Originally posted by scott irwin:
What I need is a trusted computing platform for java.
Originally posted by scott irwin:
Obfuscating the code to hide a symmetric key or keystore password will slow down the determined attacker. It's still too easy to find the code working with the java security packages as those names remain unchanged. Then watch the byte[] or Strings in those classes.
Originally posted by scott irwin:
I guess my root question is: How do you secure encryption keys for the security of the application itself? Given today's environment, the only way I can see is to use JavaCard technology and let it perform all of the encryption/decryption/signing functions.
Originally posted by scott irwin:
Let's say I'm Visa (and I'm not) and I want to maintain a balance on a consumer's device. The code that manipulates the balance must be secure as well as the balance file. The application I (or Visa) distributes needs to send/receive encrypted/signed messages to it's back-end system.
Originally posted by scott irwin:
Like I said, I'm not Visa and my project is not a credit/debit card, but I work in a group that's looking out > 18 months. I'm interested in leveraging the computing power in everybody's hand vs. routing information back to huge systems (edge computing.)
This led me to the whole trusted computing platform work that is being worked on by various companies and organizations. In taking my prototype to the next level, I needed to address security. I wanted to continue using Java but realized that the Java security model is there solely to protect the consumer from bad code and not bad consumers from my code.
Don't get me started about those stupid light bulbs. |