We are two IT students from swiss univeristy. We're working on a Semester-Project with the Topic: "Secured Application"
The goal is to collect information about encryption-technologies an then working out a concept to build a secure Application. At the end we have to present a Prototype witch implements the technology we have chosen to fit with the short development phase. And off course the best thing would be if we could do it with JAVA (our native language)
Because we can't have a look at all possible security aspects, like key-loggers (hw or sw) or crt-monitor scanners, witch makes one possible to see the secret information of our Program.
The main aspect is that we have to ensure that every relevant information on harddisk AND memory is stored in an encrypted form.
The Harddisk part: We haven't much information about this topic yet, but it should be quiet easy to realize. We generate a key from a User-Password and store the information encrypted with this key. The Password entered will off course be placed somewhere in the memory an that leads us to the real Problem (Memory Part)
Memory Part: The intention of our Project-Boss is to avoid that a trojan which dump local memory gets to any valuable information.
First, we searched for a solution witch encrypts the whole application, but this seemed impossible to us. (Or is there any possibility to encrypt the whole JVM? Or do that with C/C++ ??)
The other idea is to just encrypt the relevant variables, but this is also a very challenging problem. The issues we have to deal with:
- Information input from user is visible in the memory before it is encrypted or when it has to be displayed in an unencrypted form (ex. textfield) - The key itself has to be stored in the memory as well (we don't have any security-hw like smartcards), what makes it ridiculous anyway.
Because of this facts we don't think that Memory-encryption is actually possible. But another idea came into our minds. If we cant encrypt it, why not just store the information in a form that makes no sense to human/program. The idea is to store the secret information (int's, float's, String's) bitwise in special Hashtables. So that the single bits don't make sense to the one which reads it (because the bits are not in an order)) This idea (a friend called it "securing by obscuring") is rather odd, but it seams to us that it is a good way to hide the information from them who don't know how the algorithm works (hopefully erveryone). At least it dosen't make sense to someone who only has a memory dump. (and that is a criteria). What do you think about that? Any sugesstions for a better solution?
Still we've got the problem with entering and displaying of information. The information which is displayed by Textfields/Labels is not secure because they have to be stored in a unencrypted form. So why not replace them with pictures (generated or not, we don't know yet), but what about the user input??? This Problem would still exist!
Any ideas/hints/tricks are welcome! Please also post hyperlinks if you think they meight be useful.
Our post is serious and it is not our intention that you're going to search infos for us. I'd appreciate that the discussion is going on especially for the "Encrypted Memory"-Topic" Thanks anyway for reading our post
so long peter [ December 05, 2005: Message edited by: Peter Franz ]
I just found some infos about SecureString-Class in .NET 2.0 Framework which sounds great. Is there anything like that in Java. If we no longer get any infos, perhaps we have to do it with f... Microsoft