Encrypting a serialized object

seema mani
Ranch Hand
Posts: 49
I have serialized a Vector object and stored it in a file. Now if the file is opened, the contents of the Vector are visible. Also anyone can deserialize the object. I want to encrypt the file so that the contents of the file are not visible and also the file cannot be deserialized by anyone but me. How do I achieve this without using the cryptography package, because my product is to work on JDK 1.2 without any additional packages?
Please advise.
Thank You
Seema
[ April 08, 2002: Message edited by: seema mani ]
Zakaria Haque
Ranch Hand
Posts: 60
To keep it simple, you can write a custom FilterInputStream and FilterOutputStream that use a simple, custom encoding.
Here is some untested code to show you the idea:
import java.io.*;

public class EncryptedOutputStream extends FilterOutputStream {
    private static final byte MASK = 0xF;
    public EncryptedOutputStream(OutputStream out) {
        super(out);
    }
    // FilterOutputStream.write(byte[], int, int) calls write(int) for every byte,
    // so overriding the single-byte write is enough on the output side.
    public void write(int data) throws IOException {
        out.write(data ^ MASK);
    }
}

public class EncryptedInputStream extends FilterInputStream {
    private static final byte MASK = 0xF;
    public EncryptedInputStream(InputStream in) {
        super(in);
    }
    public int read() throws IOException {
        int c = in.read();
        return c < 0 ? -1 : c ^ MASK; // leave end-of-stream (-1) untouched
    }
    // FilterInputStream.read(byte[], int, int) goes straight to the wrapped stream
    // (it does not call read()), so block reads must be unmasked here as well.
    public int read(byte[] b, int off, int len) throws IOException {
        int n = in.read(b, off, len);
        for (int i = 0; i < n; i++) b[off + i] ^= MASK;
        return n;
    }
}
You can simply chain these filter streams with your ObjectInputStream and ObjectOutputStream instances.
[ April 10, 2002: Message edited by: Zakaria Haque ]
Peter den Haan
author
Ranch Hand
Posts: 3252
Actually you can do this in a fairly secure way by using java.security.SecureRandom (which internally uses SHA1 to generate random numbers). This class is available from JDK 1.1 onwards.
It would work broadly as outlined by ZH above, with one change: instead of exclusive-or-ing with a fixed mask, you exclusive-or with random numbers generated by SecureRandom. If you make sure that the SecureRandom is seeded with exactly the same number prior to deserialization as was used for serialization, it will generate the same random numbers: the seed is your secret key.
This is strong cryptography and reasonably secure. Its main vulnerability, apart from the secret key of course, is a known-plaintext attack: if an attacker obtains both an encrypted serialized file and its unencrypted counterpart, he can construct a new, valid, serialized file with arbitrary contents. Keep in mind that part of the plaintext is always known because a serialized file has a fixed, well-known structure. Any knowledgeable attacker will for instance be able to change the serialized class' name even if he has access to nothing more than an encrypted file. You can prevent this by regularly re-seeding the random number generator with the decrypted contents (e.g. decrypt/encrypt 32 bytes, re-seed the SecureRandom with these 32 bytes of plaintext, crypt next 32 bytes,...).
Should you need top-flight security, then there is no way around a security add-on: either the Sun JCE, or a lightweight API from open source outfits like Cryptix or The Legion of the Bouncy Castle. Or a commercial product of course.
- Peter
[ April 10, 2002: Message edited by: Peter den Haan ]
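The following is an added example, not code posted by anyone in this thread: it combines the FilterInputStream/FilterOutputStream pattern from ZH's reply with the seeded-SecureRandom keystream and the "re-seed every 32 bytes with plaintext" step from Peter's reply, and wires the pair into ObjectOutputStream/ObjectInputStream for a Vector. The class and method names, the use of the "SHA1PRNG" provider name, and the constructed demo seed are assumptions of this example; it is written for a current JDK (generics, try-with-resources) rather than JDK 1.2.

```java
import java.io.*;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Vector;

// Added example, not code from the thread: keystream-XOR filter streams in the
// style of ZH's post, keyed by a SecureRandom seed and re-seeded with plaintext
// every 32 bytes as Peter describes. Class and method names are our own.
public class SeededXorStreams {

    /** Keystream shared by both directions: same seed, same re-seeding, same bytes. */
    static final class Keystream {
        private static final int RESEED_INTERVAL = 32;
        private final SecureRandom rng;
        private final byte[] pad = new byte[1];
        private final byte[] window = new byte[RESEED_INTERVAL];
        private int filled = 0;

        Keystream(byte[] secretSeed) throws NoSuchAlgorithmException {
            // SHA1PRNG reproduces the same sequence only when setSeed() runs before
            // any output is drawn; the platform default (e.g. NativePRNG) mixes in
            // OS entropy and would never give the reader the writer's stream.
            rng = SecureRandom.getInstance("SHA1PRNG");
            rng.setSeed(secretSeed);
        }

        /** XOR one byte with the next keystream byte; remember the plaintext for re-seeding. */
        int apply(int b, boolean encrypting) {
            rng.nextBytes(pad);
            int out = (b ^ pad[0]) & 0xFF;
            window[filled++] = (byte) (encrypting ? b : out);
            if (filled == RESEED_INTERVAL) {
                rng.setSeed(window); // fold the last 32 plaintext bytes into the PRNG state
                filled = 0;
            }
            return out;
        }
    }

    static final class XorOutputStream extends FilterOutputStream {
        private final Keystream ks;
        XorOutputStream(OutputStream out, byte[] seed) throws NoSuchAlgorithmException {
            super(out);
            ks = new Keystream(seed);
        }
        // FilterOutputStream.write(byte[], int, int) calls write(int) per byte, so this suffices.
        @Override public void write(int b) throws IOException {
            out.write(ks.apply(b & 0xFF, true));
        }
    }

    static final class XorInputStream extends FilterInputStream {
        private final Keystream ks;
        XorInputStream(InputStream in, byte[] seed) throws NoSuchAlgorithmException {
            super(in);
            ks = new Keystream(seed);
        }
        @Override public int read() throws IOException {
            int c = in.read();
            return c < 0 ? -1 : ks.apply(c, false); // keep -1 as end of stream
        }
        // FilterInputStream.read(byte[], int, int) bypasses read(), and ObjectInputStream
        // reads in blocks, so the block path must decrypt as well.
        @Override public int read(byte[] b, int off, int len) throws IOException {
            int n = in.read(b, off, len);
            for (int i = 0; i < n; i++) b[off + i] = (byte) ks.apply(b[off + i] & 0xFF, false);
            return n;
        }
    }

    static byte[] encrypt(Serializable obj, byte[] seed) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(new XorOutputStream(buf, seed))) {
            oos.writeObject(obj);
        }
        return buf.toByteArray();
    }

    static Object decrypt(byte[] blob, byte[] seed) throws Exception {
        try (ObjectInputStream ois = new ObjectInputStream(
                new XorInputStream(new ByteArrayInputStream(blob), seed))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] seed = "constructed demo secret; use random key bytes in practice".getBytes("UTF-8");
        Vector<String> v = new Vector<>();
        v.add("alpha"); v.add("beta");
        byte[] blob = encrypt(v, seed);
        System.out.println("round trip with the right seed: " + decrypt(blob, seed));
        try {
            decrypt(blob, "some other seed".getBytes("UTF-8"));
        } catch (StreamCorruptedException e) {
            // Serialization magic/version no longer match, so the reader refuses the file.
            System.out.println("wrong seed rejected: " + e.getMessage());
        }
    }
}
```

Two points worth checking when adapting this: the reader and writer must consume keystream bytes in exactly the same order (which is why both the single-byte and block read paths go through the same Keystream), and determinism depends on the PRNG algorithm, so pin "SHA1PRNG" rather than relying on `new SecureRandom()`. The scheme also carries no integrity check, so a modified file is not detected before deserialization; on any JDK from 1.4 onward, javax.crypto is part of the standard platform and an authenticated cipher there is the appropriate replacement.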