
How To Encrypt JavaBean

 
Isaac Hewitt
Ranch Hand
Posts: 191
Netbeans IDE
My mail program stores data in a JavaBean which includes email contacts, host name etc. The JavaBean is serialized and written to a file. I want to be able to keep the data more private. Which is the best method to encrypt the data file without the user having to input a password each time the program starts up?




 
James Sabre
Ranch Hand
Posts: 781
Java Netbeans IDE Ubuntu
Isaac Hewitt wrote: Which is the best method to encrypt the data file without the user having to input a password each time the program starts up.


If you don't use some form of password protection for a key store and you don't use Password Based Encryption (PBE) then the encryption key has to be stored somewhere in your program or in a file on disk. If you store it in your code you might be able to obfuscate the key but you can't make it impossible to find after decompiling the application.
 
Lester Burnham
Rancher
Posts: 1337
+1 on what James said. Assuming you somehow address the password problem, have a look at javax.crypto.CipherOutputStream and javax.crypto.CipherInputStream, which solve the technical issue of encrypted I/O. A Cipher of "AES-128" should work fine.
 
Isaac Hewitt
Ranch Hand
Posts: 191
Netbeans IDE
If the key is in the program and I use Launch4j to turn the jar file into a Windows executable, I believe that should do the trick at keeping prying eyes at bay.
 
James Sabre
Ranch Hand
Posts: 781
Java Netbeans IDE Ubuntu
Isaac Hewitt wrote: I believe that should do the trick at keeping prying eyes at bay.


I believe that the moon is made of green cheese and hamburgers and Elvis lives there and bathes every day in the Sea of Tranquillity.
 
Isaac Hewitt
Ranch Hand
Posts: 191
Netbeans IDE
Thanks for your very insightful post Lester Burnham.
 
Pat Farrell
Rancher
Posts: 4678
Linux Mac OS X VI Editor
As @Lester said, AES-128 is a strong cipher and easy to use.

What is not easy to use is to protect the key used to encipher the data before you serialize it. This may be a serious challenge to your design. If you store the key as a string in the class/source, then someone can decompile the .class file and get the string constant. Once they get the constant key, they can trivially decipher the data from the disk.

Depending on your threat model, you may be tempted to encode the key with something, but that is always essentially SBO, security by obscurity. And again, a decompile will show exactly what you are doing, and be obvious to the attacker.
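
The following is an added example, not code from any poster in this thread. It combines the CipherOutputStream/CipherInputStream approach Lester mentions with the Password Based Encryption route James names, so no key constant sits in the class file for a decompiler to find. The class name `BeanVault`, the method names, the file layout, the iteration count and the choice of GCM mode for the 128-bit AES key are assumptions made for illustration.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.io.*;
import java.security.*;

public class BeanVault { // hypothetical class name
    static final int SALT_LEN = 16, IV_LEN = 12, TAG_BITS = 128, ITERATIONS = 210_000; // assumed parameters
    // PBE: derive a 128-bit AES key from the password, so no key is stored in the program.
    static SecretKey deriveKey(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 128);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        return new SecretKeySpec(raw, "AES");
    }
    // Assumed file layout: salt | IV | AES-GCM ciphertext of the serialized bean (tag included).
    static void save(Serializable bean, File file, char[] password) throws IOException, GeneralSecurityException {
        byte[] salt = new byte[SALT_LEN], iv = new byte[IV_LEN];
        SecureRandom rng = new SecureRandom();
        rng.nextBytes(salt);
        rng.nextBytes(iv); // fresh IV for every write; never reuse one with the same key
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, deriveKey(password, salt), new GCMParameterSpec(TAG_BITS, iv));
        try (OutputStream out = new FileOutputStream(file)) {
            out.write(salt);
            out.write(iv);
            try (ObjectOutputStream oos = new ObjectOutputStream(new CipherOutputStream(out, cipher))) {
                oos.writeObject(bean); // closing the stream finalizes the cipher and appends the tag
            }
        }
    }
    // A wrong password or a modified file fails the GCM tag check and surfaces as an IOException.
    static Object load(File file, char[] password) throws IOException, GeneralSecurityException, ClassNotFoundException {
        try (DataInputStream in = new DataInputStream(new FileInputStream(file))) {
            byte[] salt = new byte[SALT_LEN], iv = new byte[IV_LEN];
            in.readFully(salt);
            in.readFully(iv);
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.DECRYPT_MODE, deriveKey(password, salt), new GCMParameterSpec(TAG_BITS, iv));
            try (ObjectInputStream ois = new ObjectInputStream(new CipherInputStream(in, cipher))) {
                return ois.readObject();
            }
        }
    }

    public static void main(String[] args) throws Exception {
        File f = File.createTempFile("bean", ".enc");
        char[] pw = "constructed-passphrase".toCharArray(); // constructed sample input
        save(new java.util.ArrayList<String>(java.util.List.of("mail.example.org")), f, pw);
        System.out.println(load(f, pw));
    }
}
```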
 