How to hide key in client?

Jerry Crothers
Ranch Hand

Joined: Mar 06, 2001
Posts: 34
I am using a DES decryption method in my Swing client. How do I make the key ("secret123") hidden?
I am planning to obfuscate the source code, but decompiling it would show the string?

Jerry.

    import java.nio.charset.StandardCharsets;
    import java.security.GeneralSecurityException;
    import java.util.Base64;
    import javax.crypto.Cipher;
    import javax.crypto.SecretKey;
    import javax.crypto.spec.SecretKeySpec;

    private static String decrypt(String str) {
        // Hard-coded key, kept as posted (note that a DES key is 8 bytes long)
        SecretKey key = new SecretKeySpec("secret123".getBytes(StandardCharsets.UTF_8), "DES");
        try {
            Cipher dcipher = Cipher.getInstance("DES");
            dcipher.init(Cipher.DECRYPT_MODE, key);

            // Decode base64 to get bytes (java.util.Base64 replaces the internal sun.misc decoder)
            byte[] dec = Base64.getMimeDecoder().decode(str);

            // Decrypt
            byte[] utf8 = dcipher.doFinal(dec);

            // Decode using utf-8
            return new String(utf8, StandardCharsets.UTF_8);
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            // Any key, cipher, padding or base64 failure ends up here; the caller gets null
            return null;
        }
    }
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41106
    
  45
You can make it harder to uncover the key from the source, but if the JVM ultimately uses the key, then a sufficiently detemined hacker can recover it as well.

But let's take a step back. What is the point of encryption if the client is allowed to see the clear text anyway? (That's my roundabout way of saying: can you say a bit more about the context - maybe there's a different way of designing the system that doesn't put the key in danger).


Ping & DNS - my free Android networking tools app
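Added example (not code from the thread or from either poster): a small Java check that reads a compiled class file's constant pool and lists its string literals, showing that a key written as a literal is stored as readable text in the client's bytecode. The class name `ClassStringAudit` and the `SAMPLE_KEY` value are constructed for illustration.

```java
import java.io.DataInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;

// Added example: lists the string literals stored in a compiled .class file.
public class ClassStringAudit {
    // Constructed sample value standing in for a key embedded in client code.
    static final String SAMPLE_KEY = "constructed-sample-key";

    static List<String> stringLiterals(InputStream classFile) throws IOException {
        DataInputStream in = new DataInputStream(classFile);
        if (in.readInt() != 0xCAFEBABE) throw new IOException("not a class file");
        in.readInt();                                   // minor and major version
        int count = in.readUnsignedShort();             // constant_pool_count
        String[] utf8 = new String[count];
        List<Integer> literalRefs = new ArrayList<>();
        for (int i = 1; i < count; i++) {               // entries are numbered from 1
            int tag = in.readUnsignedByte();
            switch (tag) {
                case 1: utf8[i] = in.readUTF(); break;                   // Utf8 text
                case 8: literalRefs.add(in.readUnsignedShort()); break;  // String -> Utf8 index
                case 5: case 6: in.readFully(new byte[8]); i++; break;   // Long/Double use 2 slots
                case 15: in.readFully(new byte[3]); break;               // MethodHandle
                case 7: case 16: case 19: case 20:                       // Class, MethodType, Module, Package
                    in.readFully(new byte[2]); break;
                case 3: case 4: case 9: case 10: case 11: case 12: case 17: case 18:
                    in.readFully(new byte[4]); break;                    // numeric, member refs, dynamic
                default: throw new IOException("unknown constant tag " + tag);
            }
        }
        List<String> literals = new ArrayList<>();
        for (int ref : literalRefs) literals.add(utf8[ref]);  // resolve after the full pool is read
        return literals;
    }

    public static void main(String[] args) throws IOException {
        // Audit the class file given as an argument, or this class's own bytecode.
        try (InputStream in = args.length > 0
                ? Files.newInputStream(Paths.get(args[0]))
                : ClassStringAudit.class.getResourceAsStream("ClassStringAudit.class")) {
            if (in == null) throw new IOException("class file not found");
            for (String s : stringLiterals(in)) System.out.println("literal: " + s);
        }
    }
}
```

Compile it with `javac` and run it with no arguments to audit its own class file, or pass the path of another `.class` file from a build output directory.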
Jerry Crothers
Ranch Hand

Joined: Mar 06, 2001
Posts: 34
I am using HTTP to talk to Java servlets from a Swing app. The data is encrypted/decrypted at both ends and also sent zipped. The data is not real sensitive so if it is hacked it won't be a major problem.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41106
Have you considered using an HTTPS connection, and sending the data in cleartext over that? The end result (data is encrypted in transport) is about the same, and the class libraries do more of the work for you.