Solved

Java security

Posted on 2004-08-05
Last Modified: 2010-03-31
Hi,

I am writing a des3 application.

Class1 generates a key and then writes the key to a file.

Class2 reads the file and generates the SecretKey object by reading the file. It then holds a reference to this SecretKey.

Class3 & Class4 hold a reference to class2 to obtain the SecretKey for encryption and decryption.  This is because performance will not suffer in reading the file  and generating the key each time it needs to be used.

My main concern is that if Class2 exposes its SecretKey then it poses a security risk, as anyone can then reference this class in their code to obtain the key and decrypt data.

Is there any way in Java security I can use which prevents this from happening? I only want Class3 & Class4 to see Class2; no other code should be able to reference Class2 without it going belly up.

I really hope this makes sense.

Many Thanks, this is urgent.
Question by:inzaghi
LVL 35

Accepted Solution

by:
girionis earned 150 total points
ID: 11728414
There might be a way to find out the calling class. Take a look here: http://www.javaspecialists.co.za/archive/Issue087.html
0
 

Author Comment

by:inzaghi
ID: 11728700
This class it mentions is not part of the supported API. Can we use the Security Manager and policy files? I don't know how to do this.
0
 
LVL 35

Expert Comment

by:girionis
ID: 11729022
Yes you can use the Security Manager regardless of the API used. But it seems to me that the security manager hasn't got anything to do with finding the calling class. You simply need to have two if statements that check who is the caller. If it is one of the classes in the stack then return the key, otherwise return a warning message or nothing.
0
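The caller check described in the comment above, as an added example that is not code from the thread. It uses `StackWalker`, the supported Java 9+ API for identifying the caller, and assumes the question's class names; `Intruder` and `CallerCheckDemo` are hypothetical, and the key is generated in memory rather than read from the question's file.

```java
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

// Key holder, named Class2 as in the question.
final class Class2 {
    private static final StackWalker WALKER =
            StackWalker.getInstance(StackWalker.Option.RETAIN_CLASS_REFERENCE);
    private final SecretKey key;

    Class2(SecretKey key) { this.key = key; }

    SecretKey getKey() {
        // Class whose method invoked getKey().
        Class<?> caller = WALKER.getCallerClass();
        // The "two if statements": compare class identity, not class names.
        if (caller == Class3.class) return key;
        if (caller == Class4.class) return key;
        throw new SecurityException("caller not allowed: " + caller.getName());
    }
}

// The two permitted users of the key (encryption and decryption in the question).
final class Class3 {
    static String keyAlgorithm(Class2 holder) { return holder.getKey().getAlgorithm(); }
}

final class Class4 {
    static String keyAlgorithm(Class2 holder) { return holder.getKey().getAlgorithm(); }
}

// Hypothetical class that is not on the allow-list.
final class Intruder {
    static String keyAlgorithm(Class2 holder) { return holder.getKey().getAlgorithm(); }
}

public class CallerCheckDemo {
    public static void main(String[] args) throws Exception {
        // Assumption: a fresh 3DES key stands in for the key loaded from file.
        SecretKey key = KeyGenerator.getInstance("DESede").generateKey();
        Class2 holder = new Class2(key);
        System.out.println("Class3 allowed, algorithm: " + Class3.keyAlgorithm(holder));
        System.out.println("Class4 allowed, algorithm: " + Class4.keyAlgorithm(holder));
        try {
            Intruder.keyAlgorithm(holder);
        } catch (SecurityException e) {
            System.out.println("Intruder rejected: " + e.getMessage());
        }
    }
}
```

The check only constrains code that goes through `getKey()`; it does not protect the key from anyone who can read the key file or decompile the classes, which the later replies in this thread point out.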
 
LVL 15

Assisted Solution

by:Javatm
Javatm earned 125 total points
ID: 11731048
> My main concern is that Class2 exposes its SecretKey then it poses a security risk as anyone can then reference
> this class in their code to obtain the key and decrypt data.

That is if they know how to use it but then again if there would be someone that would be 1 / 5000 or a one
million if not. It's actually amusing if someone can hack it since it's Java security that we are talking about here.

You don't actually have to worry about the software because all of the users will just use it, instead of
wasting their time to find a way to debug your big security software.

Unless they try to decompile your classes; if that's the case then better use this documentation to help you:
http://www.javaworld.com/javaworld/javatips/jw-javatip22.html

Hope that helps . . .
Javatm
0
 
LVL 1

Assisted Solution

by:wolfc
wolfc earned 125 total points
ID: 11734706
> http://www.javaworld.com/javaworld/javatips/jw-javatip22.html

Mocha is old, Crema is tied up in legal issues and Jasmine defeats Crema. Software can always be decompiled.

IMHO there is no way to do this without some external key (usb key, user known password etc).
If there is please let us know.
0
 
LVL 12

Assisted Solution

by:Giant2
Giant2 earned 100 total points
ID: 11734862
Normally generating a public/private key is done in a high-security zone,
so that the private key cannot be seen. This is done using a non-internet-connected PC, etc.
0
 
LVL 12

Expert Comment

by:Giant2
ID: 11870769
Thanks.
0
 
LVL 35

Expert Comment

by:girionis
ID: 11870858
:)
0
