 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
Java Forum / Security / April 2004Good security solution
Hello, I'm currently developing an application that downloads data (plain ascii) from the Internet. I want this data encrypted and saved on disk. Then I want this data to be decrypted when needed. Everything is done by this app alone. My question is what would be the best decryption/encryption solution for a system like this? I was thinking about using keys and DES algorithm, but this would require that the key is supplied with the application and anyone with a little knowledge could extract the key from the application. Is there a secure way in accomplishing this? :: cheers, rob > I'm currently developing an application > that downloads data (plain ascii) from [quoted text clipped - 16 lines] > > Is there a secure way in accomplishing this? You can use public key encryption. Generate a key pair, and give the private key to the owner, who is eventually to decrypt the data. Have the application generate a random secret key and use it to encrypt the data (using AES (DES if you insist) and a proper encryption mode and a Message Authentication Code). Have the application encrypt the random secret key using the public key of the owner. The owner then uses the private key of the key pair to recover the random secret key, which she then uses to decrypt the data. There are a fair number of details involved in getting this to work right, but it can be done. --Mike Amling [snip] > You can use public key encryption. Generate a key pair, and give the > private key to the owner, who is eventually to decrypt the data. [quoted text clipped - 9 lines] > > --Mike Amling Thank you for the help Michael, I will give it a try. .:. rob >Is there a secure way in accomplishing this? One way is to make the user key in a passphrase to decrypt. You never store the passphrase and you wipe all trace of it after you use it. Then access to the class files in no help. That is annoying for the user, so what you can do is use a Thumbdrive http://mindprod.com/jgloss/thumbdrive.html. It looks like a keychain fob that you can plug into a USB port. Basically it stores small amounts of confidential data, e.g. encryption keys. It is only available when plugged in. -- Canadian Mind Products, Roedy Green. Coaching, problem solving, economical contract programming. See http://mindprod.com/jgloss/jgloss.html for The Java Glossary. > That is annoying for the user, so what you can do is use a Thumbdrive > http://mindprod.com/jgloss/thumbdrive.html. 404: The requested URL /jgloss/thumbdrive.html was not found on this server. I assume the referenced thumbdrive is a source of a plaintext password. There are also USB devices that store public/private key pairs. The good ones generate the private key on board and never divulge it, but will use it to decrypt or form a signature if the user supplies a password. --Mike Amling > The good ones generate the private key on board and never divulge it, but > will use it to decrypt or form a signature if the user supplies a password. Have you ever used one of these tokens? How does the decryption aspect work? Do you have to 'wire' input and output streams to the device? How easy are they to work with in java? -- Shane >> The good ones generate the private key on board and never divulge it, >> but will use it to decrypt or form a signature if the user supplies a [quoted text clipped - 3 lines] > work? Do you have to 'wire' input and output streams to the device? How > easy are they to work with in java? I use a Rainbow iKey all the time for S/MIME with MS Outlook 2000. I have the SDK around here somewhere, but I haven't used it, and it's not Java-oriented. I have yet to see any Java interface to USB, not that I've been looking. --Mike Amling [snip] > I have yet to see any Java interface to USB, not that I've been looking. > > --Mike Amling I know of only one Java interface to USB, however I have never tried it and I don't know how well it works. Here is the URL if you want to take a look: jUSB: http://jusb.sourceforge.net/ .:. rob >That is annoying for the user, so what you can do is use a Thumbdrive >http://mindprod.com/jgloss/thumbdrive.html. oops that should be http://mindprod.com/bgloss/thumbdrive.html It is in the computer buyer's glossary, not the java glossary. -- Canadian Mind Products, Roedy Green. Coaching, problem solving, economical contract programming. See http://mindprod.com/jgloss/jgloss.html for The Java Glossary. Free MagazinesGet these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...
|
Reply to this Message
|
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2008 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.