How To Encrypt JavaBean

Isaac Hewitt
Ranch Hand

Joined: Jul 24, 2006
Posts: 191

My mail program stores data in a JavaBean which includes email contacts, host name, etc. The JavaBean is serialized and written to a file. I want to be able to keep the data more private. Which is the best method to encrypt the data file without the user having to input a password each time the program starts up?




James Sabre
Ranch Hand

Joined: Sep 07, 2004
Posts: 781

Isaac Hewitt wrote: Which is the best method to encrypt the data file without the user having to input a password each time the program starts up?


If you don't use some form of password protection for a key store and you don't use Password Based Encryption (PBE) then the encryption key has to be stored somewhere in your program or in a file on disk. If you store it in your code you might be able to obfuscate the key but you can't make it impossible to find after decompiling the application.


Retired horse trader.
 Note: double-underline links may be advertisements automatically added by this site and are probably not endorsed by me.
Lester Burnham
Rancher

Joined: Oct 14, 2008
Posts: 1337
+1 on what James said. Assuming you somehow address the password problem, have a look at javax.crypto.CipherOutputStream and javax.crypto.CipherInputStream, which solve the technical issue of encrypted I/O. A Cipher of "AES-128" should work fine.
Isaac Hewitt
Ranch Hand

Joined: Jul 24, 2006
Posts: 191

If the key is in the program and I use Launch4j to turn the jar file into a Windows executable, I believe that should do the trick at keeping prying eyes at bay.
James Sabre
Ranch Hand

Joined: Sep 07, 2004
Posts: 781

Isaac Hewitt wrote: I believe that should do the trick at keeping prying eyes at bay.


I believe that the moon is made of green cheese and hamburgers and Elvis lives there and bathes every day in the Sea of Tranquillity.
Isaac Hewitt
Ranch Hand

Joined: Jul 24, 2006
Posts: 191

Thanks for your very insightful post Lester Burnham.
Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4659
    

As @Lester said, AES-128 is a strong cipher and easy to use.

What is not easy to use is to protect the key used to encipher the data before you serialize it. This may be a serious challenge to your design. If you store the key as a string in the class/source, then someone can decompile the .class file and get the string constant. Once they get the constant key, they can trivially decipher the data from the disk.

Depending on your threat model, you may be tempted to encode the key with something, but that is always essentially SBO, security by obscurity. And again, a decompile will show exactly what you are doing, and be obvious to the attacker.
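
Added example, not part of any poster's message: a sketch of the password-based route James mentions combined with the CipherOutputStream/CipherInputStream classes Lester names, so that no key is stored in the program. The class name BeanVault, the AES/GCM/NoPadding transformation, the PBKDF2 parameters and the salt|iv|ciphertext layout are assumptions made for this illustration.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.io.*;
import java.security.SecureRandom;
import java.util.*;
public class BeanVault { // hypothetical class name
    static final int SALT = 16, IV = 12, ITER = 600_000; // assumed sizes and work factor
    // PBE: derive a 128-bit AES key from the password instead of embedding a key
    static SecretKey deriveKey(char[] pw, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(pw, salt, ITER, 128);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new SecretKeySpec(raw, "AES");
    }

    // Layout: salt | iv | AES-GCM(serialized bean) with the 16-byte tag appended
    static byte[] seal(Serializable bean, char[] pw) throws Exception {
        byte[] salt = new byte[SALT], iv = new byte[IV];
        SecureRandom rng = new SecureRandom();
        rng.nextBytes(salt); rng.nextBytes(iv);   // fresh salt and IV on every save
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(pw, salt), new GCMParameterSpec(128, iv));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(salt); out.write(iv);
        try (ObjectOutputStream oos = new ObjectOutputStream(new CipherOutputStream(out, c))) {
            oos.writeObject(bean);                // close() finalises the cipher and writes the tag
        }
        return out.toByteArray();                 // write these bytes to the data file
    }

    // Wrong password or a modified file surfaces as an IOException before any object is read
    static Object open(byte[] blob, char[] pw) throws Exception {
        byte[] salt = Arrays.copyOfRange(blob, 0, SALT);
        byte[] iv = Arrays.copyOfRange(blob, SALT, SALT + IV);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(pw, salt), new GCMParameterSpec(128, iv));
        InputStream in = new ByteArrayInputStream(blob, SALT + IV, blob.length - SALT - IV);
        try (ObjectInputStream ois = new ObjectInputStream(new CipherInputStream(in, c))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        HashMap<String, String> bean = new HashMap<>(); // constructed stand-in for the mail bean
        bean.put("host", "mail.example.org");           // constructed sample value
        byte[] blob = seal(bean, "demo-password".toCharArray());
        System.out.println(open(blob, "demo-password".toCharArray()));
        try { open(blob, "wrong".toCharArray()); }
        catch (IOException e) { System.out.println("rejected: " + e); }
    }
}
```

The salt and IV are stored in the clear by design; the password is the only secret, and it has to be supplied at startup rather than read from the code or from a file next to the data.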
 