Solved

Java Security, Encryption, and JAR files

Posted on 2004-10-08
29
842 Views
Last Modified: 2013-11-23
I'm sure many of you have seen my previous questions about RegCodeX. RegCodeX creates an installer program to install a file (if a name/password combination are correctly supplied). Now I'm almost ready to release the app and it's time to tighten up security. Quick summary of the program's actions:

RegCodeX gets various input from the user and creates a bunch of source files which it compiles. It also encrypts a file selected by the user. The key used to encrypt the data and the encrypted data itself are stuffed into a JAR along with the class files and the manifest for the installer program. When the installer program is run it takes out anything it needs from the JAR (encryption file, key file, etc.) and decrypts the file. Note that the encrypting input/output and encrypting/decrypting process is done chunk by chunk so that large files can be processed.

Yes, there are more details but they are, I think, irrelevant to security. I'm looking for any and all ways to increase security for the program, from securing it against a complete computer newbie, to a top notch Java programmer (or other programmer, C++, etc. for that matter). And yes, the key and data MUST be sent with the file and can not be located on a server. I also understand that total security is impossible. I'm looking to make the app as secure as possible (remember, against various people, not just one specific category... so some low-level security stuff would be good also). One specific thing I'd like to do is that I'd like to hide the files that are extracted from the JAR from the user. I know I can put a period in front of them for UNIX systems, but that might make Windows mad, plus they would still be visible to Windows users.... Beyond simply answering this question, I'd like additional security suggestions for a full-grade (unless there are none, which I hope is not the case!). Final comment, please take into account that people will have access to decompilers so any way to guard against that would be useful as well. Thanks in advance and thanks for taking the time to read all this. ;)
0
Comment
Question by:CI-Ia0s
  • 13
  • 10
  • 6
29 Comments
 
LVL 3

Author Comment

by:CI-Ia0s
ID: 12262963
P.S. There's a reason the point value is 500! Please be thorough and give at least a short explanation of the method of security when posting links!
0
 
LVL 9

Assisted Solution

by:DrWarezz
DrWarezz earned 50 total points
ID: 12263370
Well, it seems very secure to me already.
To increase security though, and prevent the use of decompilers, simply encode all of your java files, so that the .class files cannot be decoded properly.

If you'd like info on this, just say. :)

Other than that, I personally cannot think of anything else  --  Let's wait for some more opinions though. :)

Best of luck,[r.D]
0
 
LVL 9

Expert Comment

by:DrWarezz
ID: 12263382
*By 'decoded' I mean 'decompiled'  :)
0
 
LVL 3

Author Comment

by:CI-Ia0s
ID: 12263410
Information on encoding class files would be nice. Please, explain/link in detail. ;)

P.S. Any idea on how to make files invisible?
0
 
LVL 9

Expert Comment

by:DrWarezz
ID: 12263436
0
 
LVL 9

Expert Comment

by:DrWarezz
ID: 12263448
>"P.S. Any idea on how to make files invisible?"
Not easily. The only way I know is a program called "File-Buddy": http://www.esm.psu.edu/HTMLs/Faculty/Gray/software/utilities/File-Buddy-5.3.3-PPC.sit
that will allow you to change attributes such as visibility.
You can also paste blank space into the icon by using a graphics program. Just copy blank space, paste it into the icon via the get info window (select the icon in the get info window and hit paste).

:)
[r.D]
0
 
LVL 9

Expert Comment

by:DrWarezz
ID: 12263454
Woops -- very sorry, ignore that post.. That program is for Macs only :(
Give me a few minutes to see what I can find...
[r.D]
0
 
LVL 9

Expert Comment

by:DrWarezz
ID: 12263473
Hmm.. I can't find anything to make a Windows file invisible. :o\

What exactly do you want to make the file invisible for? Perhaps we can concolude an alternative? :)

[r.D]
0
 
LVL 3

Author Comment

by:CI-Ia0s
ID: 12263550
The files are extracted from the JAR into the folder with the app. If the user happens to get bored watching the decryption bar moving along he/she would go to the folder and see the files sitting there. I've considered a subdirectory, but in that case the user can still get in there. :(

I can't place the files into a specific folder on the user's machine as I don't know what will be on the user's machine. Thus, I'd want to have the files invisible, if possible...

P.S. The link you gave me only has one working link to a program I'd need and that program costs $200! (and while maybe not that significant, I'm not quite ready to shell that much out yet). Do you know of any others?
0
 
LVL 1

Accepted Solution

by:
MathewSchlabaugh earned 450 total points
ID: 12264361
I will start to answer your question by telling you to put on you hacker/cracker hat. Best way to ensure security is to try to break it yourself. What follows is a method of security that would upon implementation thwart efforts of newbies and irritates the greatest crackers anywhere! Since, absolute security IS not possible the best thing that can be accomplished is to make it EXTREMELY irritating to mess with the code. But before I outline some concepts for code security I will mention the following:

First Laws Of Programming:
      - Murphy's Law: If it can go wrong it will!!! (Program Against Failure!)
      - Added Security Features - Every new feature introduces new program failures.


"Hard Cracks" Outline

I. Decompiler Security
      A. Obfuscators
            1. Java byte code obfuscators and decompilers:
                  a. http://sourceforge.net/projects/javaguard
                  b. http://sourceforge.net/projects/proguard
                  c. http://sourceforge.net/projects/jode
                  d. http://sourceforge.net/projects/jest
                  e. Other commercial obfuscators are available search the web
                     - http://google.com
      B. Exceptions
            1. Do not allow any of your code to 'throw unchecked exceptions'
               and add a method to handle all unforeseen exceptions!
                        a. This is a common vulnerability in operating systems used by
                           assembly programmers to gain ring0 access and insert
                           authenticated code to do just about anything they want!
                        b. Always Have Generic Exception Handler:

                              try
                              { // Anything! }
                              catch( java.lang.Exception exception )
                              {
                                    System.out.println( "Unchecked Exception!!!\n" );
                                    exception.printStackTrace();
                              }
II. Compressed Files
      A. Jars are simply compressed files!
            1. Winzip - http://www.winzip.com
            2. WinRAR - http://www.rarlab.com
      B. Create a corrupt .jar file containing classes and keys inside of your main executable .jar
            1. Corrupt the CRC by removing raw bytes throughout the .jar file.
               Replace the code only after the main program
               (Class Loader) has authenticated the user.
      C. Class Loaders - Create a classloader which will authenticate the jar file.
      D. Jar Signing
            - http://java.sun.com/docs/books/tutorial/jar/sign/signing.html
            - http://www-106.ibm.com/developerworks/library/j-jar

III. Hiding Extacted Files
      A. Detect the OS and use file utilities
         (Completely hiding is impossible!
         Except if you use forensics techniques or memory mapping!)
      - Use java file utilities to change the Windows file attributes "+h" "+s"
        (Hidden File, System File)
      - Unix/Mac . in front of file

V. Program & Data Deletion
      A. No cure!!! Definition: idiot - User that deletes the files he needs!

***Last Note Trust:

If you don't trust your users, don't give them your software. Go for an server model and host the software yourself letting the customers access it as a remote service only.
0
 
LVL 3

Author Comment

by:CI-Ia0s
ID: 12264666
Alright, that's looking pretty good, just a few clarifications and I'll start dishing out some points. ;)

I have two requests:
First, could you please elaborate on II. B-D?
Second, could you post some example code about to detect which OS the user is using and how to set the hidden property for windows files?
Thanks!
0
 
LVL 3

Author Comment

by:CI-Ia0s
ID: 12266503
Ok. I've been toying with JARs and I've got II.B down pretty good I think. As for the others... I don't know what a class loader is and I'm confused by JAR signing. I also have no idea how to set windows file properties or detect an OS. Anyone?
0
 
LVL 1

Expert Comment

by:MathewSchlabaugh
ID: 12267876
Sure, I will post some example code for you in a little bit if you can be patient...I will help ya...by the way I am not a member just making comments...LOL
0
 
LVL 3

Author Comment

by:CI-Ia0s
ID: 12267918
That's how the system works... You don't have to be anyone special to post comments and help others. ;) Anyway, thanks for all the help so far. I'll be awaiting the sample code (There's no rush, so don't worry.)

P.S. I finished adding in the corrupted JAR system and it works like a charm. :D
0
Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

 
LVL 3

Author Comment

by:CI-Ia0s
ID: 12267976
P.P.S. You seem to be pretty knowledgeable about Java and security. You could be on your way to becoming an expert here. ;)
0
 
LVL 1

Expert Comment

by:MathewSchlabaugh
ID: 12268259
// OperatingSystemDetector.java - A class to detect your OS
// If their OS is not found print a nasty gram saying "Get a real OS!"
// Ha Ha!!!

import java.io.File;

public class OperatingSystemDetector
{
      public int WINDOWS = 1;
      public int UNIX_LINUX = 2;
      public int MACINTOSH = 3;
      
      public OperatingSystemDetector()
      {/* Default Constructor */}

      public int getOperatingSystemType()
      {
            String OperatingSystemDetector =
            "OperatingSystemDetector";
            File file = new File( OperatingSystemDetector );
            if( file.separator.equals( "\\" ) )
            {return WINDOWS;}
            if( file.separator.equals( "/" ) )
            {return UNIX_LINUX;}
            if( file.separator.equals( ":" ) )
            {return MACINTOSH;}
            else
            {return -1;}
      }
}
0
 
LVL 1

Expert Comment

by:MathewSchlabaugh
ID: 12268268
// TestOperatingSystemDetector.java -
// Just a test of the emergency brodcast system!!! LOL

public class TestOperatingSystemDetector
{
      public TestOperatingSystemDetector()
      {}

      public static void main( String args[] )
      {
            OperatingSystemDetector OSD =
            new OperatingSystemDetector();
            if( OSD.getOperatingSystemType() ==
            OSD.WINDOWS )
            {System.out.println(
            "Yep, you got a Windows Machine!!!" );}
            if( OSD.getOperatingSystemType() ==
            OSD.UNIX_LINUX )
            {System.out.println( "UNIX/LINUX box!!!" );}
            if( OSD.getOperatingSystemType() ==
            OSD.MACINTOSH )
            {System.out.println( "I think you got a Mac!!!" );}
      }
}
0
 
LVL 1

Expert Comment

by:MathewSchlabaugh
ID: 12268274
Well I am not exactly sure how this works on a Mac but because OS X is based on a unix model I assume it works like linux but if not I have been told the file separator on Macs is ':'.
0
 
LVL 3

Author Comment

by:CI-Ia0s
ID: 12268371
I'll try it and tell you how it goes. How about setting windows file properties to hidden?

P.S. I'm on a Mac and the Mac file separator is ":" ;)
0
 
LVL 1

Expert Comment

by:MathewSchlabaugh
ID: 12268539
// Setting the file properties for Windows files... :-)
// Please note the exec command is system dependent

public class TestWindowsAttributes
{
      public TestWindowsAttributes()
      {}

      public static void main( String args[] )
      {
            // Just an example you will have to gather
            // your individual file names and path strings
            // Remember on Windows separator is '\\' not '\'
            String fileName =
            "C:\\Docume~1\\Admini~1\\Desktop\\Document.txt";
            String executionString = "attrib " + fileName + " +H +S";
            try
            {Runtime.getRuntime().exec( executionString );}
            catch( java.io.IOException IOEx )
            {
                  System.out.println( "IO Exception!!!\n" );
                  IOEx.printStackTrace();
            }
            catch( java.lang.Exception Ex )
            {
                  System.out.println( "Unchecked Exception!!!\n" );
                  Ex.printStackTrace();
            }            
      }
}
0
 
LVL 1

Expert Comment

by:MathewSchlabaugh
ID: 12268562
// Setting the file properties for Unix/Linux files... :-)
// Please note the exec command is system dependent

public class TestWindowsAttributes
{
      public TestWindowsAttributes()
      {}

      public static void main( String args[] )
      {
            // Just an example you will have to gather
            // your individual file names and path strings
            String fileName = "/home/xenohacker/Desktop/Document.txt";
            String fileName2 = "/home/xenohacker/Desktop/.Document.txt";
            String executionString = "mv " + fileName + " " + fileName2;
            try
            {Runtime.getRuntime().exec( executionString );}
            catch( java.io.IOException IOEx )
            {
                  System.out.println( "IO Exception!!!\n" );
                  IOEx.printStackTrace();
            }
            catch( java.lang.Exception Ex )
            {
                  System.out.println( "Unchecked Exception!!!\n" );
                  Ex.printStackTrace();
            }
      }
}
0
 
LVL 1

Expert Comment

by:MathewSchlabaugh
ID: 12268646
Get ready for a monster soon Jar signing is a little more complicated...LOL!!!
0
 
LVL 3

Author Comment

by:CI-Ia0s
ID: 12268656
I can actually set the UNIX/LINUX invisibility when I create the files (will Windows explode if file names start with a dot?). The technique for hiding Windows files is useful though... I'll have to work on implementing that. That only leaves JAR signing and class loaders. After that the points are yours (in 20 for DrWarezz). :)
0
 
LVL 3

Author Comment

by:CI-Ia0s
ID: 12268969
Lol. Tomorrow, I'm tired (11 PM here!!!). :P I still have to implement Windows file hiding...
0
 
LVL 1

Expert Comment

by:MathewSchlabaugh
ID: 12283873
Sorry, CI-Ia0s I will get you your Jar signer...between school, work, and my GF I have been busy...plus a inside the program Jar signer is actually kinda a hack method in an of itself and is fround upon in the industry but...I will make it for ya...if you get the code before hand that is cool but I will have it for sure this weekend that is when I get most of my free time...LOL...until we speak again...
0
 
LVL 3

Author Comment

by:CI-Ia0s
ID: 12293411
Sounds good... Though from what you've been saying it sounds like you'll have to write me a full-fledged program (not your responsibility, you know :P ). Just a guide on how to use Jar signing would be good (The Sun guide is a bit hard to follow :\ ). Also I've noticed that I'll need to hide another key... Where does this one go?
0
 
LVL 1

Expert Comment

by:MathewSchlabaugh
ID: 12328762
I have checked all my books on Java and security. Everything I have on the entire subject refers to the JAR signer tool provided by Sun Microsystems. It is not meant to be done programmatically. If you think I am kidding these are the books I own and have read...I have found nothing for this really...

Java Security, 2nd Edition - http://www.oreilly.com/catalog/javasec2/

Java Cryptography Extensions - http://www.elsevier.com/wps/find/bookdescription.cws_home/702153/description

Decompiling Java - http://www.apress.com/book/bookDisplay.html?bID=240

Hacking Exposed Computer Forensics - http://shop.osborne.com/cgi-bin/osborne/0072256753.html

So my searches finally brought me to the web. The only code or tutorials on the entire web that could address the issue of JAR signing inside a program would be here:

http://www.onjava.com/pub/a/onjava/2001/04/12/signing_jar.html?page=1

"The jarsigner tool provides a way for developers to sign their JAR files with a given private key, so that others may verify the classes provided inside the archive. Unfortunately, neither this tool, nor the underlying sun.tools.jar.Main, is appropriate for embedding in other applications; in order to allow programmatic JAR signing"

However this little tutorial leaves out the SignatureFile class. So rather than write my own. I will just give you that URL and hope you can use it.

The appropriate alternative is to run the command to sign the jar file using the Runtime.getRuntime().exec(). This command will actually fork and run the JAR signer provided by Sun inside your program.

By the way the corrupted Jar is as easy as it sounds open the file remove bytes and write the file back out to disk without the bytes their the file is completely corrupt and will throw a CRC error in most all archiving utilities an is just about unopenable by anything. Be sure to mark the exact places the bytes were removed or you may get yourself into trouble.

REMEMBER: Murphy's Law program as if it is going to break and think of that.

***Why this system is effective - It is extremely irritating thing to reconstruct a file from raw bytes wouldn't you say? Especially, if the files are obfuscated and there are many of them...LOL

Wish you good luck on your endeavors! If this is a project you are working on have you thought of contracting a programmer to devote a little thought to this subject?

Respectfully, :-)
Mathew Schlabaugh
0
 
LVL 3

Author Comment

by:CI-Ia0s
ID: 12330183
Alright, I think I'm all set (JAR signing seems a bit too difficult to deal with now ;) ). As soon as I can get myself on a PC to test the file hiding I'll hand out the points. (This should hopefully be by monday or tuesday). Thanks for all the help!
0
 
LVL 3

Author Comment

by:CI-Ia0s
ID: 12364417
Thanks to DrWarezz and MathewSchlabaugh!
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
matchUp  challenge 9 71
array6 challenfge 6 62
Impossible to extract MSI from new JAVA releases 2 41
Problem to start Neon 20 52
An old method to applying the Singleton pattern in your Java code is to check if a static instance, defined in the same class that needs to be instantiated once and only once, is null and then create a new instance; otherwise, the pre-existing insta…
Go is an acronym of golang, is a programming language developed Google in 2007. Go is a new language that is mostly in the C family, with significant input from Pascal/Modula/Oberon family. Hence Go arisen as low-level language with fast compilation…
Viewers learn about the scanner class in this video and are introduced to receiving user input for their programs. Additionally, objects, conditional statements, and loops are used to help reinforce the concepts. Introduce Scanner class: Importing…
This tutorial covers a practical example of lazy loading technique and early loading technique in a Singleton Design Pattern.

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now