Databases
StackOverflow2013
Postsdbo
POCan a secret be hidden in a 'safe' java class offering access credentials?
 

Note that there are some explanatory texts on larger screens.

plurals
  1. POCan a secret be hidden in a 'safe' java class offering access credentials?
    primarykey
    data
    text
    <p>This is a brainstorming question about what's possible in Java (or not). I want to know if it is possible to hide a secret within a class and prevent anymore from accessing it <strong>using Java code or any of its feature only</strong> (security, reflexion, serialization, class loaders, you-name-it...).</p> <p>Here is what I have in mind so far:</p> <pre><code>public final class Safe { private String secret; private HashMap&lt;String, Credentials&gt; validCertificates = new HashMap&lt;String, Credentials&gt;(); public Safe(String aSecret) { this.secret = aSecret; } public final class Credentials { private String user; private Credentials(String user) { this.user = user; } } public final Credentials getCredential(String user) { // Following test is just for illustrating the intention... if ( "accepted".equals(user) ) { return new Credentials(user); } else { return null; } } public String gimmeTheSecret(Credentials cred) { if ( this.validCertificates.get(cred.user) == cred ) { return secret; } else { return null; } } private void writeObject(ObjectOutputStream stream) throws IOException { throw new RuntimeException("No no no no no no no!!!"); } } </code></pre> <p>Can it be improved? Should it be improved? Is the idea of locking a secret in a safe class impossible to achieve?</p> <p><strong>EDIT</strong></p> <p><em>Relevance:</em></p> <p>Some people question the relevance of the issue I am raising here. Although I am asking a general question in order to trigger an open conversation, there is a very concrete application to this class:</p> <ul> <li>If I want to decrypt some messages, I need to load a private key data into a class. If I can't prevent other Java code from accessing it, then it is impossible to create a secure system. Of course, if I want to decrypt a message, I should rather do it in the class than giving away the secret, but still, the safe has to remain unbreakable.</li> </ul> <p><em>Clarification:</em></p> <ul> <li>Instances of the class are only created at runtime, not at compile time</li> <li>Code can run in web server applications or any desktop or device applications</li> <li>The class is only used to store a secret at runtime, in memory, no plans to persist it (for persistence, one can/should use classic encryption techniques)</li> </ul> <p><em>Facts:</em></p> <ul> <li>To implement security in a Java application, one should set a SecurityManager instance where <em>checking</em> methods are overridden as needed</li> <li>This application can load untrusted code with secure class loaders and assign a protection domain for the classes it loads. This domain <strong><em>should not</em></strong> include a RuntimePermission("setSecurityManager").</li> <li>Untrusted code can try to change the SecurityManager, but since the Secure Class Loader did not grant the setSecurityManager permission, a SecurityException will be thrown.</li> </ul> <p><em>Solved issues:</em></p> <p>Regarding the execution environment, we need to distinguish two cases:</p> <ul> <li><strong>Controlled environment:</strong> We get to start the application that will use untrusted code trying to break our 'safe'. </li> </ul> <p>If we set a proper SecurityManager disabling reflection and restricting permissions on any loaded untrusted code, then our secret is safe.</p> <ul> <li><strong>Uncontrolled environment:</strong> Hacker gets to start the application which uses untrusted code trying to break our 'safe'.</li> </ul> <p>The hacker can create his own application with its own security manager and Secure Class loader. It could load our code from the classpath and execute it as if it were our own application. In this case, he could break the safe.</p> <ul> <li>As established in <a href="https://stackoverflow.com/questions/5761702/can-one-break-a-secure-class-loader-with-a-sun-misc-unsafe">a separate question</a>, sun.misc.Unsafe cannot break a security manager</li> </ul>
    singulars
    1. PO
      singulars
      1. PTAnswer
    1. This table or related slice is empty.
    1. PTQuestion
    1. USCommunity
    1. USJérôme Verstrynge
    plurals
    1. PL
      singulars
      1. LTLinked
    1. PL
      singulars
      1. LTLinked
    1. This table or related slice is empty.
    1. PO
      singulars
      1. PTAnswer
    2. PO
      singulars
      1. PTAnswer
    3. PO
      singulars
      1. PTAnswer
    1. VO
      singulars
      1. POCan a secret be hidden in a 'safe' java class offering access credentials?
      1. This table or related slice is empty.
      1. VTUpMod
    2. VO
      singulars
      1. POCan a secret be hidden in a 'safe' java class offering access credentials?
      1. USJérôme Verstrynge
      1. VTBountyStart
    3. VO
      singulars
      1. POCan a secret be hidden in a 'safe' java class offering access credentials?
      1. This table or related slice is empty.
      1. VTUpMod
    1. CONo, there's not. Security through obscurity fails in pretty much all cases.
      singulars
      1. POCan a secret be hidden in a 'safe' java class offering access credentials?
      1. USBrian Roach
    2. CO@Brian Roach Ok, but in that case, how do you break the class described above?
      singulars
      1. POCan a secret be hidden in a 'safe' java class offering access credentials?
      1. USJérôme Verstrynge
    3. COCan you clarify what specifically you're trying to protect against? Where is this code running and what potential threats are there? E.g. is this in a deployed server environment and you're worried about other code getting access to a secret, or is it running on a client device like a phone or applet.
      singulars
      1. POCan a secret be hidden in a 'safe' java class offering access credentials?
      1. USWhiteFang34
 

Querying!

 
Guidance
A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload