Reputation: 11
Verifying file - security issue
I have a file which I'll call A.txt which I use it within java application. This file is shipped together with application, and I want to have a way to verify (within the application) that it is indeed my file, and not one which was for forged.
I have two ideas, but both are susceptible to some attacks:
I ship signature, A.txt and public key as a plain text with the application but if the attacker simply signs his own file, replaces the signature, A.txt and public key the verification will pass.
I hard code the public key into java app - apart from decompiling, if I send A.txt to person A and B.txt to person B and they exchange their txts they will both verify successfully, and I'd rather have person A verify just A.txt successfully.
How can I do this without any possibilities of being attacked? Or how can I implement my ways so that they are safe?
Upvotes: 1
Views: 53
Answers (1)
Reputation: 36
Hiding an encryption key within code can be very dangerous. Reinard had a good idea about the web service that can encrypt and decrypt the file.
Another option might be to hide the key inside the registry or somewhere in a hidden directory. You can also try building your own algorithm that can build up the decryption key.
But what about decompiling? This has always been a major pain for most developers. How do you properly hide secrets within code? You can try using application packagers or scramblers that can slow down the decompiling process. You can also get a java obfuscator like ProGaurd make your code harder to reverse engineer.
I really hope this helps.
Upvotes: 1
Related Questions
- Can't execute jar- file: "no main manifest attribute"
- How do I create a file and write to it?
- How to avoid reverse engineering of an APK file
- How do I create a Java string from the contents of a file?
- Dealing with "Xerces hell" in Java/Maven?
- Verifying signature of a file using the certificates available in store