Java Forum / General / February 2007

Protect sensitive string in .class

dagarwal82@gmail.com - 03 Feb 2007 12:02 GMT
If my application uses an encryption key to encrypt some data, then
what is the best possible way to get that key?
I mean if I keep the encryption key inside a class file then someone
may decompile the file and get the key..
zhengxianfu@gmail.com - 03 Feb 2007 13:20 GMT
On Feb 3, 8:02 pm, "dagarwa...@gmail.com" <dagarwa...@gmail.com> wrote:
> If my application uses an encryption key to encrypt some data, then
> what is the best possible way to get that key?
> I mean if I keep the encryption key inside a class file then someone
> may decompile the file and get the key..

Did you use your own algorithm to encrypt? If yes, I think you should
turn to some public algorithms to protect your data.
There are several mature algorithms that you can refer to, such as
RSA, DES, etc. They can be divided into two main
categories: dissymmetrical encryption and dissymmetrical
encryption. The dissymmetric one has different keys for
encryption and decryption, so you don't worry about the key to
encrypt, just keep the one to decrypt.
Arne Vajhøj - 03 Feb 2007 15:07 GMT
> If my application uses an encryption key to encrypt some data, then
> what is the best possible way to get that key?
> I mean if I keep the encryption key inside a class file then someone
> may decompile the file and get the key..

You are aware that this is pure obfuscation, not real
security.

If the app decrypts the string before usage, then anyone can
put in a System.out.println just before the usage.

The secure solution is not to put the info in the code.

If you want to obfuscate to keep 12 year olds from
decompiling, then use any algorithm - Caesar will
probably do.

Arne
dagarwal82@gmail.com - 05 Feb 2007 10:28 GMT
The Arne Vajh... wrote:
>The secure solution is not to put the info in the code.
Yeah, I understand. But then where should I keep the key if I have to
distribute my application... (I guess there is no solution for this).
Asymmetric ciphers are the possible solution but again in a standalone
application I will have to wrap up the encrypt-decrypt mechanism in my
application and hence the private-public key combination.

> dagarwa...@gmail.com wrote:
> > If my application uses an encryption key to encrypt some data, then
[quoted text clipped - 15 lines]
>
> Arne
Robert Klemme - 05 Feb 2007 22:12 GMT
> The Arne Vajh... wrote:
>> The secure solution is not to put the info in the code.
[quoted text clipped - 3 lines]
> application I will have to wrap up the encrypt-decrypt mechanism in my
> application and hence the private-public key combination.

Whatever you do (meaning: whatever cypher you use) there is no real
security with Java.  As soon as someone can get his hands on the code he
can decompile and recompile it (or even modify bytecode) - including
adding output of your key or decrypted data.

Kind regards

    robert
Lew - 06 Feb 2007 01:43 GMT
The Arne Vajh... wrote:
>>> The secure solution is not to put the info in the code.

dagarwal82@gmail.com
>> Yeah, I understand. But then where should I keep the key if I have to
>> distribute my application... (I guess there is no solution for this).

> Whatever you do (meaning: whatever cypher you use) there is no real
> security with Java.  As soon as someone can get his hands on the code he
> can decompile and recompile it (or even modify bytecode) - including
> adding output of your key or decrypted data.

It's a fundamental principle that keys are distributed via a separate channel
from messages. It isn't just Java, it's a truism for any message category.

If the message is corrupted, how can one trust the key within it?

- Lew
Rogan Dawes - 06 Feb 2007 10:15 GMT
>> The Arne Vajh... wrote:
>>> The secure solution is not to put the info in the code.
[quoted text clipped - 12 lines]
>
>     robert

Having said that, don't make the mistake of thinking that any other
languages are any better. Simply run the application under a debugger,
single stepping through it until you perform the crypto operations. Bang
- there's your key, regardless of whether it was originally written in
Java, C, Pascal or assembly.

Asymmetric crypto could solve your problem, as long as you can enrol
your users in a secure fashion. i.e. let them generate a key pair, and
send you the public key.

As another poster pointed out, this should be done out of band, most likely.

Rogan
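The enrolment Rogan describes, written out as an added example in Java (this is not code from the thread or from any poster): the user generates the key pair and hands over only the public key, the distributed application carries that public key, and decompiling it yields nothing that decrypts. The class name, the sample plaintext and the choice of RSA-2048 with OAEP are assumptions made for the example; the point being demonstrated is that a wrong private key is rejected while the right one round-trips.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
import javax.crypto.Cipher;

// Added example, not from the thread. Simulates the out-of-band enrolment:
// the user side keeps the private key; only the exported public key is
// given to the developer and compiled or configured into the shipped app.
public class EnrolmentDemo {
    // OAEP padding (assumption for the example); PKCS#1 v1.5 is not recommended for new code
    private static final String RSA_OAEP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    // User side: generate the pair and keep the private half.
    static KeyPair generateUserKeyPair() throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        return kpg.generateKeyPair();
    }

    // What the user sends to the developer: the X.509 SubjectPublicKeyInfo, base64 encoded.
    static String exportPublicKey(PublicKey pub) {
        return Base64.getEncoder().encodeToString(pub.getEncoded());
    }

    // Application side: this string is the only key material that ships in the .class.
    static PublicKey importPublicKey(String b64) throws GeneralSecurityException {
        byte[] der = Base64.getDecoder().decode(b64);
        return KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
    }

    static byte[] encryptForUser(PublicKey pub, byte[] plaintext) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(RSA_OAEP);
        c.init(Cipher.ENCRYPT_MODE, pub);
        return c.doFinal(plaintext); // RSA-2048 + OAEP/SHA-256 fits at most 190 bytes
    }

    static byte[] decryptAsUser(PrivateKey priv, byte[] ciphertext) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(RSA_OAEP);
        c.init(Cipher.DECRYPT_MODE, priv);
        return c.doFinal(ciphertext);
    }

    public static void main(String[] args) throws Exception {
        KeyPair user = generateUserKeyPair();
        String shipped = exportPublicKey(user.getPublic()); // received out of band, then embedded

        PublicKey pub = importPublicKey(shipped);
        String sample = "constructed sample secret"; // constructed plaintext for the demo
        byte[] ct = encryptForUser(pub, sample.getBytes(StandardCharsets.UTF_8));

        // Only the holder of the matching private key recovers the plaintext.
        String pt = new String(decryptAsUser(user.getPrivate(), ct), StandardCharsets.UTF_8);
        System.out.println(pt.equals(sample) ? "round trip ok" : "mismatch");

        // Someone who has only the shipped public key (or any other key pair) gets nothing.
        KeyPair other = generateUserKeyPair();
        try {
            decryptAsUser(other.getPrivate(), ct);
            System.out.println("unexpected: decrypted with the wrong key");
        } catch (GeneralSecurityException e) {
            System.out.println("wrong private key rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

This addresses only what is embedded in the distributed code. As Arne and Robert note above, anyone who can run the application under a debugger or patch its bytecode can still read the plaintext before it is encrypted; the public key protects the data in transit and at rest, not the running process.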
Alex Hunsley - 12 Feb 2007 17:29 GMT
>> The Arne Vajh... wrote:
>>> The secure solution is not to put the info in the code.
[quoted text clipped - 8 lines]
> can decompile and recompile it (or even modify bytecode) - including
> adding output of your key

Which won't matter a jot if Java is using asymmetric (public key)
encryption. Knowing the public key a message was encrypted with won't
allow someone to intercept an asymmetrically encrypted message and
decode it - you'd need the private key for that (which only the
server/service has).

> or decrypted data.

Yeah, you could spoof the Java app to send plaintext elsewhere
before it is encrypted with the public key....
Arne Vajhøj - 09 Feb 2007 02:59 GMT
> The Arne Vajh... wrote:
>> The secure solution is not to put the info in the code.
[quoted text clipped - 3 lines]
> application I will have to wrap up the encrypt-decrypt mechanism in my
> application and hence the private-public key combination.

You have not written what your real problem is.

But a typical one is a Java desktop app which
accesses a database and the sensitive information
is username and password for the database.

And probably the best solution is to give users individual
usernames/passwords and let them enter it into the app.

Arne
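Arne's suggestion, written out as an added example in Java (not code from the thread or any poster): the database credentials never appear in the .class file; the user types them at startup, the password is held in a char[] rather than an interned String constant, and the array is zeroed once the connection is open. The class name and the JDBC URL are placeholders assumed for the example; a real driver must be on the classpath for the connection to succeed.

```java
import java.io.Console;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Arrays;
import java.util.Properties;

// Added example, not from the thread. Nothing sensitive is compiled in:
// a decompiler sees only the URL and the prompts.
public class PromptedDbLogin {
    // Placeholder URL (assumption); replace with the real one for your driver.
    private static final String JDBC_URL = "jdbc:postgresql://db.example.invalid/appdb";

    // Prompt interactively; readPassword() does not echo and returns a char[]
    // that we can wipe, unlike a String, which stays in the heap until collected.
    static Connection connectWithPrompt(Console console) throws SQLException {
        String user = console.readLine("Database username: ");
        char[] password = console.readPassword("Database password: ");
        try {
            return connect(user, password);
        } finally {
            Arrays.fill(password, '\0'); // shorten the secret's lifetime in memory
        }
    }

    static Connection connect(String user, char[] password) throws SQLException {
        Properties props = new Properties();
        props.setProperty("user", user);
        // The JDBC API only takes a String here; the char[] above is still wiped,
        // but this copy lives until the driver and the GC are done with it.
        props.setProperty("password", new String(password));
        return DriverManager.getConnection(JDBC_URL, props);
    }

    public static void main(String[] args) {
        Console console = System.console();
        if (console == null) {
            // No TTY (e.g. launched from an IDE): refuse rather than fall back to echoing input.
            System.err.println("No interactive console; run from a terminal.");
            System.exit(2);
        }
        try (Connection conn = connectWithPrompt(console)) {
            System.out.println("Connected as " + conn.getMetaData().getUserName());
        } catch (SQLException e) {
            System.err.println("Login failed: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

With per-user accounts the database itself can audit and revoke individuals, which a single shared password baked into the jar can never do.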


©2008 Advenet LLC   Privacy Policy - Terms of Use