generating secure tokens

 
Ranch Hand
Posts: 126
Hi,

I need to generate tokens that will be used to identify users between two systems. Ideally I'd like the tokens to be strings of a fixed length, containing only ASCII characters. Because the tokens will be used to uniquely identify users, each token generated must be unique (or the possibility of collisions should be very small).

I've had a look in the Java libraries and found the following classes which may be useful:

SecureRandom
KeyGenerator

Can either of these classes be used to generate keys that fit my requirements defined above? If so, then a pointer to some relevant source code examples would be very much appreciated.

Thanks in advance,
Dan
 
Ranch Hand
Posts: 89
You can look at this. It might be helpful. It is a sample code on Sun's site explaining cryptography using AES.
As far as ASCII is concerned, I think you can try encoding the key in Base64 format while storing it. You can use the encodeBuffer method of the sun.misc.BASE64Encoder class and the decodeBuffer method of the sun.misc.BASE64Decoder class.
[ April 09, 2008: Message edited by: K Aditi ]
 
Ranch Hand
Posts: 1282
SecureRandom and KeyGenerator are likely stronger than what you need, based on your description. As always, all caveats apply. I patched this together in a few minutes to suggest some areas of investigation. Base64 encoding will not generate randomness; you could, however, use it to convert some random source to characters that will go down the wire effectively.

A lot of this depends on the climate in which this will be used. If it is people who will read something in the address bar and become interested then this is not to be considered secure. If the machines are already known it may be better to just put some human readable identifiers as calling random anything sorta does not make sense if MachineOne, MachineTwo and so on will suffice and such could be hardcoded or shipped out as html hidden input tags.

Asking for secure tokens in a security forum suggests you may need something that actually generates secure transactions. Try reading about PKI as that may be what you actually need.


[ April 11, 2008: Message edited by: Nicholas Jordan ]
 
Rancher
Posts: 4803

Originally posted by Dan Murphy:

I need to generate tokens that will be used to identify users between two systems. Ideally I'd like the tokens to be strings of a fixed length, containing only ASCII characters. Because the tokens will be used to uniquely identify users, each token generated must be unique (or the possibility of collisions should be very small).

Converting the binary output to ASCII is trivial, use UUEncode, MIME, HEX, etc.

How do you plan to exchange the tokens? The only hard part of strong crypto is key management. All the rest is just using the algorithms.

You could hire an ex-Secret Service agent, have him carry the secret in a briefcase handcuffed to his wrist, etc. like the old spy movies. It gets kinda expensive.

RSA was invented to help manage keys, and it works. But it's probably overkill for your application. Kinda hard to tell from the OP.
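Pulling together the points in the thread so far (Dan's fixed-length ASCII requirement, the Base64 suggestion, Nicholas's note that the encoding adds no randomness, and Pat's "hex or MIME" remark), here is an added example of the SecureRandom approach. It is not code from any poster; it assumes Java 8 or later so that java.util.Base64 is available instead of the JDK-internal sun.misc classes, and the class and method names are the example's own. Twenty-four random bytes give 192 bits of entropy, so by the birthday bound a collision is not expected until on the order of 2^96 tokens have been issued; because 24 is a multiple of 3, unpadded Base64 always yields exactly 32 characters, and hex always yields 48. A KeyGenerator would produce random bytes too, but SecureRandom is the direct tool when no cipher key is involved.

```java
import java.security.SecureRandom;
import java.util.Base64;

// Added example: fixed-length, ASCII-only identifier tokens from SecureRandom.
public final class TokenGenerator {

    // One SecureRandom for the life of the process; the JVM seeds it from the OS.
    private static final SecureRandom RNG = new SecureRandom();

    // 24 bytes = 192 bits of entropy. 24 is a multiple of 3, so unpadded Base64
    // is exactly 24 * 4 / 3 = 32 characters; hex is 24 * 2 = 48 characters.
    public static final int TOKEN_BYTES = 24;
    public static final int BASE64_LENGTH = TOKEN_BYTES * 4 / 3;   // 32
    public static final int HEX_LENGTH = TOKEN_BYTES * 2;          // 48

    private static final String HEX_DIGITS = "0123456789abcdef";

    /** Returns a fresh array of TOKEN_BYTES cryptographically random bytes. */
    private static byte[] randomBytes() {
        byte[] buf = new byte[TOKEN_BYTES];
        RNG.nextBytes(buf);
        return buf;
    }

    /**
     * Token as URL-safe Base64 (A-Z, a-z, 0-9, '-', '_') with no padding, always
     * 32 chars. The encoding adds no randomness; it only maps random bytes to
     * printable ASCII that survives URLs, headers and form fields.
     */
    public static String base64Token() {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(randomBytes());
    }

    /** Same entropy as lowercase hex (0-9, a-f), always 48 chars; longer but safe anywhere. */
    public static String hexToken() {
        StringBuilder sb = new StringBuilder(HEX_LENGTH);
        for (byte b : randomBytes()) {
            sb.append(HEX_DIGITS.charAt((b >> 4) & 0x0F));
            sb.append(HEX_DIGITS.charAt(b & 0x0F));
        }
        return sb.toString();
    }

    /**
     * Receiving-side check: reject anything that is not exactly BASE64_LENGTH
     * URL-safe Base64 characters before using it as a lookup key, so malformed
     * or oversized input never reaches the store.
     */
    public static boolean isWellFormedBase64Token(String token) {
        if (token == null || token.length() != BASE64_LENGTH) {
            return false;
        }
        for (int i = 0; i < token.length(); i++) {
            char c = token.charAt(i);
            boolean ok = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z')
                      || (c >= '0' && c <= '9') || c == '-' || c == '_';
            if (!ok) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        String b64 = base64Token();
        String hex = hexToken();
        System.out.println("base64: " + b64 + " (" + b64.length()
                + " chars, well-formed=" + isWellFormedBase64Token(b64) + ")");
        System.out.println("hex:    " + hex + " (" + hex.length() + " chars)");
    }
}
```

Whichever encoding is chosen, the token should be treated as an opaque secret on both systems: store it (or a hash of it) server-side as the lookup key, compare it in full, and never derive it from user data such as names or timestamps, which is where the uniqueness and unpredictability would otherwise be lost.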
 
Nicholas Jordan
Ranch Hand
Posts: 1282
Dan, give extra attention to what Pat says. He is not only formally trained but also has field experience. It is difficult to provide exact advice until we know more about what your operational environment is. I suggest you include human factors in your approach. What you describe sounds like you just want to have a record of what machine the request came from.

Key management is such a pain that it is even difficult to talk about it unless you have someone with 5+ years operational skill building. In general small shops use the trust model, everyone has a reasonably clear idea what is going on and actual funds are kept in a secure institution that has the expertise to do real controls.

Check out The Java Authentication and Authorization Service (JAAS) - that may do everything you need.
 
Greenhorn
Posts: 1
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Spy films also enjoyed something of a revival in the late 1990s, although these were often action films with espionage elements, or comedies like Austin Powers. Today, spy films have trended away from fantasy elements in favor of realism. This trend can be seen in Syriana, the Bourne film series and the more recent James Bond films Casino .
 
reply
    Bookmark Topic Watch Topic
  • New Topic