Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Own serialization of Java classes (SecretKey)

Posted on 2002-07-26
3
Medium Priority
?
367 Views
Last Modified: 2008-03-10
Hi

I’ve read on a web site (http://www.securingjava.com/chapter-seven/chapter-seven-1.html) that it is not a good idea (for security reasons) to use serialization.  I’ve implemented the security suggestions.

Now my class that’s the most critical concerning security needs to “save” its state.  I was thinking of encrypting the member variables and then writing it out to disk. (This is not foolproof but its better)
The member variable that I need to store is: javax.crypto.SecretKey

My thinking is to get the object into a byte [] or stream of some sort, encrypt it and then write it out to disk.  But how? (getting the object into a byte[])

How does serialization do this?
Or
Can one serialize to a memory file?

Thanx
André
0
Comment
Question by:Fortress_Initiative
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 4

Accepted Solution

by:
antons061400 earned 1400 total points
ID: 7179791

SecretKey key = .....
ByteArrayOutputStream bos = new ByteArrayOutputStream();
ObjectOutputStream oos = new ObjectOutputStream(bos);
oos.writeObject(key);
oos.flush();
byte[] barray = bos.toByteArray();

Is this what you need for overwriting serialization of your class?
0
 
LVL 1

Expert Comment

by:klf
ID: 7179810
>My thinking is to get the object into a byte [] or stream of >some sort, encrypt it and then write it out to disk.  But >how? (getting the object into a byte[])

This sounds like serialization to me.  I have not done a lot with serialization but it seems to me that you should be able to serialize the object (javax.crypto.SecretKey) into an in memory stream, encrypt it , then write it to disk.  To unserialize it just decrypt and then unserialize it.  
0
 

Author Comment

by:Fortress_Initiative
ID: 7179940
Thanx antons and klf.

I'll try antons' suggestion, just now.  I can encrypt the barray and write it out to file.
0

Featured Post

The top UI technologies you need to be aware of

An important part of the job as a front-end developer is to stay up to date and in contact with new tools, trends and workflows. That’s why you cannot miss this upcoming webinar to explore the latest trends in UI technologies!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Java contains several comparison operators (e.g., <, <=, >, >=, ==, !=) that allow you to compare primitive values. However, these operators cannot be used to compare the contents of objects. Interface Comparable is used to allow objects of a cl…
In this post we will learn different types of Android Layout and some basics of an Android App.
Viewers will learn about the regular for loop in Java and how to use it. Definition: Break the for loop down into 3 parts: Syntax when using for loops: Example using a for loop:
This tutorial covers a practical example of lazy loading technique and early loading technique in a Singleton Design Pattern.
Suggested Courses

704 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question