How to hide key in client?

Jerry Crothers
Ranch Hand

Joined: Mar 06, 2001
Posts: 34
I am using a DES decryption method in my Swing client. How do I make the key ("secret123") hidden?
I am planning to obfuscate the source code, but decompiling it would show the string?

Jerry.

import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

private static String decrypt(String str) {
    // Hard-coded key: this literal is stored as-is in the compiled class file.
    // DES keys are 8 bytes; this 9-byte value makes init() throw InvalidKeyException.
    SecretKey key = new SecretKeySpec("secret123".getBytes(StandardCharsets.US_ASCII), "DES");
    try {
        Cipher dcipher = Cipher.getInstance("DES");
        dcipher.init(Cipher.DECRYPT_MODE, key);

        // Decode base64 to get bytes (java.util.Base64 replaces the removed sun.misc.BASE64Decoder)
        byte[] dec = Base64.getMimeDecoder().decode(str);

        // Decrypt
        byte[] utf8 = dcipher.doFinal(dec);

        // Decode using utf-8
        return new String(utf8, StandardCharsets.UTF_8);
    } catch (GeneralSecurityException | IllegalArgumentException e) {
        // Same result as the original empty catch blocks: any failure returns null
        return null;
    }
}
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42913
You can make it harder to uncover the key from the source, but if the JVM ultimately uses the key, then a sufficiently determined hacker can recover it as well.

But let's take a step back. What is the point of encryption if the client is allowed to see the clear text anyway? (That's my roundabout way of saying: can you say a bit more about the context - maybe there's a different way of designing the system that doesn't put the key in danger).
Jerry Crothers
Ranch Hand

Joined: Mar 06, 2001
Posts: 34
I am using HTTP to talk to Java servlets from a Swing app. The data is encrypted/decrypted at both ends and also sent zipped. The data is not real sensitive so if it is hacked it won't be a major problem.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42913
Have you considered using an HTTPS connection, and sending the data in cleartext over that? The end result (data is encrypted in transport) is about the same, and the class libraries do more of the work for you.