storing sensitive data in java code

schw

Hi All,

I store a couple of private keys for encryption/decryption in my java
code as byte[]. What is an easy way to mangle them so they are very
difficult to get?

thanks for your help

cheers
schw
 
Alex Hunsley

schw said:
Hi All,

I store a couple of private keys for encryption/decryption in my java
code as byte[]. What is an easy way to mangle them so they are very
difficult to get?

thanks for your help

Depends. You want strong crypto, or happy just mangling them a little so
casual memory snooping wouldn't make them stand out?

If strong crypto, search around for java/cryptography - but you probably
want JCE. Plus, providers like Bouncy Castle do crypto stuff you can
download.

http://java.sun.com/products/jce/


Are these for storage in memory only? Do they get written anywhere? Do
they go over network?
lex
 
Chris Uppal

schw said:
I store a couple of private keys for encryption/decryption in my java
code as byte[]. What is an easy way to mangle them so they are very
difficult to get?

First off, why are you including private keys at all? Normally you would
include a public key (only) so that the app can either encrypt or decrypt data
which you read or write using your private key (which never leaves your
building). If the app has to both encrypt /and/ decrypt the same data then
there seems little point in using private/public key pairs at all -- you might
just as well use a symmetric cypher which would be much faster, and no less
secure.


Anyway, those doubts aside, it is (as you apparently know) impossible to
prevent someone reading any data which is embedded in a .class file -- the
format is far too open for it even to be difficult (except for technically
naive users). Only you know how much security you want for a given level of
effort. It may be that your best trade-off between the two is simply to leave
the data "in clear" and trust to luck. If not then maybe a simple "encryption"
trick like reversing or xor-ing the data would provide a little more peace of
mind at very little cost in complexity. It's not a /lot/ of peace of mind,
though.

I think that about the best you could do is create some very complicated code
(perhaps a known encryption algorithm) which decrypted the data on the basis of
information which it is hard for a cracker to control (such as a crypto-quality
hash of the bytecodes of the classes which are active on the stack at the time
it is called). Then buy the best obfuscator you can find, use it on your
decryption routine, and embed your data (the keys you want to protect) in the
delivered app "encoded" in a way that your new routine will decode. And then go
on trusting to luck. A lot of effort for not much gain -- I repeat that only
you can judge whether it is worth it.

-- chris
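
Added example, not part of the post above or any poster's code: the layout described in the first paragraph of that post, where the shipped application carries only a public key and the private key stays with whoever reads the data. The class and method names are hypothetical, the key pair is generated inline only so the demo runs stand-alone, and the AES-GCM plus RSA-OAEP combination is one assumed choice of JCE algorithms.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.X509EncodedKeySpec;

public class PublicKeyOnlyDemo {
    // Application side: the only key material in the shipped code is the
    // X.509-encoded PUBLIC key, so reading the .class file reveals no secret.
    static byte[][] seal(byte[] embeddedPublicKey, byte[] plaintext) throws GeneralSecurityException {
        PublicKey pub = KeyFactory.getInstance("RSA")
                .generatePublic(new X509EncodedKeySpec(embeddedPublicKey));
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey dataKey = kg.generateKey();          // fresh key per message
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);              // unique GCM nonce
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, dataKey, new GCMParameterSpec(128, iv));
        byte[] ciphertext = aes.doFinal(plaintext);
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.WRAP_MODE, pub);
        return new byte[][] { rsa.wrap(dataKey), iv, ciphertext };
    }

    // Vendor side: runs where the private key lives, never inside the shipped app.
    static byte[] open(PrivateKey priv, byte[][] sealed) throws GeneralSecurityException {
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.UNWRAP_MODE, priv);
        Key dataKey = rsa.unwrap(sealed[0], "AES", Cipher.SECRET_KEY);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.DECRYPT_MODE, dataKey, new GCMParameterSpec(128, sealed[1]));
        return aes.doFinal(sealed[2]);                 // throws if data was tampered with
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();            // constructed for the demo
        byte[] embedded = kp.getPublic().getEncoded(); // what would ship as byte[]
        byte[][] sealed = seal(embedded, "sample record".getBytes(StandardCharsets.UTF_8));
        System.out.println(new String(open(kp.getPrivate(), sealed), StandardCharsets.UTF_8));
    }
}
```

This covers only the case where the application writes data that someone else reads; if the same installation must also decrypt it, the key it needs is on the machine again and the rest of the thread applies.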
 
dagarwal82

You can use JNI (Java Native Interface) for this particular problem.
Actually, when you put your encryption key in a class file, it is
quite easy to decompile the class file and get the key. But if the key
is in some native code, say 'C' compiled code, then it is more
difficult to decompile the native code and get the key (it is difficult,
not impossible).
So it is like:
1) Define a native function in your Java code, e.g. public native
String getKey()
2) Define this function in some other native code language, and that
will return the key to the Java code, and then use it...
I guess I am clear!
 
Graham

Hi All,

I store a couple of private keys for encryption/decryption in my java
code as byte[]. What is an easy way to mangle them so they are very
difficult to get?

thanks for your help

cheers
schw

If you are considering the distribution of private keys then your
implementation of public key cryptography is wrong!

The security of the system relies on the secrecy of these keys so I'd
review your policy of just making them "very difficult to get". And
mangling is not the answer *obscurity is not security*.
 
Chris Uppal

1) Define a native function in your Java code, e.g. public native
String getKey()
2) Define this function in some other native code language, and that
will return the key to the Java code, and then use it...

So the evil cracker simply calls your native function himself, and your DLL
passes back the secret key -- job done!

;-)

-- chris
 
schw

thanks for your help.


I store a couple of private keys for encryption/decryption in my java
code as byte[]. What is an easy way to mangle them so they are very
difficult to get?
thanks for your help
cheers
schw

If you are considering the distribution of private keys then your
implementation of public key cryptography is wrong!

The security of the system relies on the secrecy of these keys so I'd
review your policy of just making them "very difficult to get". And
mangling is not the answer *obscurity is not security*.
 
