dummies guide to java encryption

Andy Fish

Hi,

In my Java app I want to include a licence key (see previous post for
detailed information on the futility of this approach :) and I need to stop
someone tampering with the key so I need to use some combination of message
hash and encryption. Ideally the encryption should be asymmetric so that the
encryption key which goes out with the program (to decrypt the licence key)
is not the same as the one that is used to generate the licence key in the
first place.

So I'm looking for some APIs like

String encrypt (String plaintext, String password)
String decrypt (String cyphertext, String password)
String computeHash(String plaintext, [String password])

Obviously I'm not expecting it to be quite this easy but reading the JCE
documentation it's far from obvious to me how to go about this. I see that
there is a DSA algorithm called SHA1withRSA that sounds like it should do
both in one step, but I can't figure out how to use it.

The only JCE tutorial I've seen uses this:

KeyGenerator kg = KeyGenerator.getInstance(...);
Key key = kg.generateKey();

but I need to save the key and use it later. I can't see any mechanism for
generating a key from a passphrase or deserialising an existing key from a
string or byte array.

Can anyone point me at a simple tutorial or example of doing things like
encryption and message hashing using JCE?

As a subsidiary question, I ran some sample code to list all the provider
information and there were 5 separate providers (SUN, SunJSSE, SunRsaSign,
SunJCE, and SunJGSS). Can I safely assume these will all be present on any
installation of Sun's Java 1.4? - the documentation only mentioned SunJCE.

Andy
 
Matt Humphrey

Andy Fish said:
Hi,

In my Java app I want to include a licence key (see previous post for
detailed information on the futility of this approach :) and I need to stop
someone tampering with the key so I need to use some combination of message
hash and encryption. Ideally the encryption should be asymmetric so that the
encryption key which goes out with the program (to decrypt the licence key)
is not the same as the one that is used to generate the licence key in the
first place.

So I'm looking for some APIs like

String encrypt (String plaintext, String password)
String decrypt (String cyphertext, String password)
String computeHash(String plaintext, [String password])

I found Java Cryptography by Knudsen to be good.

Cheers,
Matt Humphrey (e-mail address removed) http://www.iviz.com/
 
Roedy Green

Can anyone point me at a simple tutorial or example of doing things like
encryption and message hashing using JCE?

Encryption is based on the idea the Bad Guys don't have the key. In
the case of licensing, they do. Otherwise the program could not run.

See my http://mindprod.com/products.html#WRAPPER
which does digital signing, encryption and armouring.

You could for example digitally sign your license file that contains
the capabilities. You can verify in your program that the licence file
could only have been created by you, the holder of the corresponding
private key. However, the hacker can simply remove the code that does
that check. Most licensing schemes use a simplified variant of this,
e.g. doing a checksum of the licence or treat the licence as a big
binary number and do a modulo some prime. This only stops casual
cheats who are not prepared to hack the code.

You could for example encrypt the licence file. If the program
contains the key to decrypt it, so has the hacker.

Your best defence is to require frequent updates. Then you can keep
changing the security schemes to keep the hackers on their toes and
eventually wear them out.

see http://mindprod.com/jgloss/obfuscator.html
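
Added example, not part of any post in this thread: a sketch of the signed-licence check discussed above, using the standard `java.security` API, showing how a key pair is turned into byte arrays and reloaded later. The class name, the licence string and the choice of SHA256withRSA (SHA1withRSA is used the same way) are assumptions made for the example; as the thread notes, this detects tampering with the licence but does not stop someone removing the check.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

public class LicenceSignatureDemo {
    // Hash-then-sign in one step; assumption: SHA-256 rather than the SHA-1 variant named in the thread.
    static final String ALG = "SHA256withRSA";

    // Vendor side: sign the licence text with the private key, which is never shipped.
    static String sign(String licence, byte[] pkcs8PrivateKey) throws GeneralSecurityException {
        PrivateKey key = KeyFactory.getInstance("RSA")
                .generatePrivate(new PKCS8EncodedKeySpec(pkcs8PrivateKey));
        Signature s = Signature.getInstance(ALG);
        s.initSign(key);
        s.update(licence.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(s.sign());
    }

    // Application side: verify with the public key that ships inside the program.
    static boolean verify(String licence, String sigB64, byte[] x509PublicKey)
            throws GeneralSecurityException {
        PublicKey key = KeyFactory.getInstance("RSA")
                .generatePublic(new X509EncodedKeySpec(x509PublicKey));
        Signature s = Signature.getInstance(ALG);
        s.initVerify(key);
        s.update(licence.getBytes(StandardCharsets.UTF_8));
        try {
            return s.verify(Base64.getDecoder().decode(sigB64));
        } catch (SignatureException | IllegalArgumentException e) {
            return false; // a malformed signature is treated as invalid
        }
    }

    public static void main(String[] args) throws Exception {
        // One-time key generation; getEncoded() yields byte arrays that can be stored and reloaded.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        byte[] priv = kp.getPrivate().getEncoded(); // PKCS#8 encoding, stays with the vendor
        byte[] pub = kp.getPublic().getEncoded();   // X.509 encoding, embedded in the application

        String licence = "user=example;edition=pro;expires=2030-01-01"; // constructed sample
        String sig = sign(licence, priv);
        System.out.println("genuine:  " + verify(licence, sig, pub));
        System.out.println("tampered: " + verify(licence.replace("pro", "ent"), sig, pub));
    }
}
```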
 
