Solved

Own serialization of Java classes (SecretKey)

Posted on 2002-07-26
3
349 Views
Last Modified: 2008-03-10
Hi

I’ve read on a web site (http://www.securingjava.com/chapter-seven/chapter-seven-1.html) that it is not a good idea (for security reasons) to use serialization.  I’ve implemented the security suggestions.

Now my class that’s the most critical concerning security needs to “save” its state.  I was thinking of encrypting the member variables and then writing it out to disk. (This is not foolproof but its better)
The member variable that I need to store is: javax.crypto.SecretKey

My thinking is to get the object into a byte [] or stream of some sort, encrypt it and then write it out to disk.  But how? (getting the object into a byte[])

How does serialization do this?
Or
Can one serialize to a memory file?

Thanx
André
0
Comment
Question by:Fortress_Initiative
3 Comments
 
LVL 4

Accepted Solution

by:
antons061400 earned 350 total points
Comment Utility

SecretKey key = .....
ByteArrayOutputStream bos = new ByteArrayOutputStream();
ObjectOutputStream oos = new ObjectOutputStream(bos);
oos.writeObject(key);
oos.flush();
byte[] barray = bos.toByteArray();

Is this what you need for overwriting serialization of your class?
0
 
LVL 1

Expert Comment

by:klf
Comment Utility
>My thinking is to get the object into a byte [] or stream of >some sort, encrypt it and then write it out to disk.  But >how? (getting the object into a byte[])

This sounds like serialization to me.  I have not done a lot with serialization but it seems to me that you should be able to serialize the object (javax.crypto.SecretKey) into an in memory stream, encrypt it , then write it to disk.  To unserialize it just decrypt and then unserialize it.  
0
 

Author Comment

by:Fortress_Initiative
Comment Utility
Thanx antons and klf.

I'll try antons' suggestion, just now.  I can encrypt the barray and write it out to file.
0

Featured Post

What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Suggested Solutions

Go is an acronym of golang, is a programming language developed Google in 2007. Go is a new language that is mostly in the C family, with significant input from Pascal/Modula/Oberon family. Hence Go arisen as low-level language with fast compilation…
Introduction This article is the second of three articles that explain why and how the Experts Exchange QA Team does test automation for our web site. This article covers the basic installation and configuration of the test automation tools used by…
Viewers learn how to read error messages and identify possible mistakes that could cause hours of frustration. Coding is as much about debugging your code as it is about writing it. Define Error Message: Line Numbers: Type of Error: Break Down…
Viewers will learn about the regular for loop in Java and how to use it. Definition: Break the for loop down into 3 parts: Syntax when using for loops: Example using a for loop:

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

7 Experts available now in Live!

Get 1:1 Help Now