Whats the best way to secure data passed between classes.
I have a JAR that passes data in between classes. The problem I was thinking of is this data is suppose to be secure and if someone where to take apart the jar and add there own extension into the program, would be able to access the data. Is there anyway of preventing this?
> > Not you again. Hopefully you can listen to other
> > people this time instead of continuing to insist
> you
> > are right.
>
> Oh lay off him! At least he wasn't actually rude
fair enough, but after not being able to keep up with a single thread I got an ill taste in my mouth. As far as your current question have you though about simply encrypting it in one class transmitting it and then decrypting it on the other end ? I guess it depends on what sort of access a person has - do they have access to the jar as well as the class files ?If you can give a sample scenario (Please use Alice and Bob ;-P )
> > > Not you again. Hopefully you can listen to
> other
> > > people this time instead of continuing to insist
> > you
> > > are right.
> >
> > Oh lay off him! At least he wasn't actually rude
>
> fair enough, but after not being able to keep up with
> a single thread I got an ill taste in my mouth. As
> far as your current question have you though about
> simply encrypting it in one class transmitting it and
> then decrypting it on the other end ? I guess it
> depends on what sort of access a person has - do they
> have access to the jar as well as the class files ?
> If you can give a sample scenario (Please use Alice
> and Bob ;-P )
Hey, but I came back the evidence of other people who did support some of my reasons.
An example....Well there is a class called Encoder which encodes and decodes personal information in a text file, and the Encoder class is inside a jar. Now for the encoder to work, the class that is retreiving or sending the information to the Encoder has a string it, and that string is passed to the to encoder class and compared to another string. If the string passed doesn't equal the string inside the Encoder class, nothing happens, and if does equal, it starts coding, so the string is like a password.
So really I don't want this string to be read because I don't want users breaking to be able to use the Encoder class.
> > > > What nature of data are we talking about here,
> > > > anyway? Why the concern about security?
> > >
> > > Passwords and personal information.
> >
> > Encrypt it and sign the jars
>
> Sign the jars?
http://java.sun.com/docs/books/tutorial/deployment/jar/
> > What nature of data are we talking about here,
> > anyway? Why the concern about security?
>
> Passwords and personal information.
If you don't want the end user to see something, don't deliver it to his computer.
Why would you be storing passwords and "personal information" in a jar file to be distributed anyway?
> > > What nature of data are we talking about here,
> > > anyway? Why the concern about security?
> >
> > Passwords and personal information.
>
> If you don't want the end user to see something,
> don't deliver it to his computer.
>
> Why would you be storing passwords and "personal
> information" in a jar file to be distributed anyway?
Its not MY information. Its the user's information that they enter onto the Jar File on their computer, and I don't want the information getting hacked or someone taking the jar apart and easily extracting the information.
I think the point was you are collecting the information so why aren't you storing on your server or database somewhere behind a password that the user has to enter to get in. At that point if they decide to leave their password on the computer in a text file you have done your due diligance (sp).
> > Why would you be storing passwords and "personal
> > information" in a jar file to be distributed
> anyway?
>
> Its not MY information. Its the user's information
> that they enter onto the Jar File on their computer,
What do you mean "enter onto the jar file"?
I think you're very confused.
What you first said made it sound like you don't want the end-user to be able to read what's in the jar file that you deliver.
Now it sounds like you're saying you want to prevent others from reading information that the user enters and that you save. This is a very different situation, and is not hard to do.
Just encrypt the information before saving it to a file. The user then has to provide the proper password to decrypt it.
> I think the point was you are collecting the
> information so why aren't you storing on your server
> or database somewhere behind a password that the user
> has to enter to get in. At that point if they decide
> to leave their password on the computer in a text
> file you have done your due diligance (sp).
Thats what I am doing. There data MUST be stored in a database on a server. But at the same time, they have the option of storing it on the computer so when they don't have access to the database on a server, they can still get to the files on their computer.
> What do you mean "enter onto the jar file"?
>
> I think you're very confused.
>
> What you first said made it sound like you don't want
> the end-user to be able to read what's in the jar
> file that you deliver.
>
> Now it sounds like you're saying you want to prevent
> others from reading information that the user enters
> and that you save. This is a very different
> situation, and is not hard to do.
>
> Just encrypt the information before saving it to a
> file. The user then has to provide the proper
> password to decrypt it.
Ok, the jar file is a program in which the user enters all there data. Now in the jar file, there is a Encoder class and a few other classes that only I(meaning the program) want to be able to access and use. Otherwise the user information code be decoded and some of the programs functions I don't want used could be used. Right now I have the code set up like this
private void writeToFile(String code, String profile) {
if(code).equals(passCode)){
try {
BufferedWriter out = new BufferedWriter(new FileWriter(string));
out.write(encode.encode(profile));
out.close();
} catch (IOException e) {
}
}//end if
}//end writeToFile
This right now prevents any outside user or program from accessing the methods of my program because unless the code passed through equals the data member passCode, nothing is executed. I then realized that someone could easily get the passCode that is passed through by making their own class witht he same name and a method with the same name, have the program do its work and pass through the code and they got. So thats why I was wondering how to secure strings being passed from class to clase.
Message was edited by:
blackmage
> k, the jar file is a program in which the user enters
> all there data. Now in the jar file, there is a
> Encoder class and a few other classes that only
> I(meaning the program) want to be able to access and
> use.
Not possible.
Whatever means the program uses to decode it, somebody else can use. You have to have encrypt the data with a user-supplied key so that only that user can decrypt it.
> Otherwise the user information code be decoded
> and some of the programs functions I don't want used
> could be used. Right now I have the code set up like
> this
Okay, now it sounds again like you're trying to protect the code that you deliver, rather than the data the user supplies.
I can see this thread is going to go down the same rabbit hole to hell as the iPhone thread.
