
How to hide key in client?

 
Jerry Crothers
Ranch Hand
Posts: 34
I am using a DES decryption method in my Swing client. How do I make the key ("secret123") hidden?
I am planning to obfuscate the source code, but decompiling it would show the string?

Jerry.

import java.io.UnsupportedEncodingException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

private static String decrypt(String str) {
    Cipher dcipher;
    // Hard-coded key: the literal is stored as-is in the class file's constant pool,
    // so obfuscation does not hide it. Note also that a DES key is exactly 8 bytes;
    // "secret123" is 9 bytes, which the standard provider rejects with
    // InvalidKeyException (silently swallowed by the empty catch below).
    SecretKey key = new SecretKeySpec("secret123".getBytes(), "DES");
    try {
        // "DES" alone resolves to DES/ECB/PKCS5Padding with the default provider
        dcipher = Cipher.getInstance("DES");
        dcipher.init(Cipher.DECRYPT_MODE, key);

        // Decode base64 to get bytes (java.util.Base64 replaces the
        // non-public sun.misc.BASE64Decoder, which is not available on modern JDKs)
        byte[] dec = Base64.getDecoder().decode(str);

        // Decrypt
        byte[] utf8 = dcipher.doFinal(dec);

        // Decode using utf-8
        return new String(utf8, "UTF8");

    // Empty catch blocks hide every failure (wrong key size, bad padding, tampered
    // input) behind a null return; at minimum log the exception here.
    } catch (NoSuchPaddingException e) {
    } catch (NoSuchAlgorithmException e) {
    } catch (InvalidKeyException e) {
    } catch (BadPaddingException e) {
    } catch (IllegalBlockSizeException e) {
    } catch (UnsupportedEncodingException e) {
    }
    return null;
}
 
Ulf Dittmer
Rancher
Posts: 42967
73
You can make it harder to uncover the key from the source, but if the JVM ultimately uses the key, then a sufficiently determined hacker can recover it as well.

But let's take a step back. What is the point of encryption if the client is allowed to see the clear text anyway? (That's my roundabout way of saying: can you say a bit more about the context - maybe there's a different way of designing the system that doesn't put the key in danger).
 
Jerry Crothers
Ranch Hand
Posts: 34
I am using http to talk to java servlets from a swing app. The data is encrypted/decrypted at both ends and also sent zipped. The data is not real sensitive so if it is hacked it won't be a major problem.
 
Ulf Dittmer
Rancher
Posts: 42967
73
Have you considered using an HTTPS connection, and sending the data in cleartext over that? The end result (data is encrypted in transport) is about the same, and the class libraries do more of the work for you.
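The approach suggested above, written out as an added example (not code from either poster): the Swing client posts its payload in cleartext over an HTTPS connection, keeps the gzip compression the original scheme used, and carries no shared secret at all, since TLS supplies transport confidentiality and server authentication. The endpoint URL, the `HttpsClient` class name and the `post`/`gzip` helpers are assumptions for this example; the servlet on the other side would simply wrap `request.getInputStream()` in a `GZIPInputStream`.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.zip.GZIPOutputStream;
import javax.net.ssl.HttpsURLConnection;

public class HttpsClient {

    // Hypothetical servlet endpoint (assumption for this example); use the real one.
    private static final String ENDPOINT = "https://example.com/app/DataServlet";

    // Sends payload to the servlet over TLS and returns the response body as text.
    public static String post(String payload) throws IOException {
        URL url = new URL(ENDPOINT);
        // HttpsURLConnection validates the server certificate against the JVM's
        // default trust store and verifies the hostname; nothing secret lives in the client.
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setConnectTimeout(10_000);
        conn.setReadTimeout(30_000);
        conn.setRequestProperty("Content-Type", "text/plain; charset=UTF-8");
        // Keep the "sent zipped" property of the original design; the servlet
        // reads the body through a GZIPInputStream.
        conn.setRequestProperty("Content-Encoding", "gzip");

        byte[] body = gzip(payload.getBytes(StandardCharsets.UTF_8));
        try (OutputStream out = conn.getOutputStream()) {
            out.write(body);
        }

        int status = conn.getResponseCode();
        if (status != HttpsURLConnection.HTTP_OK) {
            throw new IOException("Server returned HTTP " + status);
        }
        try (InputStream in = conn.getInputStream()) {
            return new String(in.readAllBytes(), StandardCharsets.UTF_8);
        }
    }

    // gzip-compresses a byte array in memory.
    static byte[] gzip(byte[] data) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (GZIPOutputStream gz = new GZIPOutputStream(buf)) {
            gz.write(data);
        }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        System.out.println(post("hello from the Swing client"));
    }
}
```

The important design point is what is absent: there is no `SecretKeySpec`, so there is nothing for a decompiler to find. Certificate and hostname checks are left at the JDK defaults on purpose; a client that replaces the trust manager to accept any certificate loses exactly the protection this change is meant to provide.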
 