.println just before the usage.
    >
    > The secure solution is not to put the info in the code.
    >
    > If you want to obfuscate to keep 12 year olds from
    > decompiling, then use any algorithm - Caesar will
    > probably do.
    >
    > Arne
    , Feb 5, 2007
    #4
  5. On 05.02.2007 11:28, wrote:
    > The Arne Vajh... wrote:
    >> The secure solution is not to put the info in the code.

    > Yeah, I understand. But then where should I keep the key if I have to
    > distribute my application... (I guess there is no solution for this).
    > Asymmetric ciphers are the possible solution, but again in a standalone
    > application I will have to wrap up the encrypt-decrypt mechanism in my
    > application and hence the private-public key combination.


    Whatever you do (meaning: whatever cypher you use) there is no real
    security with Java. As soon as someone can get his hands on the code he
    can decompile and recompile it (or even modify bytecode) - including
    adding output of your key or decrypted data.

    Kind regards

    robert
    Robert Klemme, Feb 5, 2007
    #5
  6. Lew Guest

    The Arne Vajh... wrote:
    >>> The secure solution is not to put the info in the code.



    >> Yeah, I understand. But then where should I keep the key if I have to
    >> distribute my application... (I guess there is no solution for this).


    Robert Klemme wrote:
    > Whatever you do (meaning: whatever cypher you use) there is no real
    > security with Java. As soon as someone can get his hands on the code he
    > can decompile and recompile it (or even modify bytecode) - including
    > adding output of your key or decrypted data.


    It's a fundamental principle that keys are distributed via a separate channel
    from messages. It isn't just Java, it's a truism for any message category.

    If the message is corrupted, how can one trust the key within it?

    - Lew
    Lew, Feb 6, 2007
    #6
  7. Rogan Dawes Guest

    Robert Klemme wrote:
    > On 05.02.2007 11:28, wrote:
    >> The Arne Vajh... wrote:
    >>> The secure solution is not to put the info in the code.

    >> Yeah, I understand. But then where should I keep the key if I have to
    >> distribute my application... (I guess there is no solution for this).
    >> Asymmetric ciphers are the possible solution, but again in a standalone
    >> application I will have to wrap up the encrypt-decrypt mechanism in my
    >> application and hence the private-public key combination.

    >
    > Whatever you do (meaning: whatever cypher you use) there is no real
    > security with Java. As soon as someone can get his hands on the code he
    > can decompile and recompile it (or even modify bytecode) - including
    > adding output of your key or decrypted data.
    >
    > Kind regards
    >
    > robert


    Having said that, don't make the mistake of thinking that any other
    languages are any better. Simply run the application under a debugger,
    single stepping through it until you perform the crypto operations. Bang
    - there's your key, regardless of whether it was originally written in
    Java, C, Pascal or assembly.

    Asymmetric crypto could solve your problem, as long as you can enrol
    your users in a secure fashion. i.e. let them generate a key pair, and
    send you the public key.

    As another poster pointed out, this should be done out of band, most likely.

    Rogan
    Rogan Dawes, Feb 6, 2007
    #7
  9. wrote:
    > The Arne Vajh... wrote:
    >> The secure solution is not to put the info in the code.

    > Yeah, I understand. But then where should I keep the key if I have to
    > distribute my application... (I guess there is no solution for this).
    > Asymmetric ciphers are the possible solution, but again in a standalone
    > application I will have to wrap up the encrypt-decrypt mechanism in my
    > application and hence the private-public key combination.


    You have not written what your real problem is.

    But a typical one is a Java desktop app which
    accesses a database and the sensitive information
    is username and password for the database.

    And probably the best solution is to give users individual
    usernames/passwords and let them enter it into the app.

    Arne
    Arne Vajhøj, Feb 9, 2007
    #9
  10. Alex Hunsley Guest

    Robert Klemme wrote:
    > On 05.02.2007 11:28, wrote:
    >> The Arne Vajh... wrote:
    >>> The secure solution is not to put the info in the code.

    >> Yeah, I understand. But then where should I keep the key if I have to
    >> distribute my application... (I guess there is no solution for this).
    >> Asymmetric ciphers are the possible solution, but again in a standalone
    >> application I will have to wrap up the encrypt-decrypt mechanism in my
    >> application and hence the private-public key combination.

    >
    > Whatever you do (meaning: whatever cypher you use) there is no real
    > security with Java. As soon as someone can get his hands on the code he
    > can decompile and recompile it (or even modify bytecode) - including
    > adding output of your key


    Which won't matter a jot if Java is using asymmetric (public key)
    encryption. Knowing the public key a message was encrypted with won't
    allow someone to intercept an asymmetrically encrypted message and
    decode it - you'd need the private key for that (which only the
    server/service has).

    > or decrypted data.


    Yeah, you could spoof the Java app to send plaintext elsewhere
    before it is encrypted with the public key....
    Alex Hunsley, Feb 12, 2007
    #10
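The design the last two replies describe, as an added Java example that is not code from the thread: the shipped client holds only the server's public key (harmless if someone decompiles the .class) and wraps a fresh per-message AES key with it, so the private key never leaves the server. The key pair is generated in main only to stand in for the server's key management, and the message layout (wrapped key, IV, ciphertext, all Base64) is this example's own assumption.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class PublicKeyOnlyClient {
    // Client side: needs only the server's public key, which is harmless to ship in the .class.
    static String[] encryptForServer(PublicKey serverPub, byte[] plaintext) throws Exception {
        // Fresh per-message AES key: lives only in memory, never in the class file.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey dek = kg.generateKey();
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, dek, new GCMParameterSpec(128, iv));
        byte[] body = aes.doFinal(plaintext);
        // Wrap the AES key under RSA-OAEP: only the private-key holder can unwrap it.
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.WRAP_MODE, serverPub);
        byte[] wrapped = rsa.wrap(dek);
        Base64.Encoder b64 = Base64.getEncoder();
        return new String[] { b64.encodeToString(wrapped), b64.encodeToString(iv), b64.encodeToString(body) };
    }
    // Server side: holds the private key, which is never part of the distributed application.
    static byte[] decryptFromClient(PrivateKey serverPriv, String[] msg) throws Exception {
        Base64.Decoder b64 = Base64.getDecoder();
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.UNWRAP_MODE, serverPriv);
        SecretKey dek = (SecretKey) rsa.unwrap(b64.decode(msg[0]), "AES", Cipher.SECRET_KEY);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.DECRYPT_MODE, dek, new GCMParameterSpec(128, b64.decode(msg[1])));
        return aes.doFinal(b64.decode(msg[2]));
    }
    public static void main(String[] args) throws Exception {
        // Key pair generated here only to stand in for the server's key management.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        String[] msg = encryptForServer(kp.getPublic(), "database credentials".getBytes(StandardCharsets.UTF_8));
        System.out.println(new String(decryptFromClient(kp.getPrivate(), msg), StandardCharsets.UTF_8));
    }
}
```

This protects the data on its way to the server; as the last reply notes, it does not stop a user who modifies the client itself from reading the plaintext before it is encrypted.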