How to secure an applet's source code ? ?

I'm sure this has been done before but I cant find it in the applet archives, basically I want users to be able to download my applet and use it but not be able to view the code, at least not in a way that will make any sense to them. I am aware of obfuscation and it is an option. If I could, I would prefer some means of encryption that would encrypt the class file and decrypt it at the very last moment preventing anyone from snooping through the class file. Anyone know of:
a. how to do this or
b. A tool / API that does this
Thanks
Dermot

Hi Dermot,
Well, since you're working with Applets, the !@#$% sandbox is going to give you some fits with encryption. The reason is, you will have to define a ClassLoader that either reads encrypted bytes or perhaps a SealedObject. Of course when you attempt to define a ClassLoader in an Applet, you're going to get a SecurityException.
Here is some sample code if you want to pursue the class encryption path:

import java.io.*;
import javax.crypto.*;
import javax.crypto.spec.*;
import java.security.*;
import java.lang.reflect.*;
public final class EncryptedClass {
    private Cipher encrypt;
    private Cipher decrypt;
    private static final String DEFAULT_KEY = "ENCRYPT_KEY_PAD_TO_24_BYTES";
    public EncryptedClass() throws GeneralSecurityException {
        this(DEFAULT_KEY);
    }
    public EncryptedClass(String key) throws GeneralSecurityException {
        byte[] encryptKey = key.getBytes();
        DESedeKeySpec spec = new DESedeKeySpec(encryptKey);
        SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("DESede");
        SecretKey theKey = keyFactory.generateSecret(spec);
        encrypt = Cipher.getInstance("DESede/ECB/PKCS5Padding");
        decrypt = Cipher.getInstance("DESede/ECB/PKCS5Padding");
        encrypt.init(Cipher.ENCRYPT_MODE, theKey);
        decrypt.init(Cipher.DECRYPT_MODE, theKey);
    }
    public SealedObject sealClassBytes(String className)
                            throws IOException, IllegalBlockSizeException {
        return new SealedObject(new ClassBytes(className), encrypt);
    }
    public byte[] unsealClassBytes(SealedObject sealed) throws IOException,
                                                    ClassNotFoundException,
                                                  GeneralSecurityException {
        return ((ClassBytes) sealed.getObject(decrypt)).getClassBytes();
    }
}
final class EncryptedClassLoader extends ClassLoader {
    public EncryptedClassLoader() {
        super();
    }
    public Class getEncryptedClass(byte[] classBytes, String name) {
        return defineClass(name, classBytes,0, classBytes.length);
    }
}
final class ClassBytes implements Serializable {
    private byte[] classBytes;
    public ClassBytes(String className) throws IOException {
        FileInputStream fis = new FileInputStream(new File(className));
        classBytes = new byte[(int) fis.getChannel().size()];
        fis.read(classBytes);
    }
    public byte[] getClassBytes() {
        return classBytes;
    }
}

This code uses the triple DES algorithm but you can change it to whatever. Note that the salt (key) has to be 24 bytes. I also use a SealedObject for convenience. This will transport easily across the network. Of course you'll have to send the salt in order to decrypt the class or use the default.
This is just a framework and a lot more work will have to be done for a production version and you will still have to deal with sandbox.
Hope this is somewhat helpful,
Michael Morris
[ February 04, 2003: Message edited by: Michael Morris ]

Thanks for the code Michael, looks like a good starting point. I think I'll have to do some serious digging on ClassLoader and how it works in relation to Applets, any ideas or inspiration (be it divine or otherwise) will of course be shared with fellow ranchers. I can�t help but think that people would be really interested in a solution to this problem.