Solved

Java security

Posted on 2004-08-05
8
157 Views
Last Modified: 2010-03-31
Hi,

I am writing a des3 application.

Class1 generates a key and then writes the key to a file.

Class2 reads the file and generates the SecretKEy object by reading the file. IT then holds a referemce to this SecretKey.

Class3 & Class4 hold a reference to class2 to obtain the SecretKey for encryption and decryption.  This is because performance will not suffer in reading the file  and generating the key each time it needs to be used.

My main concern is that Class2 exposes its SecretKey then it poses a security risk as anyone can then reference this class in there code to obtain the key and decrypt data.

Is there anyway in Java security I can use which prevents this from happening, I only want Class3 & Class4 to see class2 no other code should be able to reference class2 without it going belly up.

I really hope this makes sense.

Many Thanks, this is urgent.
0
Comment
Question by:inzaghi
8 Comments
 
LVL 35

Accepted Solution

by:
girionis earned 150 total points
Comment Utility
There might be a way to find out the calling class. Take a look here: http://www.javaspecialists.co.za/archive/Issue087.html
0
 

Author Comment

by:inzaghi
Comment Utility
This class it mentions is not part of the supported API, can we use the Secuirty Manager and policy files?? I don't know how to do this
0
 
LVL 35

Expert Comment

by:girionis
Comment Utility
Yes you can use the Security Manager regardless of the API used. But it seems to me that the security manager hasn't got anything to do with finding the calling class. You simply need to have two if statements that check who is the caller. If it is one of the classes in the stack then return the key, otherwise return a warning message or nothing.
0
 
LVL 15

Assisted Solution

by:Javatm
Javatm earned 125 total points
Comment Utility
> My main concern is that Class2 exposes its SecretKey then it poses a security risk as anyone can then reference
> this class in there code to obtain the key and decrypt data.

That is if they know how to use it but then again if there would be someone that would be 1 / 5000 or a one
million if not. Its actually amuzing if someone can hack it since its Java security that we are talking here.

You dont actually have to worry about the software because all of the user will just use it, instead of
wasting their time to find a way to debug your big security software.

Unless they try to decompile your classes, if thats the case then better use this documentation to help you :
http://www.javaworld.com/javaworld/javatips/jw-javatip22.html

Hope that helps . . .
Javatm
0
What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

 
LVL 1

Assisted Solution

by:wolfc
wolfc earned 125 total points
Comment Utility
> http://www.javaworld.com/javaworld/javatips/jw-javatip22.html

Mocha is old, Crema is tied up in legal issues and Jasmine defeats Crema. Software can allways be decompiled.

IMHO there is no way to do this without some external key (usb key, user known password etc).
If there is please let us know.
0
 
LVL 12

Assisted Solution

by:Giant2
Giant2 earned 100 total points
Comment Utility
Normally generate public private key is done in a hight security zone.
So that the private key cannot be seen. This is done using a non internet connected PC, etc.
0
 
LVL 12

Expert Comment

by:Giant2
Comment Utility
Thanks.
0
 
LVL 35

Expert Comment

by:girionis
Comment Utility
:)
0

Featured Post

How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

Join & Write a Comment

Introduction Java can be integrated with native programs using an interface called JNI(Java Native Interface). Native programs are programs which can directly run on the processor. JNI is simply a naming and calling convention so that the JVM (Java…
Go is an acronym of golang, is a programming language developed Google in 2007. Go is a new language that is mostly in the C family, with significant input from Pascal/Modula/Oberon family. Hence Go arisen as low-level language with fast compilation…
The viewer will learn how to implement Singleton Design Pattern in Java.
This tutorial explains how to use the VisualVM tool for the Java platform application. This video goes into detail on the Threads, Sampler, and Profiler tabs.

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now