What to do with the key store file. Cryptography.

So let's say I implement an example like this for a real-life project. What do I do with the key store file so nobody finds it? Couldn't they just open it or copy it and have the key?

http://javaalmanac.com/egs/javax.crypto/DesString.html
turtletimer asked:
OBCT commented:
> So if I'm sending it just like that then it's pretty insecure, right?

Absolutely.

Just keep in mind that no matter how secure any system is made, it can always be broken. All you can do is slow down the process.

Seeing as you don't have much cryptography experience, I'd say the best way to tackle this would be to use an SSL connection between the client and server.
It will save you many hours of stress, liters of coffee and delay you going bald.

SSL is public key cryptography that's ready to go without you needing to worry about encryption and decryption.
Public key cryptography is more secure in this situation because having to share a secret key would make it more vulnerable.

Going back to the keystore...
You will need a separate keystore for the server containing its public key and a truststore for the client, also containing the server's public key.
The truststore could be distributed in the client's jar file.

Have a look at the following examples; they should be enough to get you started.

http://javaalmanac.com/egs/javax.net.ssl/Server.html
http://javaalmanac.com/egs/javax.net.ssl/Client.html

One more thing, if you want to learn more about Cryptography, there is a brilliant book written by Jonathan Knudsen called 'Java Cryptography'. I recommend this book to anyone wanting to learn about the subject.
http://ftp.cdut.edu.cn/pub3/uncate_doc/OReilly%20-%20Java%20Cryptography.pdf
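An added example (not from the thread, and not the Java Almanac code linked above) of the keystore/truststore split OBCT describes, wired to the login exchange from the question. The file names, passwords and port (server.jks, client-truststore.jks, "server-pass", "changeit", 8443) are assumptions for the demonstration. The point the question is really asking about: the truststore shipped in the client jar holds only the server's certificate, which is public, so copying it gains an attacker nothing; the server's private key stays in server.jks on the server and never ships. The client also turns on host name verification so a certificate that is trusted but names a different host is rejected.

```java
import javax.net.ssl.*;
import java.io.*;
import java.net.InetAddress;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;

/*
 * Added example, not from the original post. Assumed setup (all hypothetical):
 *  - server.jks             : server keystore holding the server's PRIVATE key and certificate,
 *                             password "server-pass"
 *  - client-truststore.jks  : holds ONLY the server's certificate (public), shipped inside the
 *                             client jar as a classpath resource, password "changeit"
 *  - the certificate's SAN/CN names the host the client dials ("localhost" below)
 */
public class TlsLogin {

    // ---- server side ----------------------------------------------------------
    static SSLServerSocket listen(int port, File keystore, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(keystore)) {
            ks.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);   // server proves its identity; clients stay anonymous
        return (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(port);
    }

    static void serveOneLogin(SSLServerSocket listener) throws IOException {
        try (SSLSocket s = (SSLSocket) listener.accept();
             BufferedReader in = new BufferedReader(new InputStreamReader(s.getInputStream(), StandardCharsets.UTF_8));
             Writer out = new OutputStreamWriter(s.getOutputStream(), StandardCharsets.UTF_8)) {
            String line = in.readLine();
            String[] fields = line == null ? new String[0] : line.split("\t");   // "10<TAB>user<TAB>password"
            if (fields.length == 3 && "10".equals(fields[0])) {
                out.write(checkCredentials(fields[1], fields[2]) ? "OK\n" : "FAIL\n");
            } else {
                out.write("BAD\n");
            }
            out.flush();
        }
    }

    // Placeholder only: a real server compares against a salted, slow password hash, never a literal.
    static boolean checkCredentials(String user, String password) {
        return "blah".equals(user) && "blah".equals(password);
    }

    // ---- client side ----------------------------------------------------------
    static SSLSocketFactory pinnedFactory(InputStream truststore, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        ts.load(truststore, password);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);                        // trust nothing except what is in the bundled truststore
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    static String login(SSLSocketFactory f, String host, int port, String user, String password) throws IOException {
        try (SSLSocket s = (SSLSocket) f.createSocket(InetAddress.getByName(host), port)) {
            // Verify the certificate names the host we dialled, not merely that it is trusted.
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS");
            s.setSSLParameters(p);
            s.startHandshake();              // SSLHandshakeException if the peer is not the pinned server
            Writer out = new OutputStreamWriter(s.getOutputStream(), StandardCharsets.UTF_8);
            out.write("10\t" + user + "\t" + password + "\n");
            out.flush();
            return new BufferedReader(new InputStreamReader(s.getInputStream(), StandardCharsets.UTF_8)).readLine();
        }
    }

    public static void main(String[] args) throws Exception {
        final int port = 8443;
        SSLServerSocket listener = listen(port, new File("server.jks"), "server-pass".toCharArray());
        Thread server = new Thread(() -> {
            try { serveOneLogin(listener); } catch (IOException e) { e.printStackTrace(); }
        });
        server.start();

        InputStream ts = TlsLogin.class.getResourceAsStream("/client-truststore.jks");
        SSLSocketFactory factory = pinnedFactory(ts, "changeit".toCharArray());
        System.out.println(login(factory, "localhost", port, "blah", "blah"));
        server.join();
    }
}
```

The assumed preparation is `keytool -genkeypair` into server.jks with a SAN matching the host name, then `keytool -exportcert` from it and `keytool -importcert` into client-truststore.jks. Because the client trust manager is initialised from that truststore alone, a certificate signed by any public CA is rejected; only the server whose private key matches the pinned certificate can complete the handshake.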
 
OBCT commented:
It really depends on how secure the key needs to be.
For something that needs to be very secure, you could put the key on a smart card and require a PIN to access the data.
Or if this is only to encrypt your emails from other people in your household, you may only need to burn the key to a CD and hide it under your bed :-p

It all comes down to what the key is going to be used to encrypt/decrypt.

turtletimer (author) commented:
It is going to be for a client/server game. The client would have to log in to my server app in order to play my multiplayer game. I wanted to encrypt the login details before I sent them over the socket. If I understand right, the client and the server both have the key store file. What do I do with the keystore file on the client side?

Or is there a better way to do this whole thing?

OBCT commented:
Sorry if I have misunderstood, but do you want to use public key cryptography (where both the client and server have their own key pair) or secret key cryptography (where the client and server would share the secret key)?

turtletimer (author) commented:
Whichever is more secure. That's what I am asking. What is the best way to remotely authenticate a user on my game server? I don't have any cryptography experience. I was under the impression that both the server and client would have an identical key file. But I am worried because on the client app, won't this key file just be sitting there saying "Hey, look at me, I'm the key"? On the client app there will be a login screen:

UserName: blah
Password: blah

Then I am going to send this to the socket on the server as: 10 blah blah

10 is a byte so the server knows what the client wants to do.

So if I'm sending it just like that then it's pretty insecure, right? So, what's the industry-standard way of doing this?

aozarov commented:
I agree with OBCT that SSL is probably a good fit for your needs, though if you are looking for a purely secure channel without the need to authenticate the two sides, then you can set SSL to use one of the anon cipher suites.
Doing so will give you a secure channel without needing truststores or distributing certificates.
This is an example of how to set up your SSL socket with an anon cipher:

import java.net.InetAddress;
import javax.net.ssl.*;

String[] CIPHER_SUITE = new String[]{ "SSL_DH_anon_WITH_RC4_128_MD5" };

// server
SSLServerSocket listen = (SSLServerSocket) SSLServerSocketFactory.getDefault().createServerSocket(port);
listen.setEnabledCipherSuites(CIPHER_SUITE);
...
SSLSocket socket = (SSLSocket) listen.accept();
socket.setEnabledCipherSuites(CIPHER_SUITE);


// client
SSLSocket socket = (SSLSocket) SSLSocketFactory.getDefault().createSocket(
        InetAddress.getByName(host), port);
socket.setEnabledCipherSuites(CIPHER_SUITE);

or for more generic code:

SSLServerSocketFactory factory = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(port);

// collect every anonymous (unauthenticated) suite the provider supports
String[] supported = server.getSupportedCipherSuites();
String[] anonCipherSuitesSupported = new String[supported.length];
int numAnonCipherSuitesSupported = 0;
for (int i = 0; i < supported.length; i++) {
    if (supported[i].indexOf("_anon_") > 0) {
        anonCipherSuitesSupported[numAnonCipherSuitesSupported++] = supported[i];
    }
}

// append the anon suites to whatever is already enabled
String[] oldEnabled = server.getEnabledCipherSuites();
String[] newEnabled = new String[oldEnabled.length + numAnonCipherSuitesSupported];
System.arraycopy(oldEnabled, 0, newEnabled, 0, oldEnabled.length);
System.arraycopy(anonCipherSuitesSupported, 0, newEnabled,
        oldEnabled.length, numAnonCipherSuitesSupported);

server.setEnabledCipherSuites(newEnabled);
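Anonymous Diffie-Hellman suites like the one enabled above encrypt the channel but authenticate neither side, so anyone who can sit between the client and the server can complete a handshake with each end and read the login in the clear; they only resist a passive sniffer. Recent JDKs also disable anon, NULL, RC4 and MD5-based suites by default through jdk.tls.disabledAlgorithms in java.security, so the suite above will not negotiate without editing that list. The following is an added example (not from the thread) of the reverse filter: it keeps only suites that authenticate the server and use unbroken primitives. The suite names it is run against are a constructed sample.

```java
import javax.net.ssl.SSLServerSocket;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/* Added example, not from the original post: restrict a listener to cipher suites
 * that authenticate the server, the opposite of collecting every "_anon_" suite. */
public class AuthenticatedSuites {

    // Substrings marking a suite as unauthenticated or cryptographically weak.
    private static final String[] REJECT = {
        "_ANON_",   // anonymous DH/ECDH: encrypted but unauthenticated, trivial active MITM
        "_NULL_",   // no encryption
        "_EXPORT",  // 40/56-bit export grades
        "_RC4_",    // broken stream cipher
        "_DES_",    // single DES
        "3DES",     // 64-bit block cipher (Sweet32)
        "_MD5"      // MD5-based MAC
    };

    static boolean isAcceptable(String suite) {
        String s = suite.toUpperCase();
        for (String bad : REJECT) {
            if (s.contains(bad)) return false;
        }
        return true;
    }

    // The subset of 'suites' passing the filter, in the provider's preference order.
    static String[] authenticatedOnly(String[] suites) {
        List<String> keep = new ArrayList<>();
        for (String s : suites) {
            if (isAcceptable(s)) keep.add(s);
        }
        if (keep.isEmpty()) {
            throw new IllegalStateException("no acceptable cipher suite available");
        }
        return keep.toArray(new String[0]);
    }

    // Apply the filter to a live listener and allow only TLS 1.2 and 1.3.
    static void harden(SSLServerSocket server) {
        server.setEnabledCipherSuites(authenticatedOnly(server.getEnabledCipherSuites()));
        List<String> protocols = new ArrayList<>();
        for (String p : server.getSupportedProtocols()) {
            if (p.equals("TLSv1.3") || p.equals("TLSv1.2")) protocols.add(p);
        }
        server.setEnabledProtocols(protocols.toArray(new String[0]));
    }

    public static void main(String[] args) {
        // Constructed sample of names a JSSE provider may report.
        String[] sample = {
            "SSL_DH_anon_WITH_RC4_128_MD5",            // the suite from the post above
            "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
            "TLS_RSA_WITH_NULL_SHA256",
            "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_AES_256_GCM_SHA384"
        };
        System.out.println(Arrays.toString(authenticatedOnly(sample)));
    }
}
```

With the sample above only the three AES-GCM suites survive. Restricting suites on the server side is what matters: a client cannot be trusted to refuse a downgrade, and the anon suites add nothing once the server carries a certificate the client pins.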
 
OBCT commented:
:-)