
SSL of J2ME on Palm under KVM

 
Chan py
Greenhorn
Posts: 10
I want to get a wireless communication of Palm with a server, but I want to get this data transmission through a secure way. I know I can use SSL in the J2SD, but have no idea on J2ME.
Can anyone teach me where I can find some free software with which I can reach the aim? Besides, I know BouncyCastle does provide one for J2ME, where can I find the source code of it?
And are there any other means that have a better performance?
Thanks a lot!!
 
Mark Herschberg
Sheriff
Posts: 6037
As I've posted before, SSL support will likely be included in MIDP:NG
Bouncy Castle is open source. Look on their website.

--Mark
 
Chan py
Greenhorn
Posts: 10
Mark,
I have visited BouncyCastle's site and downloaded the package, but I can't find any information that teaches how to use the package on the Palm. Are there any web sites that can help?
thx !
 
Mark Herschberg
Sheriff
Posts: 6037
Any documentation would likely be at BouncyCastle's website. Did you check their site for documentation to download? Keep in mind it is an open source project, so support will be minimal. You could also try their email lists.
--Mark
 
Chan py
Greenhorn
Posts: 10
Just want to ask one more thing: do the encryption and decryption methods in BouncyCastle reach the standard of RSA?
How high a security level does it reach? If it is not so high, then is it possible to modify the source code, so that I can reach a higher security level, like the SSL in the web browser?

really sorry for giving out so many silly questions.
 
Thomas Paul
mister krabs
Ranch Hand
Posts: 13974
Bouncy Castle's security is very good. I would suggest picking up Jonathan Knudsen's Wireless Java. He has a chapter on using Bouncy Castle.
 
Chan py
Greenhorn
Posts: 10
Thanks Paul
I have read the chapter of the book talking about BouncyCastle; it mentions the "Message Digest" and "RC4 encryption algorithm" only. I saw that there are many other algorithms in the package downloaded from the BouncyCastle site.
I am trying to get a secure transaction for stock trading on Palm. Which algorithm works better for this aim?
Thanks for any opinion.
 
Thomas Paul
mister krabs
Ranch Hand
Posts: 13974
Personally I would not run MIDlets requiring that kind of level of security until secure networks become available.
 
Chan py
Greenhorn
Posts: 10
Paul,
Why do you not recommend using MIDlets? Is it not so secure? Or is it not stable?
 
Chan py
Greenhorn
Posts: 10
Except MIDlets, what other interfaces are better to be used ?
 
Thomas Paul
mister krabs
Ranch Hand
Posts: 13974
The next generation of MIDlets will have HTTPS support.
 
Mark Herschberg
Sheriff
Posts: 6037
Originally posted by Chan py:
Just want to ask one more thing: do the encryption and decryption methods in BouncyCastle reach the standard of RSA?
How high a security level does it reach? If it is not so high, then is it possible to modify the source code, so that I can reach a higher security level, like the SSL in the web browser?

Yes, I know most versions contain RSA. I don't know about the J2ME version, but I'm sure they have RSA, or equivalent protocols. Because it is open source, you can modify the source code.
Warning: trying to do your own crypto code without proper training is dangerous. You may not have covered all security holes.
If this is just a toy application, it's fine, but I wouldn't trust my credit card over an SSL connection I wrote up myself, unless I had significant peer review (and I have a master's degree in cryptography).

--Mark
 
Balaji Loganathan
author and deputy
Bartender
Posts: 3150
Hi guys...
I'm sure the latest version of J2ME wireless toolkits support https....why don't we choose that for any sort of secure communications....
Rgds
Balaji
 
Mark Herschberg
Sheriff
Posts: 6037
Originally posted by Balaji Loganathan:
Hi guys...
I'm sure the latest version of J2ME wireless toolkits support https....why don't we choose that for any sort of secure communications....
Rgds
Balaji

I've heard the MIDP 1.0.2 Early Access release has the kSSL classes. However, they are only in the source code, you'll need to compile the classes yourself.
--Mark
 
Chan py
Greenhorn
Posts: 10
What is the HTTPS support? How can it improve the security level of SSL? How can I use this channel to achieve the aim of a secure trading transaction?
 
Balaji Loganathan
author and deputy
Bartender
Posts: 3150
Originally posted by Chan py:
What is the HTTPS support? How can it improve the security level of SSL? How can I use this channel to achieve the aim of a secure trading transaction?

Hi,
Answers
1. Basically https will provide a secured communication/transaction between your computer or hand held device and the concerned server. It uses one of the standard and very hard to break algorithms like RSA data encryption etc. with 1028 bits. Also it provides Server/Client Authentication and Authorisation.
2. How to improve? It depends upon the service provider you mean to use, like www.verisign.com, www.thawte.com. Visit that site and you will know what sort of security they are providing.
3. When it comes to the latest J2ME toolkit and JDK 1.4, you can implement/use the above said features easily to achieve secure transactions.
Regards
Balaji

 
Chan py
Greenhorn
Posts: 10
Thanks all.
I have tried to implement the RSA algorithm on a palm recently, but I found that it cost too much time for generate the key, (almost loop infinity). Is it the real case? Or I use a wrong method to implement?
I implemented the RSA engine on the Palm and found that it spends most of the time on the key generation. Can I make such a step be done on the server rather than the Palm? If so, then in what way can I do it? (I just know that I can use object serialization for Java, but it seems not to be supported by J2ME.)
thx !
 
chanoch wiggers
Author
Ranch Hand
Posts: 245
You are right, J2ME devices don't have all the time in the world, and that is how long it takes to generate a key in such a device. If it is true that MIDP NG has SSL, it won't be much use to us since it won't be out for another 18 months or so anyway. Usually small devices require a second chip that does key generation, made especially for this task, since normal MIDP-running chips are vastly underpowered for the task.
 
Mark Herschberg
Sheriff
Posts: 6037
Originally posted by Chan py:
I have tried to implement the RSA algorithm on a palm recently, but I found that it cost too much time for generate the key, (almost loop infinity). Is it the real case? Or I use a wrong method to implement?

You used the wrong method. Key generation is expensive. Key operations are generally expensive, too; although often public key operations, like checking signatures, are cheaper than private key operations, like signing something, because the public key tends to be the smaller number.
I know of 3 SSL implementations. None of them do key generation in Java. They do key generation, and many key operations, in either C or assembly. At JavaOne a group reported public key ops of around 5 seconds. I know of implementations faster than that, but I think that information might be covered by one of my NDAs (I'll check on it and report more if I am able to). In short, even 20 MHz Palm devices can do public key ops in a reasonable amount of time, as long as it's not in Java. Take a look at the kSSL source code in the MIDP 1.0.2 early access release.

--Mark

 
chanoch wiggers
Author
Ranch Hand
Posts: 245
how do you do JNI in MIDP?
 
Mark Herschberg
Sheriff
Posts: 6037
Originally posted by chanoch wiggers:
how do you do JNI in MIDP?

MIDP doesn't support JNI (nor does CLDC). However, the kVM itself does (at least can) support it. Besides, if you modify the kVM source code, you can do a lot of things. I do know of commercial applications which have done this.
What this means is that Joe Developer won't be able to make JNI calls. But if you have an app which pretty much absolutely needs it, there are ways; it just requires jumping through a few hoops, technical as well as legal.
I would recommend not trying to do it yourself, but simply using what's in MIDP 1.0.2 and future releases. It'll probably have what you need (and why). And if it doesn't, let me know, and I'll see if we can include it.

--Mark
 
Chan py
Greenhorn
Posts: 10
Sorry for asking a silly question:
If I want to use DES for data encryption, and the data to encrypt has a length of 80 characters, how long a key do I need to use? And can I define my own key in any way, or do I need to follow some restriction in order to define the key?
If I use triple DES, I know it will use 3 keys in succession. Can I define all the 3 keys, or do I need to leave that for the engine to do?
 
Mark Herschberg
Sheriff
Posts: 6037
Originally posted by Chan py:
Sorry for asking a silly question:
If I want to use DES for data encryption, and the data to encrypt has a length of 80 characters, how long a key do I need to use? And can I define my own key in any way, or do I need to follow some restriction in order to define the key?
If I use triple DES, I know it will use 3 keys in succession. Can I define all the 3 keys, or do I need to leave that for the engine to do?

Silly questions are always welcome. :-)
DES uses a 56-bit key. End of story. It's not a variable key length cipher. The key itself is used to set the state of the cipher.
You can define your own key, although there are some known weak keys, which you should avoid.
For 3DES you define all keys. (I don't know if the weak key values apply here, or if there are known specific 3DES weak keys.)
--Mark
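
Added example, not part of the original posts: a Java sketch of the key checks discussed in the reply above, using the standard JDK class `javax.crypto.spec.DESKeySpec` (so it assumes a desktop JDK rather than MIDP; the class and helper names are made up for illustration). It normalises parity, rejects the known weak and semi-weak DES keys, and rejects 3DES keys with K1 = K2 or K2 = K3, which reduce encrypt-decrypt-encrypt to single DES.

```java
import java.security.InvalidKeyException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.spec.DESKeySpec;

public class DesKeyCheck {
    // Set the low bit of every byte so the byte has odd parity (DES key convention).
    static byte[] withOddParity(byte[] key) {
        byte[] out = key.clone();
        for (int i = 0; i < out.length; i++) {
            int high7 = out[i] & 0xFE;
            out[i] = (byte) (high7 | (~Integer.bitCount(high7) & 1));
        }
        return out;
    }

    // One DES key is 8 bytes: 56 key bits plus 8 parity bits, whatever the message length.
    // isWeak() compares against parity-adjusted constants, so normalise parity first.
    static boolean desKeyOk(byte[] key, int offset) throws InvalidKeyException {
        byte[] k = withOddParity(Arrays.copyOfRange(key, offset, offset + 8));
        return !DESKeySpec.isWeak(k, 0);
    }

    // 24-byte 3DES key K1|K2|K3, applied as E(K3, D(K2, E(K1, x))).
    static boolean tripleDesKeyOk(byte[] key) throws InvalidKeyException {
        if (key.length != 24) return false;
        byte[] k1 = withOddParity(Arrays.copyOfRange(key, 0, 8));
        byte[] k2 = withOddParity(Arrays.copyOfRange(key, 8, 16));
        byte[] k3 = withOddParity(Arrays.copyOfRange(key, 16, 24));
        // K1 == K2 or K2 == K3 cancels two stages and leaves single DES.
        if (Arrays.equals(k1, k2) || Arrays.equals(k2, k3)) return false;
        return desKeyOk(k1, 0) && desKeyOk(k2, 0) && desKeyOk(k3, 0);
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rng = new SecureRandom();
        byte[] allZero = new byte[8];                       // constructed weak key
        System.out.println("all-zero DES key ok?   " + desKeyOk(allZero, 0));

        byte[] degenerate = new byte[24];                   // constructed: K2 forced equal to K1
        rng.nextBytes(degenerate);
        System.arraycopy(degenerate, 0, degenerate, 8, 8);
        System.out.println("3DES with K1 == K2 ok? " + tripleDesKeyOk(degenerate));

        byte[] fresh = new byte[24];                        // regenerate until the checks pass
        do { rng.nextBytes(fresh); } while (!tripleDesKeyOk(fresh));
        System.out.println("random 3DES key ok?    " + tripleDesKeyOk(fresh));
    }
}
```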
 
David Weitzman
Ranch Hand
Posts: 1365
Originally posted by Chan py:
Sorry for asking a silly question:
If I want to use DES for data encryption, and the data to encrypt has a length of 80 characters, how long a key do I need to use? And can I define my own key in any way, or do I need to follow some restriction in order to define the key?
If I use triple DES, I know it will use 3 keys in succession. Can I define all the 3 keys, or do I need to leave that for the engine to do?

If you're encrypting sensitive information, be kind to your users and use a 128 bit key. Some algorithms you might consider: Blowfish (variable length key), Cast-128 (cast but with a 128-bit key), Triple-DES (hey, it does the job). You could use a stream cipher, which might be quicker (although there could be some preprocessing on a per-key basis), but be sure you never encrypt two different messages after re-keying with the same value.
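
Added example, not part of the original post: a Java sketch of why a stream cipher must never encrypt two messages under the same key, and one way to avoid it. RC4 (JCE name `ARCFOUR`) is used because it is the stream cipher mentioned earlier in the thread; the messages, master key, class name and the HMAC-based per-message key derivation are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class KeystreamReuse {
    static byte[] rc4(byte[] key, byte[] data) throws Exception {
        Cipher c = Cipher.getInstance("ARCFOUR");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "ARCFOUR"));
        return c.doFinal(data);
    }

    static byte[] xor(byte[] a, byte[] b) {
        byte[] out = new byte[Math.min(a.length, b.length)];
        for (int i = 0; i < out.length; i++) out[i] = (byte) (a[i] ^ b[i]);
        return out;
    }

    // Assumed mitigation: per-message key = HMAC-SHA256(master, nonce),
    // where the nonce is a counter that is sent with the message and never repeats.
    static byte[] messageKey(byte[] master, long nonce) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(master, "HmacSHA256"));
        return mac.doFinal(Long.toString(nonce).getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data, not taken from the thread.
        byte[] master = "constructed-demo-key".getBytes(StandardCharsets.US_ASCII);
        byte[] m1 = "BUY  0100 ACME".getBytes(StandardCharsets.US_ASCII);
        byte[] m2 = "SELL 0250 ACME".getBytes(StandardCharsets.US_ASCII);

        // Same key twice: the keystream cancels, so c1 XOR c2 equals m1 XOR m2.
        byte[] leak = xor(rc4(master, m1), rc4(master, m2));
        System.out.println("reused key: c1^c2 == m1^m2 ? "
                + Arrays.equals(leak, xor(m1, m2)));

        // Distinct key per message: the ciphertexts no longer share a keystream.
        byte[] c1 = rc4(messageKey(master, 1), m1);
        byte[] c2 = rc4(messageKey(master, 2), m2);
        System.out.println("fresh keys: c1^c2 == m1^m2 ? "
                + Arrays.equals(xor(c1, c2), xor(m1, m2)));
    }
}
```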
 