
security on PDA

 
Manas Ahlaad
Ranch Hand
Posts: 165
A Palm device (PDA) stores data in the record store as flat data. If I want to provide login, I should store data in the record store of the PDA, which is not secure.
How can I provide security on a PDA? Do I have to write an encryption algorithm? How?
TIA
 
Michael Yuan
author
Ranch Hand
Posts: 1427
Use the Bouncy Castle Cryptography lightweight security libraries. Many MIDP books on the market talk about how to use them.
http://www.bouncycastle.org/
 
Manas Ahlaad
Ranch Hand
Posts: 165
Hey Yuan,
thanks. I did not know you would answer this; I asked the same question as a reply to your posting.
I shall go through the site you gave.
Thanks,
manas
 
Mark Herschberg
Sheriff
Posts: 6037
Certicom also has J2ME solutions, although they are commercial, and not open source, like Bouncy Castle.
--Mark
 
Michael Yuan
author
Ranch Hand
Posts: 1427
Originally posted by Mark Herschberg:
Certicom also has J2ME solutions, although they are commercial, and not open source, like Bouncy Castle.
--Mark

Mark, I do not see their J2ME solution on their web page. All I could find is a standalone Palm OS application that encrypts everything on your Palm. Could you give us a link? Also, it would be great if they could offer a free evaluation download so that we could compare their performance with Bouncy Castle. Encryption is very computationally intensive on Palm devices ...
manas, you are welcome. I enjoyed this forum very much. But I do not always have time to go through old posts (they really need Java-based forum software that would allow people to track old posts and alert on changes in an easy way ...). So, post a new thread to attract attention when you need to!
 
Manas Ahlaad
Ranch Hand
Posts: 165
Sure, Yuan dear!
 
Mark Herschberg
Sheriff
Posts: 6037
Mike, I don't have a specific link. We used their product at my last company. They did some custom work to port one of their products (I forget which one, this was 12-15 months ago) to J2ME. It wasn't too hard for them to do. They were then going to put out a more commercial version. I don't know where it stood. Interested parties should be able to contact them and get more info.
We were also looking into some RSA products for J2ME around the time I left.
Baltimore also had a Palm solution they demoed at JavaOne 2 years ago (3 conferences ago).
--Mark
 
Manas Ahlaad
Ranch Hand
Posts: 165
Mark,
Certicom talks about providing security while accessing a corporate intranet.
My problem is not that complex. I just need the local login to be secured. (For instance, my application on the PDA has a login page whose login information is stored in the PDA's record store. Suppose somebody stole my PDA; then he has access to the login details from the record store, since it's flat, non-secure and transparent, so that anyone can access it.) My problem is what to do to provide security for the login data so that no one can access it.
Hope I put it clearly.
 
Michael Yuan
author
Ranch Hand
Posts: 1427
Originally posted by manas ahlaad:

My problem is not that complex. I just need the local login to be secured. (For instance, my application on the PDA has a login page whose login information is stored in the PDA's record store. Suppose somebody stole my PDA; then he has access to the login details from the record store, since it's flat, non-secure and transparent, so that anyone can access it.) My problem is what to do to provide security for the login data so that no one can access it.

What you really need is a Unix-like passwd scheme: you can use a one-way encryption algorithm to encrypt your passwd and store the encrypted passwd on your device. Every time you need to sign in, you provide the clear text passwd and the PDA encrypts it and compares the result with the one stored on the device.
Since the encryption is one-way, it is very hard to get your original passwd by just knowing the encrypted one on your device. So, even if your device is lost, if the cracker does not have the original passwd, he still cannot break in. One such algorithm is DES and Bouncy Castle has an implementation for it.
However, without a complete solution that secures everything on the device, the approach discussed above cannot be very secure: the cracker can always download your Java application, bypass the passwd verification part and upload it again and read your data ...
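
The store-and-compare scheme described in the post above, as an added example that is not part of the original thread or any poster's code. It substitutes a salted PBKDF2-HMAC-SHA256 derivation for the DES the post mentions and is written against Java SE's `javax.crypto` rather than MIDP; the class name, the flat `salt || verifier` record layout and the iteration count are assumptions.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added illustration: class name, record layout and parameters are assumptions.
public class LoginRecord {
    static final int SALT_LEN = 16;        // bytes of random salt per record
    static final int HASH_BITS = 256;      // length of the stored verifier
    static final int ITERATIONS = 100000;  // assumed work factor; tune to the device

    // One-way derivation: the password cannot be read back from the output.
    static byte[] derive(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, HASH_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                                   .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();          // wipe the spec's copy of the password
        }
    }

    // Enrollment: build the flat record (salt || verifier) that goes in the store.
    static byte[] enroll(char[] password) throws Exception {
        byte[] salt = new byte[SALT_LEN];
        new SecureRandom().nextBytes(salt);
        byte[] hash = derive(password, salt);
        byte[] record = Arrays.copyOf(salt, SALT_LEN + hash.length);
        System.arraycopy(hash, 0, record, SALT_LEN, hash.length);
        return record;
    }

    // Login: re-derive from the typed password and compare in constant time.
    static boolean verify(char[] typed, byte[] record) throws Exception {
        if (record == null || record.length != SALT_LEN + HASH_BITS / 8) return false;
        byte[] salt = Arrays.copyOfRange(record, 0, SALT_LEN);
        byte[] stored = Arrays.copyOfRange(record, SALT_LEN, record.length);
        return MessageDigest.isEqual(stored, derive(typed, salt));
    }

    public static void main(String[] args) throws Exception {
        byte[] record = enroll("correct horse".toCharArray());   // constructed sample
        System.out.println("record bytes: " + record.length);
        System.out.println("right password: " + verify("correct horse".toCharArray(), record));
        System.out.println("wrong password: " + verify("guess".toCharArray(), record));
        byte[] truncated = Arrays.copyOf(record, 20);            // corrupted record
        System.out.println("truncated record: " + verify("correct horse".toCharArray(), truncated));
    }
}
```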
 
Manas Ahlaad
Ranch Hand
Posts: 165
Yuan,
you might have worked on applications with PDA.
How did you achieve security of data? In this way, or did you adopt any database for it?
Anyway, thanks for your valuable replies which made this site look live.
manas
 
Mark Herschberg
Sheriff
Posts: 6037
Certicom provides a number of things, including primitives which can be applied to your issue.
Of course, Michael pointed out the fundamental limitations of any solution you can implement.
--Mark
 
Michael Yuan
author
Ranch Hand
Posts: 1427
Originally posted by manas ahlaad:
Yuan,
you might have worked on applications with PDA.
How did you achieve security of data? In this way, or did you adopt any database for it?

Sorry, I do not have the experience you are looking for. But I agree with Mark -- the total solution products offered by Certicom are the kind of thing you need. I hope that is an open-source implementation.
Anyway, good luck.
 