What to do with the key store file.  Cryptography.

Posted on 2005-04-12
Last Modified: 2010-03-31
So let's say I implement an example like this for a real life project.  What do I do with the key store file so nobody finds it?  Couldn't they just open it or copy it and have the key?

http://javaalmanac.com/egs/javax.crypto/DesString.html
Question by:turtletimer
7 Comments
LVL 9

Expert Comment

by:OBCT
ID: 13763781
It really depends on how secure the key needs to be.
For something that needs to be very secure, you could put the key on a smart card and require a PIN to access the data.
Or if this is only to encrypt your emails from other people at your household, you may only need to burn the key to a CD and hide it under your bed :-p

It all comes down to what the key is going to be used to encrypt/decrypt.

Author Comment

by:turtletimer
ID: 13765311
It is going to be for a client/server game.  The client would have to log in to my server app in order to play my multiplayer game.  I wanted to encrypt the login details before I sent them over the socket.  If I understand right, the client and the server have the key store file.  What do I do with the keystore file on the client side?

Or is there a better way to do this whole thing?
LVL 9

Expert Comment

by:OBCT
ID: 13765359
Sorry if I have misunderstood, but do you want to use public key cryptography (where both the client and server have their own key pair) or secret key cryptography (where both the client and server would share the secret key)?

Author Comment

by:turtletimer
ID: 13765680
Whichever is more secure.  That's what I am asking.  What is the best way to remotely authenticate a user on my game server?  I don't have any cryptography experience.  I was under the impression that both the server and client would have an identical key file.  But I am worried because, on the client app, won't this key file just be sitting there saying "Hey, look at me, I'm the key"?  On the client app there will be a login screen:

UserName: blah
Password: blah

Then I'm going to send this to the socket on the server as: 10 blah blah

10 is a byte so the server knows what the client wants to do.

So if I'm sending it just like that then it's pretty insecure, right?  So, what's the industry standard way of doing this?
LVL 9

Accepted Solution

by:OBCT (earned 600 total points)
ID: 13765916
>So if I'm sending it just like that then it's pretty insecure, right?

Absolutely.

Just keep in mind that no matter how secure any system is made, it can always be broken. All you can do is slow down the process.

Seeing as you don't have much cryptography experience, I'd say the best way to tackle this would be using an SSL connection between the client and server.
It will save you many hours of stress, liters of coffee and delay you going bald.

SSL is public key cryptography that's ready to go without you needing to worry about encryption and decryption.
Public key cryptography is more secure in this situation because having to share a secret key would make it more vulnerable.

Going back to the keystore...
You will need a separate keystore for the server containing its public key and a truststore for the client also containing the server's public key.
The truststore could be distributed in the client's jar file.

Have a look at the following examples; they should be enough to get you started.

http://javaalmanac.com/egs/javax.net.ssl/Server.html
http://javaalmanac.com/egs/javax.net.ssl/Client.html

One more thing, if you want to learn more about Cryptography, there is a brilliant book written by Jonathan Knudsen called 'Java Cryptography'. I recommend this book to anyone wanting to learn about the subject.
http://ftp.cdut.edu.cn/pub3/uncate_doc/OReilly%20-%20Java%20Cryptography.pdf
LVL 15

Assisted Solution

by:aozarov (earned 400 total points)
ID: 13768794
I agree with OBCT that SSL is probably a good fit for your needs, though if you are looking for a pure secure channel without the need to authenticate the two sides, then you can set SSL to use one of the anonymous cipher suites.
Doing so will enable you to have a secure channel without the need of having truststores and distributing certificates.
This is an example of how to set up your SSL socket with an anonymous cipher suite:

// Both sides need: import java.net.InetAddress; import javax.net.ssl.*;
String[] CIPHER_SUITE = new String[]{ "SSL_DH_anon_WITH_RC4_128_MD5" };

// server
SSLServerSocket listen = (SSLServerSocket) SSLServerSocketFactory.getDefault().createServerSocket(port);
listen.setEnabledCipherSuites(CIPHER_SUITE);
...
SSLSocket socket = (SSLSocket) listen.accept();
socket.setEnabledCipherSuites(CIPHER_SUITE);


// client
SSLSocket socket = (SSLSocket) SSLSocketFactory.getDefault().createSocket(
        InetAddress.getByName(host), port);
socket.setEnabledCipherSuites(CIPHER_SUITE);

or for more generic code:

SSLServerSocketFactory factory = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(port);

// collect every supported suite whose name marks it as anonymous (no certificate involved)
String[] supported = server.getSupportedCipherSuites();
String[] anonCipherSuitesSupported = new String[supported.length];
int numAnonCipherSuitesSupported = 0;
for (int i = 0; i < supported.length; i++) {
    if (supported[i].indexOf("_anon_") > 0) {
        anonCipherSuitesSupported[numAnonCipherSuitesSupported++] = supported[i];
    }
}

// append the anonymous suites to the suites that are enabled by default
String[] oldEnabled = server.getEnabledCipherSuites();
String[] newEnabled = new String[oldEnabled.length + numAnonCipherSuitesSupported];
System.arraycopy(oldEnabled, 0, newEnabled, 0, oldEnabled.length);
System.arraycopy(anonCipherSuitesSupported, 0, newEnabled,
        oldEnabled.length, numAnonCipherSuitesSupported);

server.setEnabledCipherSuites(newEnabled);
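The client side of what OBCT's accepted answer describes (a truststore shipped inside the client jar that holds only the game server's certificate), written so that the "_anon_" suites aozarov's snippet enables are excluded, since those skip server authentication and let anyone on the path between client and server read the login. This is an added example, not code from either post or from the linked almanac pages; the class name, resource path and truststore password are assumptions.

```java
import java.io.InputStream;
import java.net.InetAddress;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.*;

public class GameTlsClient {
    // Assumed for this example: the truststore is bundled in the client jar under this
    // resource name and holds only the server's certificate; the password is a placeholder.
    private static final String TRUSTSTORE_RESOURCE = "/game-truststore.jks";
    private static final char[] TRUSTSTORE_PASSWORD = "changeit".toCharArray();

    /** SSLContext that trusts only what is in the bundled truststore, not the JVM's CA list. */
    static SSLContext buildContext() throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = GameTlsClient.class.getResourceAsStream(TRUSTSTORE_RESOURCE)) {
            if (in == null) throw new IllegalStateException("truststore missing from jar");
            ts.load(in, TRUSTSTORE_PASSWORD);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Drop every "_anon_" suite: those skip server authentication entirely. */
    static String[] withoutAnonSuites(String[] suites) {
        List<String> keep = new ArrayList<>();
        for (String s : suites) {
            if (!s.contains("_anon_")) keep.add(s);
        }
        return keep.toArray(new String[0]);
    }

    /** Open the login connection; the handshake fails unless the server proves it holds the key. */
    static SSLSocket connect(String host, int port) throws Exception {
        SSLSocket socket = (SSLSocket) buildContext().getSocketFactory()
                .createSocket(InetAddress.getByName(host), port);
        socket.setEnabledCipherSuites(withoutAnonSuites(socket.getEnabledCipherSuites()));
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS"); // also match host name to certificate
        socket.setSSLParameters(params);
        socket.startHandshake();
        return socket; // send the "10 user password" login over socket.getOutputStream()
    }
}
```

The server keeps its private key in its own keystore and never ships it; only the certificate (public key) goes into the client truststore, which is why copying the client jar does not give an attacker the key the original question worried about.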
LVL 9

Expert Comment

by:OBCT
ID: 13773635
:-)