Solved

password protecting JAR files

Posted on 2001-07-05
30
665 Views
Last Modified: 2013-11-23
Does anyone know how to password protect JAR files?
Question by:limnestor
30 Comments
 
LVL 92

Expert Comment

by:objects
ID: 6258223
You could try using a password protected zip file.
Why do you need it?
0
 
LVL 92

Expert Comment

by:objects
ID: 6258246
But if you want a JAR that requires a password to run it then the answer is you can't.
0
 

Author Comment

by:limnestor
ID: 6258353
Thanks for your reply.  All I want to do is to protect the classes I developed so that no one would be able to disassemble them when I distribute them.  I am hoping that a password protected JAR file would do the trick.
0
 
LVL 92

Expert Comment

by:objects
ID: 6258356
Sorry there's no solid way of doing this as the JVM's class loader needs to be able to read the class files.
Have a look at obfusication, it won't stop people disassembling your classes, but it will make it hard to use the resulting source.
0
 
LVL 3

Expert Comment

by:dnoelpp
ID: 6258842
0
 
LVL 92

Expert Comment

by:objects
ID: 6258862
Don't pick on my spelling/typing :-)

Also have a look at Retroguard at www.retrologic.com.
Even has source code.

0
 
LVL 3

Expert Comment

by:dnoelpp
ID: 6258900
I am sorry! For doing research with search engines you need correctly spelt words... That's why I mentioned it. So peace, please! :-)

By the way, it's a good link of yours. :-)
0
 
LVL 92

Expert Comment

by:objects
ID: 6258945
English has too many keywords for my little head :-)
0
 
LVL 15

Expert Comment

by:mohan_sekar
ID: 6258947
Hi limnestor,

      Try the following link

http://developer.java.sun.com/developer/Books/JAR/sign/signing.html

bye
0
 
LVL 92

Expert Comment

by:objects
ID: 6258968
Signing a jar does not 'protect' the jar in any way, it just adds a signature to it.
0
 
LVL 3

Expert Comment

by:malcx
ID: 6259022
If you want some fun...
http://mindprod.com/unmain.html

Mal
0
 
LVL 92

Expert Comment

by:objects
ID: 6259067
:-)

And for a more serious article on the subject:
http://www.cigital.com/hostile-applets/maginot.html
0
 
LVL 9

Expert Comment

by:doronb
ID: 6262203
Hi,


I couldn't help notice that none of you suggested using a password protected ZIP file with the extension JAR and writing a ClassLoader that could open the JAR file. If you go this way just be sure to use YOUR class loader wherever you use Class.forName(..);


Doron
0
 
LVL 3

Expert Comment

by:dnoelpp
ID: 6262841
Good idea... Did you program such a classloader, doronb?
0
 
LVL 9

Expert Comment

by:doronb
ID: 6262909
Hi dnoelpp,


Unfortunately, no, because I've never found how to unzip a passworded zip file through Java... But I've written my own - however simple - encryption method, and after encrypting a normal JAR/ZIP file I was able to open it and load the classes with the ClassLoader I wrote.

So, partially, yes, I did do that, but not with normal ZIP-passworded files :)


Doron
0
 
LVL 92

Expert Comment

by:objects
ID: 6263417
doronb,

I mentioned password protected zip in my first comment.
Don't see that it helps much though as anyone WITH the password could then create an unprotected jar.
And having a ClassLoader that can open it doesn't help much as it's just as simple to open the password protected zip and extract the classes into an unprotected jar.
0
 
LVL 9

Expert Comment

by:doronb
ID: 6264348
Hi objects,


Since I encrypted the JAR/ZIP file myself I put the password inside the encrypted file and the decryption algorithm did all the work without asking the person to put in a password. Also, since the JAR file was encrypted AGAIN after it was read, it's not so easy to take out the class files unless you know exactly how the decryption algorithm opened the JAR file.


Doron
0
 
LVL 9

Expert Comment

by:doronb
ID: 6264359
Hi again :)


btw.. programming the ClassLoader is NOT the hard part! The hard bit is devising a protection algorithm/scheme that will enable only YOUR software to safely use the classes! I'm not sure which way's the best, but if there's another tool that can open your JARs other than your software then your software is a bit less protected than is possible, right?


Doron
0
 
LVL 3

Expert Comment

by:dnoelpp
ID: 6264565
I thought about a good protection scheme. ProtectedClassLoader is a class loader which reads classes from a protected file.

1. Encrypt the whole jar.

2. The password is calculated by a message digest from the ProtectedClassLoader class binary data and some other reproducible data sources you want to protect against tampering.
0
 
LVL 92

Expert Comment

by:objects
ID: 6267236
But what's protecting the classloader?
You can provide all the encryption under the sun for your jar, but as your class loader is unprotected getting at the class files is not that hard.
0
 
LVL 3

Expert Comment

by:dnoelpp
ID: 6268130
Disclaimer: I am not providing a "working" solution. I just would like to discuss ideas for a good protection scheme. Let's think and discuss! :-)

Yes, the classloader and a few helper startup classes aren't protected. Here some obfuscation and convoluted code will help a little.

The idea is that these classes are the only "visible" classes and their work is to bootstrap the real application which is hidden in the encrypted jar file.

I was trying to "invent" a protection which will make it very hard for a hacker to find the password to the protected classes. With a good debugger, however, it will be rather easy to step through the code and get the password for the jar, even if you stripped away debugging information, I am afraid.

So, I think additionally 1. obfuscation and 2. mangled code can help a little. The mangled code calculates the password in a convoluted way, but the weak point will be the invocation of the cryptography routines, like, say the generation of a SecretKeySpec object like this:

SecretKeySpec keySpec = new SecretKeySpec(password, "DES");

Even if we invoke it in a convoluted way using reflection and other tricks, nobody can stop a hacker replacing the SecretKeySpec class in the classpath by an eavesdropping class.

To protect against it, the program could load the SecretKeySpec class and run a message digest against its bytes. If the message digest is different, either it is running on a different JVM version or a hacked JVM.

*** SUMMARY ***

1. Encrypt the jar file

2. The bootstrap classes like ProtectedClassLoader which decrypt the jar file, load and run the classes aren't encrypted.

3. The password is a message digest of some important and constant data, like the bytes of the ProtectedClassLoader class, to protect this data against tampering.

4. The bootstrap classes are obfuscated and additionally written convolutedly. They make false calls, use invocation to hide "normal" calls to the cryptography library and other tricks.

5. The bootstrap classes make a check of some cryptography classes to protect against a hacked JVM with eavesdropping classes. The password of step 3 could contain a message digest of important classes of the cryptography library.

*** CONCLUSION ***

With enough energy this can be hacked anyway. There's no absolute protection. But hacking can be made hard, very hard, I think so.

*** LINK ***

For more information, please read

http://anticrack.hypermart.net/ (especially the Anti Cracking FAQ)
0
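An added sketch of the digest-derived key from the summary above (not code from any poster in this thread): it shows the one property the scheme does give, that a modified loader can no longer decrypt, and the limit raised in the replies, that every input to the key ships with the product. It uses AES-GCM in place of the DES named in the post; the class name DigestKeyDemo and the sample byte strings are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class DigestKeyDemo {
    // Key = SHA-256 over the bootstrap loader's class bytes (summary step 3).
    static SecretKeySpec keyFrom(byte[] loaderBytes) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(loaderBytes);
        return new SecretKeySpec(digest, "AES"); // 32 bytes -> AES-256
    }

    static byte[] seal(byte[] loaderBytes, byte[] iv, byte[] plain) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, keyFrom(loaderBytes), new GCMParameterSpec(128, iv));
        return c.doFinal(plain);
    }

    static byte[] open(byte[] loaderBytes, byte[] iv, byte[] sealed) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, keyFrom(loaderBytes), new GCMParameterSpec(128, iv));
        return c.doFinal(sealed);
    }
    public static void main(String[] args) throws Exception {
        // Constructed stand-ins for the two shipped files.
        byte[] loader = "bytes of ProtectedClassLoader.class".getBytes(StandardCharsets.UTF_8);
        byte[] jar = "bytes of the application jar".getBytes(StandardCharsets.UTF_8);
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        byte[] sealed = seal(loader, iv, jar);
        // 1. Tamper evidence: a patched loader derives a different key.
        byte[] patched = loader.clone();
        patched[0] ^= 1;
        try {
            open(patched, iv, sealed);
            System.out.println("patched loader: decrypted (unexpected)");
        } catch (AEADBadTagException e) {
            System.out.println("patched loader: decryption rejected");
        }

        // 2. No secrecy: every input to the key ships with the product.
        boolean same = Arrays.equals(jar, open(loader, iv, sealed));
        System.out.println("unmodified loader bytes recover the jar: " + same);
    }
}
```

The digest binds the encrypted jar to one exact loader build, which is an integrity property; it adds no confidentiality against anyone who holds the distributed files.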
 
LVL 9

Expert Comment

by:doronb
ID: 6268153
Hi,


Just a quick word for objects and whoever thinks there's such a thing like a "safe" protection scheme... :)

Well, there isn't any 100% safe protection scheme simply cause whoever's gonna use the encrypted material just HAS to open it, and speaking from experience - I did some major game/software cracking in my early computer days >:) - as long as there's a way to open it, ppl will be able to crack it.


Doron
0
 
LVL 3

Expert Comment

by:dnoelpp
ID: 6268171
That's the problem. The only way is to make this as hard as possible... And as Java is "secure", this has the side effect to make cracking it easier than for other programming languages.
0
 
LVL 92

Accepted Solution

by:
objects earned 50 total points
ID: 6268255
> Just a quick word for objects and whoever thinks there's
> such a thing like a "safe" protection scheme...

I must be giving off the wrong impression, cause personally I believe attempting to protect your source code is a waste of time.
And the only people it ends up hindering are your customers and that doesn't make a lot of sense.
If a hacker wants to crack your scheme (especially if it's Java code) then there's a pretty good chance they will. All security is about is buying time.

Best form of software protection IMO is great customer service, and an ever evolving product.

Just my 2c of course :)

0
 
LVL 3

Expert Comment

by:dnoelpp
ID: 6268311
objects, I agree. I just wanted to think about protection schemes... as an intellectual challenge. :-)

I learnt a lot in this thread and if I wanted to crack a Java program I know where to begin... :-)
0
 

Author Comment

by:limnestor
ID: 6310906
hi everyone, thanks for all those who responded.  I also did my own search and I bumped into the use of JAX from alphaworks.ibm.com.  Has anyone here had experience using this tool?  Please refer to this forum for more info: http://forums.java.sun.com/thread.jsp?forum=22&thread=30449.  I'm still investigating if this is the solution to my problem.
0
 
LVL 92

Expert Comment

by:objects
ID: 6311455
Does it do anything more than obfuscation?
0
 
LVL 3

Assisted Solution

by:dnoelpp
dnoelpp earned 50 total points
ID: 6316224
No, limnestor, but I just wanted to remind you of my post above with three links (Zelix incremental obfuscation, Crema, etc.).

As far as I gathered, JAX is a sort of obfuscator, i.e. it does about the same as, say, Crema.
0
 
LVL 1

Expert Comment

by:Moondancer
ID: 6892898
ADMINISTRATION WILL BE CONTACTING YOU SHORTLY.  Moderators Computer101 or Netminder will return to finalize these if still open in seven days.  Please post closing recommendations before that time.

Question(s) below appears to have been abandoned. Your options are:
 
1. Accept a Comment As Answer (use the button next to the Expert's name).
2. Close the question if the information was not useful to you, but may help others. You must tell the participants why you wish to do this, and allow for Expert response.  This choice will include a refund to you, and will move this question to our PAQ (Previously Asked Question) database.  If you found information outside this question thread, please add it.
3. Ask Community Support to help split points between participating experts, or just comment here with details and we'll respond with the process.
4. Delete the question (if it has no potential value for others).
   --> Post comments for expert of your intention to delete and why
   --> You cannot delete a question with comments, special handling by a Moderator is required.

For special handling needs, please post a zero point question in the link below and include the URL (question QID/link) that it regards with details.
http://www.experts-exchange.com/jsp/qList.jsp?ta=commspt
 
Please click the Help Desk link on the left for Member Guidelines, Member Agreement and the Question/Answer process for further information, if needed.  http://www.experts-exchange.com/jsp/cmtyHelpDesk.jsp

Click your Member Profile to view your question history and keep them all current with updates as the collaboration effort continues, to track all your open and locked questions at this site.  If you are an EE Pro user, use the Power Search option to find them.  Anytime you have questions which are LOCKED with a Proposed Answer but does not serve your needs, please reject it and add comments as to why.  In addition, when you do grade the question, if the grade is less than an A, please add a comment as to why.  This helps all involved, as well as future persons who may access this item in the future to seek help.

To view your open questions, please click the following link(s) and keep them all current with updates.
http://www.experts-exchange.com/questions/Q.20146620.html
http://www.experts-exchange.com/questions/Q.20176670.html


To view your locked questions, please click the following link(s) and evaluate the proposed answer.
http://www.experts-exchange.com/questions/Q.20127437.html

PLEASE DO NOT AWARD THE POINTS TO ME.  
 
------------>  EXPERTS:  Please leave any comments regarding your closing recommendations if this item remains inactive another seven (7) days.  Also, if you are interested in the cleanup effort, please click this link http://www.experts-exchange.com/jsp/qManageQuestion.jsp?ta=commspt&qid=20274643

Moderators will finalize this question if still open in 7 days, by either moving this to the PAQ (Previously Asked Questions) at zero points, deleting it or awarding expert(s) when recommendations are made, or an independent determination can be made.  Expert input is always appreciated to determine the fair outcome.
 
Thank you everyone.
 
Moondancer
Moderator @ Experts Exchange
0
 
LVL 14

Expert Comment

by:sudhakar_koundinya
ID: 9017558
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:


[split points between dnoelpp and objects]


Please leave any comments here within the next seven days.
 
PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!
 
sudhakar_koundinya
EE Cleanup Volunteer
---------------------
If you feel that your question was not properly addressed, or that none of the comments received were appropriate answers, please post your concern in THIS thread.
0
