Java Security, Encryption, and JAR files
Posted on 2004-10-08
I'm sure many of you have seen my previous questions about RegCodeX. RegCodeX creates an installer program to install a file (if a name/password combination is correctly supplied). Now I'm almost ready to release the app and it's time to tighten up security. Quick summary of the program's actions:
RegCodeX gets various input from the user and creates a bunch of source files which it compiles. It also encrypts a file selected by the user. The key used to encrypt the data and the encrypted data itself are stuffed into a JAR along with the class files and the manifest for the installer program. When the installer program is run it takes out anything it needs from the JAR (encryption file, key file, etc.) and decrypts the file. Note that the encrypting input/output and encrypting/decrypting process is done chunk by chunk so that large files can be processed.
Yes, there are more details but they are, I think, irrelevant to security. I'm looking for any and all ways to increase security for the program, from securing it against a complete computer newbie, to a top-notch Java programmer (or other programmer, C++, etc. for that matter). And yes, the key and data MUST be sent with the file and cannot be located on a server. I also understand that total security is impossible. I'm looking to make the app as secure as possible (remember, against various people, not just one specific category... so some low-level security stuff would be good also).
One specific thing I'd like to do is hide the files that are extracted from the JAR from the user. I know I can put a period in front of them for UNIX systems, but that might make Windows mad, plus they would still be visible to Windows users...
Beyond simply answering this question, I'd like additional security suggestions for a full-grade (unless there are none, which I hope is not the case!). Final comment: please take into account that people will have access to decompilers, so any way to guard against that would be useful as well. Thanks in advance and thanks for taking the time to read all this. ;)