Travis Thomas

+ Follow
since Mar 31, 2011
Merit badge: grant badges
For More
Cows and Likes
Total received
In last 30 days
Total given
Total received
Received in last 30 days
Total given
Given in last 30 days
Forums and Threads
Scavenger Hunt
expand Ranch Hand Scavenger Hunt
expand Greenhorn Scavenger Hunt

Recent posts by Travis Thomas

Peter Johnson wrote:Did you include the MySQL JDBC driver as one of the JAR files in your Build Path?

This was the error. It would launch from Eclipse fine, but not externally or from the jar. Once I added the MySQL JDBC JAR to to Eclipse build path, it included it in the JAR. Thanks.
I am having trouble getting Eclipse to generate an executable jar that actually works. Here is the error I am getting:

When I create the jar, I have specified all three options: Extract required libraries into the jar, Package the required libraries into the jar, and Copy the required libraries into a nearby folder. In no case does Eclipse package the JDBC classes. It includes classes that I didn't know I used--some from org.eclipse, org.hamcrest and JUnit (even though I don't particularly want to include my test class, I can't figure out how to remove it from the jar without removing it from my project).

I've also tried creating the jar directly from the command line, but I get mainClassNotFound errors.


Thanks for the help. I have implemented AES/CBC encryption, storing the IV and initializing the decryption-time Cipher with it. Here are my code snippets for any comments and anyone else's future reference:

and finally, my init() method:

12 years ago
Hm. I've run into a secondary bug--when I decrypt the data and re-save it, I get an exception stating the data is too long for the SQL column. Tracking it down...

Edit: resolved. Original issue remains.
12 years ago
Here is the code I am using to initialize the Cipher. I'm unsure which mode of encryption is the default.

Here are 3 encrypted... 32 bytes, 16 of which are the same each timeHex values. Original Strings are 16 characters long:
12 years ago
This isn't a problem per se but I find the behavior odd and I would like to understand it.

I'm using the standard Java Cipher class to encrypt sensitive information. I've got it functional--it encrypts the user input, and when requested, successfully decrypts it, yielding the desired datum. However, if I look at the encrypted result of each of the inputs, there is a consistent tail on the data. That is, this string: "Lxõò±"àÐêð" is present at the end of every encrypted value. Since I'm using one key for all the encryptions, I assume that some other piece of information is being encrypted separately and the encrypted results pasted together. Any ideas what this extra information is?

12 years ago
I'm a newb so forgive the lack of clarity. I don't have a particular threat model in mind, as I'm just learning how to think about these issues. This code is a learning project, not intended for production.

The reason for encrypting the data in the database is to protect the data at rest. Encrypting that data (assuming the keys are managed properly) means that, in the (inevitable) case of a data breach, PCI/HIPAA/etc. would not require notifying those whose data has been compromised. Some effort up-front can prevent a huge expense down the line. I'm sure Sony would attest to that.

Your point that, if an attacker has access to memory, the data is already lost, is well taken. I had come to that conclusion because JTextComponents return their text as unprotected Strings. The plaintext is already there. I'm not trying to rewrite Swing.

There are ways of authorizing access to segments of memory, aren't there? Perhaps an object could be created within protected memory, accept input, and encipher it before it has the opportunity to leave the memory? Or would the entire JVM be within protected memory if any of it is? I don't really know how that works.

Thanks for your response.
12 years ago
I am writing an application that lets the user input sensitive information. When the user clicks "Save," I would like to be able to take that information and encrypt it for storage in a MySQL database. However, I am wary of using a String to store that information, even temporarily, because a memory dump would be able to find that String even if I reassign the variable to null. I also have the issue of what to do when I decrypt the information to display on the screen. Ideally, I will treat the data as the encrypted array of bytes until the last possible moment of displaying it, and holding that information in a secured place in memory.

I see that in .NET there is a SecureString for such tasks, but I can't find an equivalent in Java. Anyone have an idea?

One thought I've had is to use a StringBuffer and to zero it out after using it. Would that nuke the memory space that held the sensitive data?

12 years ago
I'm using some code grabbed off the Interwebs that should work, but I'm getting an exception... got the .der files from my boss, so I assume they're valid, but perhaps not. Spacing and returns are odd here but normal on my machine.

C:\Users\Trevor Basden\Desktop\ImportKey>java ImportKey AKMClientPrivKey.der AKM
ClientSignedCert.der password
Using keystore-file : C:\Users\Trevor Basden\Desktop\ImportKey\keyst2
OException : algid parse error, not a sequence
at Source)
at Source)
at ImportKey.main(
Caused by: IOException : algid parse error, n
ot a sequence
at Source)
at Source)
at<init>(Unknown Source)
at Source)
at Source)
... 3 more
13 years ago