Solved

Java security

Posted on 2004-08-05
Last Modified: 2010-03-31
Hi,

I am writing a des3 application.

Class1 generates a key and then writes the key to a file.

Class2 reads the file and generates the SecretKey object by reading the file. It then holds a reference to this SecretKey.

Class3 & Class4 hold a reference to class2 to obtain the SecretKey for encryption and decryption.  This is because performance will not suffer in reading the file  and generating the key each time it needs to be used.

My main concern is that if Class2 exposes its SecretKey then it poses a security risk, as anyone can then reference this class in their code to obtain the key and decrypt data.

Is there any way in Java security I can use which prevents this from happening? I only want Class3 & Class4 to see Class2; no other code should be able to reference Class2 without it going belly up.

I really hope this makes sense.

Many Thanks, this is urgent.
Question by:inzaghi
8 Comments
 
LVL 35

Accepted Solution

by:
girionis earned 600 total points
ID: 11728414
There might be a way to find out the calling class. Take a look here: http://www.javaspecialists.co.za/archive/Issue087.html
0
 

Author Comment

by:inzaghi
ID: 11728700
This class it mentions is not part of the supported API. Can we use the Security Manager and policy files? I don't know how to do this.
0
 
LVL 35

Expert Comment

by:girionis
ID: 11729022
Yes you can use the Security Manager regardless of the API used. But it seems to me that the security manager hasn't got anything to do with finding the calling class. You simply need to have two if statements that check who is the caller. If it is one of the classes in the stack then return the key, otherwise return a warning message or nothing.
0
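The caller check described in the comment above, as an added example that is not part of the original thread or any poster's code. It assumes Java 9 or later for `java.lang.StackWalker`; the class names `KeyHolder`, `Encryptor`, `Decryptor` and `Other` are hypothetical stand-ins for the question's Class2, Class3, Class4 and any other code.

```java
import java.security.GeneralSecurityException;
import java.util.Set;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class CallerCheckDemo {

    /** Stands in for Class2: caches the key and releases it only to approved callers. */
    static final class KeyHolder {
        private static final StackWalker WALKER =
                StackWalker.getInstance(StackWalker.Option.RETAIN_CLASS_REFERENCE);
        // Allowlist of Class objects rather than names, so a same-named class
        // loaded by a different class loader does not match.
        private static final Set<Class<?>> ALLOWED = Set.of(Encryptor.class, Decryptor.class);
        // Classes are nested only to keep the example in one file; as separate
        // top-level classes this private field is unreachable without reflection.
        private final SecretKey key;

        KeyHolder(SecretKey key) { this.key = key; }

        SecretKey getKey() {
            Class<?> caller = WALKER.getCallerClass(); // class that invoked getKey()
            if (!ALLOWED.contains(caller)) {
                throw new SecurityException("caller not permitted: " + caller.getName());
            }
            return key;
        }
    }

    // Hypothetical consumers: Encryptor and Decryptor are allowed, Other is not.
    static final class Encryptor { static String use(KeyHolder h) { return h.getKey().getAlgorithm(); } }
    static final class Decryptor { static String use(KeyHolder h) { return h.getKey().getAlgorithm(); } }
    static final class Other     { static String use(KeyHolder h) { return h.getKey().getAlgorithm(); } }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed sample key; the question loads it from a file instead.
        KeyHolder holder = new KeyHolder(KeyGenerator.getInstance("DESede").generateKey());
        System.out.println("Encryptor: " + Encryptor.use(holder));
        System.out.println("Decryptor: " + Decryptor.use(holder));
        try {
            Other.use(holder);
        } catch (SecurityException e) {
            System.out.println("Other rejected: " + e.getMessage());
        }
    }
}
```

The check only covers code that goes through `getKey()`; reflection with `setAccessible`, or simply reading the key file, bypasses it, which is the limitation the later answers in this thread point at.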
 
LVL 15

Assisted Solution

by:Javatm
Javatm earned 500 total points
ID: 11731048
> My main concern is that Class2 exposes its SecretKey then it poses a security risk as anyone can then reference
> this class in their code to obtain the key and decrypt data.

That is if they know how to use it but then again if there would be someone that would be 1 / 5000 or a one
million if not. It's actually amusing if someone can hack it since it's Java security that we are talking here.

You don't actually have to worry about the software because all of the users will just use it, instead of
wasting their time to find a way to debug your big security software.

Unless they try to decompile your classes; if that's the case then better use this documentation to help you:
http://www.javaworld.com/javaworld/javatips/jw-javatip22.html

Hope that helps . . .
Javatm
0
 
LVL 1

Assisted Solution

by:wolfc
wolfc earned 500 total points
ID: 11734706
> http://www.javaworld.com/javaworld/javatips/jw-javatip22.html

Mocha is old, Crema is tied up in legal issues and Jasmine defeats Crema. Software can always be decompiled.

IMHO there is no way to do this without some external key (USB key, user-known password, etc.).
If there is please let us know.
0
 
LVL 12

Assisted Solution

by:Giant2
Giant2 earned 400 total points
ID: 11734862
Normally, generating a public/private key is done in a high-security zone,
so that the private key cannot be seen. This is done using a non-internet-connected PC, etc.
0
 
LVL 12

Expert Comment

by:Giant2
ID: 11870769
Thanks.
0
 
LVL 35

Expert Comment

by:girionis
ID: 11870858
:)
0
