java is supposed to be secure?

paradox814 (#1, Jun 13th, 2005)
I hear that Java is supposed to be very secure and it has all these security features, yadda yadda yadda, but my question is: if you can decompile the program, modify its content and recompile it, then how can Java be secure?!?

I am asking this because I need to write a program and have a password saved (updated via an automatic web-update every week or so), but is there any way I can make sure that this password is safe? (I am going to ignore all types of password crackers.) I just want to focus on Java here.

paradox814 (#2, Jun 13th, 2005)
Oh yeah, and I know about obfuscators, but that does almost nothing to protect your code, just makes it really decently hard to copy.

server_crash (#3, Jun 13th, 2005)
Wouldn't you encrypt the password? How exactly does this program run? Is it an applet or a JFrame that the user has?

For the update you could have a servlet that reads the password from the XML DD. I think it's the servlet context you would have to set on that though.

jwenting (#4, Jun 13th, 2005)
What are you trying to achieve?
Is the password entered by the users and the program checks it (with the users getting a new password mailed every week)?
If so the solution is simple: save the password in the form of an MD5 hash and compare the MD5 hash of the password the user enters with the hashed password you stored.
That way the application never knows the password at all (as it will get the hash from the generator, also removing the risk of a man in the middle attack fetching the unencrypted password during transmission).

No language is completely safe from decompilation, and network attacks can catch your passwords being transmitted also independently from the language used.

You can add further safeguards in your Java environment like custom classloaders that use an encrypted table of hash codes (or more likely serial version IDs) of your classes and compare those with the ones calculated from the actual classfiles to check whether there has been tampering, classfile encryption, etc. etc. but of course nothing is ever completely safe from the dedicated cracker.

What you always (in any environment) need to ask yourself is how much effort/money is the worth of your data security and how to best spend it.
Often the conclusion will be that there's no real need to go further than a stern license and removing debugging information from the compiled code.
In a high security environment you'll often find that the best way to work is to not have the end user have access to your software (or at least the secure bits) at all.
You'll be acting like an application service provider, with your customer through some interface contacting the software which is running on your own machines at a secure location you control and getting back only the results.
That way the application (and your firewalls) can prevent anyone from calling the application who is not at a known customer site. Add password security and only people at that site with the required credentials can call the application.
And only people at your site have access to the compiled binaries, so no one can decompile anything who you don't have explicit knowledge of.
As people are clearly allowed to attack me but I'm not allowed to defend myself, I no longer post to this site.

paradox814 (#5, Jun 13th, 2005)
Yes, I would encrypt the password, but if you can view my source code, then you can view how it was encrypted, and thus decrypt it. I thought about having 2 passwords: one is the software's, to make sure it has been updated, the other is the user's, but if a program can be decompiled and recompiled, then how would I stop some malicious user from creating some methods to save the user passwords before they are sent to the server?

jwenting (#6, Jun 13th, 2005)
If you use a one-way encryption algorithm like MD5 there's precious little chance of it being decrypted (as the algorithm doesn't support it).

I know someone in China is doing work towards decrypting MD5 but it's so far not a threat (at most their method will give you an idea where to look for the password, some hints towards its composition).

happyshub (#7, Jun 23rd, 2005)
Originally posted by paradox814:
"Yes, I would encrypt the password, but if you can view my source code, then you can view how it was encrypted, and thus decrypt it. I thought about having 2 passwords: one is the software's, to make sure it has been updated, the other is the user's, but if a program can be decompiled and recompiled, then how would I stop some malicious user from creating some methods to save the user passwords before they are sent to the server?"

As far as encryption is considered, it is the only solution, and as said, MD5 is a one-way encryption algorithm, and even if someone decompiles it, it cannot decrypt it!!

And if you are so concerned about security over the network, there is a combination of public/private key encryption used over networks, and software cannot be more secure than that. Even a dedicated cracker will be able to crack Windows security, which has both software and hardware support; you just have software security though :p

©2003 - 2009 DaniWeb® LLC