Solved

Own serialization of Java classes (SecretKey)

Posted on 2002-07-26
3
360 Views
Last Modified: 2008-03-10
Hi

I’ve read on a web site (http://www.securingjava.com/chapter-seven/chapter-seven-1.html) that it is not a good idea (for security reasons) to use serialization.  I’ve implemented the security suggestions.

Now my class that’s the most critical concerning security needs to “save” its state.  I was thinking of encrypting the member variables and then writing it out to disk. (This is not foolproof but its better)
The member variable that I need to store is: javax.crypto.SecretKey

My thinking is to get the object into a byte [] or stream of some sort, encrypt it and then write it out to disk.  But how? (getting the object into a byte[])

How does serialization do this?
Or
Can one serialize to a memory file?

Thanx
André
0
Comment
Question by:Fortress_Initiative
3 Comments
 
LVL 4

Accepted Solution

by:
antons061400 earned 350 total points
ID: 7179791

SecretKey key = .....
ByteArrayOutputStream bos = new ByteArrayOutputStream();
ObjectOutputStream oos = new ObjectOutputStream(bos);
oos.writeObject(key);
oos.flush();
byte[] barray = bos.toByteArray();

Is this what you need for overwriting serialization of your class?
0
 
LVL 1

Expert Comment

by:klf
ID: 7179810
>My thinking is to get the object into a byte [] or stream of >some sort, encrypt it and then write it out to disk.  But >how? (getting the object into a byte[])

This sounds like serialization to me.  I have not done a lot with serialization but it seems to me that you should be able to serialize the object (javax.crypto.SecretKey) into an in memory stream, encrypt it , then write it to disk.  To unserialize it just decrypt and then unserialize it.  
0
 

Author Comment

by:Fortress_Initiative
ID: 7179940
Thanx antons and klf.

I'll try antons' suggestion, just now.  I can encrypt the barray and write it out to file.
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
jsp login check 12 42
How to configure empty element in XML Document parser? 15 36
Bot application - advice 3 38
Fast way to search item into Java Array (Rhino compatible) 2 31
An old method to applying the Singleton pattern in your Java code is to check if a static instance, defined in the same class that needs to be instantiated once and only once, is null and then create a new instance; otherwise, the pre-existing insta…
Introduction This article is the second of three articles that explain why and how the Experts Exchange QA Team does test automation for our web site. This article covers the basic installation and configuration of the test automation tools used by…
Viewers learn about the “for” loop and how it works in Java. By comparing it to the while loop learned before, viewers can make the transition easily. You will learn about the formatting of the for loop as we write a program that prints even numbers…
This theoretical tutorial explains exceptions, reasons for exceptions, different categories of exception and exception hierarchy.

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question