Fortress_Initiative
asked on
Own serialization of Java classes (SecretKey)
Hi
I’ve read on a web site (http://www.securingjava.com/chapter-seven/chapter-seven-1.html) that it is not a good idea (for security reasons) to use serialization. I’ve implemented the security suggestions.
Now my class that’s the most critical concerning security needs to “save” its state. I was thinking of encrypting the member variables and then writing it out to disk. (This is not foolproof but its better)
The member variable that I need to store is: javax.crypto.SecretKey
My thinking is to get the object into a byte [] or stream of some sort, encrypt it and then write it out to disk. But how? (getting the object into a byte[])
How does serialization do this?
Or
Can one serialize to a memory file?
Thanx
André
I’ve read on a web site (http://www.securingjava.com/chapter-seven/chapter-seven-1.html) that it is not a good idea (for security reasons) to use serialization. I’ve implemented the security suggestions.
Now my class that’s the most critical concerning security needs to “save” its state. I was thinking of encrypting the member variables and then writing it out to disk. (This is not foolproof but its better)
The member variable that I need to store is: javax.crypto.SecretKey
My thinking is to get the object into a byte [] or stream of some sort, encrypt it and then write it out to disk. But how? (getting the object into a byte[])
How does serialization do this?
Or
Can one serialize to a memory file?
Thanx
André
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanx antons and klf.
I'll try antons' suggestion, just now. I can encrypt the barray and write it out to file.
I'll try antons' suggestion, just now. I can encrypt the barray and write it out to file.
This sounds like serialization to me. I have not done a lot with serialization but it seems to me that you should be able to serialize the object (javax.crypto.SecretKey) into an in memory stream, encrypt it , then write it to disk. To unserialize it just decrypt and then unserialize it.