Solved

Own serialization of Java classes (SecretKey)

Posted on 2002-07-26
3
365 Views
Last Modified: 2008-03-10
Hi

I’ve read on a web site (http://www.securingjava.com/chapter-seven/chapter-seven-1.html) that it is not a good idea (for security reasons) to use serialization.  I’ve implemented the security suggestions.

Now my class that’s the most critical concerning security needs to “save” its state.  I was thinking of encrypting the member variables and then writing it out to disk. (This is not foolproof but its better)
The member variable that I need to store is: javax.crypto.SecretKey

My thinking is to get the object into a byte [] or stream of some sort, encrypt it and then write it out to disk.  But how? (getting the object into a byte[])

How does serialization do this?
Or
Can one serialize to a memory file?

Thanx
André
0
Comment
Question by:Fortress_Initiative
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 4

Accepted Solution

by:
antons061400 earned 350 total points
ID: 7179791

SecretKey key = .....
ByteArrayOutputStream bos = new ByteArrayOutputStream();
ObjectOutputStream oos = new ObjectOutputStream(bos);
oos.writeObject(key);
oos.flush();
byte[] barray = bos.toByteArray();

Is this what you need for overwriting serialization of your class?
0
 
LVL 1

Expert Comment

by:klf
ID: 7179810
>My thinking is to get the object into a byte [] or stream of >some sort, encrypt it and then write it out to disk.  But >how? (getting the object into a byte[])

This sounds like serialization to me.  I have not done a lot with serialization but it seems to me that you should be able to serialize the object (javax.crypto.SecretKey) into an in memory stream, encrypt it , then write it to disk.  To unserialize it just decrypt and then unserialize it.  
0
 

Author Comment

by:Fortress_Initiative
ID: 7179940
Thanx antons and klf.

I'll try antons' suggestion, just now.  I can encrypt the barray and write it out to file.
0

Featured Post

Salesforce Has Never Been Easier

Improve and reinforce salesforce training & adoption using WalkMe's digital adoption platform. Start saving on costly employee training by creating fast intuitive Walk-Thrus for Salesforce. Claim your Free Account Now

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

An old method to applying the Singleton pattern in your Java code is to check if a static instance, defined in the same class that needs to be instantiated once and only once, is null and then create a new instance; otherwise, the pre-existing insta…
INTRODUCTION Working with files is a moderately common task in Java.  For most projects hard coding the file names, using parameters in configuration files, or using command-line arguments is sufficient.   However, when your application has vi…
Viewers learn how to read error messages and identify possible mistakes that could cause hours of frustration. Coding is as much about debugging your code as it is about writing it. Define Error Message: Line Numbers: Type of Error: Break Down…
Viewers will learn about the different types of variables in Java and how to declare them. Decide the type of variable desired: Put the keyword corresponding to the type of variable in front of the variable name: Use the equal sign to assign a v…
Suggested Courses

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question