Solved

Java security

Posted on 2004-08-05
8
162 Views
Last Modified: 2010-03-31
Hi,

I am writing a des3 application.

Class1 generates a key and then writes the key to a file.

Class2 reads the file and generates the SecretKEy object by reading the file. IT then holds a referemce to this SecretKey.

Class3 & Class4 hold a reference to class2 to obtain the SecretKey for encryption and decryption.  This is because performance will not suffer in reading the file  and generating the key each time it needs to be used.

My main concern is that Class2 exposes its SecretKey then it poses a security risk as anyone can then reference this class in there code to obtain the key and decrypt data.

Is there anyway in Java security I can use which prevents this from happening, I only want Class3 & Class4 to see class2 no other code should be able to reference class2 without it going belly up.

I really hope this makes sense.

Many Thanks, this is urgent.
0
Comment
Question by:inzaghi
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 35

Accepted Solution

by:
girionis earned 150 total points
ID: 11728414
There might be a way to find out the calling class. Take a look here: http://www.javaspecialists.co.za/archive/Issue087.html
0
 

Author Comment

by:inzaghi
ID: 11728700
This class it mentions is not part of the supported API, can we use the Secuirty Manager and policy files?? I don't know how to do this
0
 
LVL 35

Expert Comment

by:girionis
ID: 11729022
Yes you can use the Security Manager regardless of the API used. But it seems to me that the security manager hasn't got anything to do with finding the calling class. You simply need to have two if statements that check who is the caller. If it is one of the classes in the stack then return the key, otherwise return a warning message or nothing.
0
SharePoint Admin?

Enable Your Employees To Focus On The Core With Intuitive Onscreen Guidance That is With You At The Moment of Need.

 
LVL 15

Assisted Solution

by:Javatm
Javatm earned 125 total points
ID: 11731048
> My main concern is that Class2 exposes its SecretKey then it poses a security risk as anyone can then reference
> this class in there code to obtain the key and decrypt data.

That is if they know how to use it but then again if there would be someone that would be 1 / 5000 or a one
million if not. Its actually amuzing if someone can hack it since its Java security that we are talking here.

You dont actually have to worry about the software because all of the user will just use it, instead of
wasting their time to find a way to debug your big security software.

Unless they try to decompile your classes, if thats the case then better use this documentation to help you :
http://www.javaworld.com/javaworld/javatips/jw-javatip22.html

Hope that helps . . .
Javatm
0
 
LVL 1

Assisted Solution

by:wolfc
wolfc earned 125 total points
ID: 11734706
> http://www.javaworld.com/javaworld/javatips/jw-javatip22.html

Mocha is old, Crema is tied up in legal issues and Jasmine defeats Crema. Software can allways be decompiled.

IMHO there is no way to do this without some external key (usb key, user known password etc).
If there is please let us know.
0
 
LVL 12

Assisted Solution

by:Giant2
Giant2 earned 100 total points
ID: 11734862
Normally generate public private key is done in a hight security zone.
So that the private key cannot be seen. This is done using a non internet connected PC, etc.
0
 
LVL 12

Expert Comment

by:Giant2
ID: 11870769
Thanks.
0
 
LVL 35

Expert Comment

by:girionis
ID: 11870858
:)
0

Featured Post

Salesforce Has Never Been Easier

Improve and reinforce salesforce training & adoption using WalkMe's digital adoption platform. Start saving on costly employee training by creating fast intuitive Walk-Thrus for Salesforce. Claim your Free Account Now

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Weekend adv creator 3 64
xampp tool 12 60
Cisco ASA: Java web start no go, asdm launcher no go 3 58
What browser will run Java? 7 127
Java Flight Recorder and Java Mission Control together create a complete tool chain to continuously collect low level and detailed runtime information enabling after-the-fact incident analysis. Java Flight Recorder is a profiling and event collectio…
Introduction This article is the last of three articles that explain why and how the Experts Exchange QA Team does test automation for our web site. This article covers our test design approach and then goes through a simple test case example, how …
Viewers learn how to read error messages and identify possible mistakes that could cause hours of frustration. Coding is as much about debugging your code as it is about writing it. Define Error Message: Line Numbers: Type of Error: Break Down…
This tutorial will introduce the viewer to VisualVM for the Java platform application. This video explains an example program and covers the Overview, Monitor, and Heap Dump tabs.

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question