schw said:
I store a couple of private keys for encryption/decryption in my java
code as byte[]. What is an easy way to mangle them so they are very
difficult to get?
First off, why are you including private keys at all ? Normally you would
include a public key (only) so that the app can either encrypt or decrypt data
which you read or write using your private key (which never leaves your
building). If the app has to both encrypt /and/ decrypt the same data then
there seems little point in using private/public key pairs at all -- you might
just as well use a symmetric cypher which would be much faster, and no less
secure.
Anyway, those doubts aside, it is (as you apparently know) impossible to
prevent someone reading any data which is embedded in a .class file -- the
format is far too open for it even to be difficult (except for technically
naive users). Only you know how much security you want for a given level of
effort. It may be that your best trade-off between the two is simply to leave
the data "in clear" and trust to luck. If not then maybe a simple "encryption"
trick like reversing or xor-ing the data would provide a little more peace of
mind at very little cost in complexity. It's not a /lot/ of peace of mind,
though.
I think that about the best you could do is create some very complicated code
(perhaps a known encryption algorithm) which decrypted the data on the basis of
information which it is hard for a cracker to control (such as a crypto-quality
hash of the bytecodes of the classes which are active on the stack at the time
it is called). Then buy the best obfuscator you can find, use it on your
decryption routine, and embed your data (the keys you want to protect) in the
delivered app "encoded" in a way that you new routine will decode. And then go
on trusting to luck. A lot of effort for not much gain -- I repeat that only
you can judge whether it is worth it.
-- chris