Signature

[andrewzzz]

Hi guys,
I'm working on my thesis,and my prof. told me that I have to sign a
java object with a public key.
Looks to be impossible, but I asked him again and he confirmed what he
said.
How do I create a digital signature of a java object using a Publik
Key??
Thanks a Lot guys!!!
Bye!

 

[Alex Hunsley]

Hi guys,
I'm working on my thesis,and my prof. told me that I have to sign a
java object with a public key.

I know of no existing standard way of doing that.
Are you sure you mean a "sign a Java object" and not "sign an object
instance"? Or maybe you just mean "sign a Java source file or jar"?

And is it signing quite literally any Java object/instance that may
exist, or only a certain class or instanceS of that class?

Looks to be impossible, but I asked him again and he confirmed what he
said.

Of course it's not impossible. It might not be possible using existing
Java APIs - i.e. there's nothing there already to do this - but you
could implement this yourself. That, however, doesn't look to be a
trivial thing.

How do I create a digital signature of a java object using a Publik
Key??
Thanks a Lot guys!!!

Is a "publik key" different to a "public key"? You use both spellings in
your post...

Like I said, unless there is some built-in ojbect signing technology
I've missed in Java, you'll have to roll your own. If you're
implementing this, you need to go and understand what the public key
encryption concept is about, and how the signing concept works. Then
look at the existing encryption functionality provided by Java (and also
by third party 'providers'). *Then* you are maybe in a position to
implement a technology that verifies signed Java objects or instances
(whereby person A applies a public key, P, to an object/instance X, via
a well known function F, and checks if the resulting checksum C1 matches
a checksum, C2, that was provided along with X.)

A word to the wise: cryptography is not to be taken lightly. This may
just be for a project/hand-in, but if it's for serious use in any way,
you have to be very careful. For example, I've given info to you above.
How do you know I'm not just speaking rubbish, to try and get you to
implement an insecure system? Or suppose I give you good info, and you
implement something, also using correct publicly available information
(e.g. crypto stuff on Wikipedia) - you must be aware that you may
implement it wrongly, so that it is insecure, and never know. How would
you verify you'd done it correctly? (Hint: peer review, by the right
people, goes some way to fixing this problem.)

I've probably gone into far too much detail above (I find it an
interesting subject) - but you really need to speak to your prof/teacher
again and clarify exactly what they mean.

lex

 

[andrewzzz]

Are you sure you mean a "sign a Java object" and not "sign an object
instance"? Or maybe you just mean "sign a Java source file or jar"?

And is it signing quite literally any Java object/instance that may
exist, or only a certain class or instanceS of that class?

Java APIs - i.e. there's nothing there already to do this - but you
could implement this yourself. That, however, doesn't look to be a
trivial thing.

your post...

Like I said, unless there is some built-in ojbect signing technology
I've missed in Java, you'll have to roll your own. If you're
implementing this, you need to go and understand what the public key
encryption concept is about, and how the signing concept works. Then
look at the existing encryption functionality provided by Java (and also
by third party 'providers'). *Then* you are maybe in a position to
implement a technology that verifies signed Java objects or instances
(whereby person A applies a public key, P, to an object/instance X, via
a well known function F, and checks if the resulting checksum C1 matches
a checksum, C2, that was provided along with X.)

A word to the wise: cryptography is not to be taken lightly. This may
just be for a project/hand-in, but if it's for serious use in any way,
you have to be very careful. For example, I've given info to you above.
How do you know I'm not just speaking rubbish, to try and get you to
implement an insecure system? Or suppose I give you good info, and you
implement something, also using correct publicly available information
(e.g. crypto stuff on Wikipedia) - you must be aware that you may
implement it wrongly, so that it is insecure, and never know. How would
you verify you'd done it correctly? (Hint: peer review, by the right
people, goes some way to fixing this problem.)

I've probably gone into far too much detail above (I find it an
interesting subject) - but you really need to speak to your prof/teacher
again and clarify exactly what they mean.

lex

thanks a lot lex...
I will send an email to my prof. right now. I think he misconstrue
misconstrued.
Bye!

 

[Daniel Pitts]

Hi guys,
I'm working on my thesis,and my prof. told me that I have to sign a
java object with a public key.
Looks to be impossible, but I asked him again and he confirmed what he
said.
How do I create a digital signature of a java object using a Publik
Key??
Thanks a Lot guys!!!
Bye!

Perhaps he meant you have to "Digitally sign" your application (byte
code).
I'm not sure how to do this, but I know it is possible and common.
<http://www.developer.com/tech/article.php/602301> is one page I found
from google...
<http://java.sun.com/j2se/1.3/datasheet.html> Talks about signing.
You now need to do the rest of your research yourself Good luck.

Hope this helps,
Daniel.