×

Discussion Board

Results 1 to 12 of 12
  1. #1
    Registered User
    Join Date
    Jul 2006
    Posts
    22

    secure encryption key j2me

    Hello all, I have written an application that comes with an AES encrypted datafile in the jar, upon running the application the datafile is decrypted and then stored in the RMS in an unencrypted form (the reason we put it in the RMS is because the data is not static, particular records in the datafile get updated)
    Now obviously I need to include my decryption key in the code, but despite the fact I am using obfuscation am I feel there’s more I need to do to protect my key! What other options do I have with this?

    I’m thinking

    --use fake keys dotted around application
    --call encrypted file blowfishdata or something to throw attackers off the real encryption method used as attacks differ

    But these are just minor inconveniences I feel...

    If it helps, the encryption is AES 256bit

  2. #2
    Super Contributor
    Join Date
    Jun 2003
    Location
    Cheshire, UK
    Posts
    7,395

    Re: secure encryption key j2me

    If someone can get your JAR, and has some experience in MIDP development, extracting your encrypted data is simply a matter of running the MIDlet in the emulator. I don't think any other measure will increase your security significantly.

    Graham.

  3. #3
    Regular Contributor
    Join Date
    Feb 2010
    Posts
    69

    Re: secure encryption key j2me

    Hii
    There r certain ways by which you can avoid storing decryption key inside application to ensure ur security measures but they have their own overheads

    1. Use of SMS : First time when user will start application ask him to send one SMS which has some predifined CODE then in response of that SMS send ur decryption Key.

    2. Use of GPRS: same instead of SMS hit one url and in response send decryption key.

    it has some drawback also like haking of SMS, or http url. for that u need to do Key Exchange between ur app and server using either way (SMS/GPRS) definately this will make ur application bit complex both for developement n for hack.

    Hope this will help u.

    regards
    Nikesh
    Enthusiastic

  4. #4
    Registered User
    Join Date
    Jul 2006
    Posts
    22

    Re: secure encryption key j2me

    Quote Originally Posted by grahamhughes View Post
    If someone can get your JAR, and has some experience in MIDP development, extracting your encrypted data is simply a matter of running the MIDlet in the emulator. I don't think any other measure will increase your security significantly.

    Graham.
    sorry, I neglected to mention that the data stored in the RMS is encoded, so it will be just nonsense if the .db file is extrated from one of the emulator folders

  5. #5
    Registered User
    Join Date
    Jul 2006
    Posts
    22

    Re: secure encryption key j2me

    Quote Originally Posted by Enthusiastic View Post
    Hii
    There r certain ways by which you can avoid storing decryption key inside application to ensure ur security measures but they have their own overheads

    1. Use of SMS : First time when user will start application ask him to send one SMS which has some predifined CODE then in response of that SMS send ur decryption Key.

    2. Use of GPRS: same instead of SMS hit one url and in response send decryption key.

    it has some drawback also like haking of SMS, or http url. for that u need to do Key Exchange between ur app and server using either way (SMS/GPRS) definately this will make ur application bit complex both for developement n for hack.

    Hope this will help u.

    regards
    Nikesh
    Enthusiastic
    what would stop a attacker extracting the predef code and sending / hitting the page it to the number and getting the key back that way?

  6. #6
    Super Contributor
    Join Date
    Jun 2003
    Location
    Cheshire, UK
    Posts
    7,395

    Re: secure encryption key j2me

    Quote Originally Posted by dazza66667 View Post
    upon running the application the datafile is decrypted and then stored in the RMS in an unencrypted form
    Quote Originally Posted by dazza66667 View Post
    sorry, I neglected to mention that the data stored in the RMS is encoded, so it will be just nonsense if the .db file is extrated from one of the emulator folders
    If the unencrypted data is unusable, why encrypt it?

    Graham.

  7. #7
    Registered User
    Join Date
    Jul 2006
    Posts
    22

    Re: secure encryption key j2me

    Ok, the data is encoded once it’s in the RMS database but no longer encrypted...

    We don’t want to encrypt it in the RMS database because we need it to be as fast as possible; there are utility methods to unscramble the data from the RMS at runtime...

    I’m just looking for the best way to hide the decryption key in the code to cause the most aggravation for an attacker rather than just having the string sitting there in plaintext. Any ideas?

  8. #8
    Super Contributor
    Join Date
    Jun 2003
    Location
    Cheshire, UK
    Posts
    7,395

    Re: secure encryption key j2me

    I must confess to being completely at a loss to the point of the exercise, if the unencrypted data is considered useless.

    I guess you could have lots of similar looking strings, only one of which is the real one, but decompiling the code would make it easy to see which one is the right one (and if some are never referenced, or referenced only from methods that are never called, for example, you risk them being removed by the obfuscator).

    What kind of attacker are you hoping to avoid? Realistically, anyone familiar enough with MIDP development to have a decompiler and an emulator will have little difficulty unravelling your code.

    By encrypting the data, you've already protected yourself from someone whose skills extend only to unzipping the JAR (though, since you believe that unencrypting the data does not make it usable, I'm not seeing what you've gained).

    You could put the bytes of the key in an array, in the wrong order, encode them simply (xor), something like that, so that some decyphering of the code is necessary. But if I can find the point in your code where the data is read from the file (easy), I can probably find where the decryption key must exist, and easily acquire it by running the code in the debugger. But I wouldn't, because I can simply acquire the data at the end of the decryption process, and get the unencrypted data without any effort. But if that's useless to me, why would I want to get the key in the first place?

    Graham.

  9. #9
    Registered User
    Join Date
    Aug 2010
    Posts
    6

    Re: secure encryption key j2me

    I am new to this room. I just wrote a encryption in j2me. I need to store key information and other encrypted data in byte[] in RMS. Question: how can I write data into, update and read them out in byte[] with all other data types, such as UTF, int and boolean, in the RMS? If possible, some sample code, please. Thanks a lot.

    Mydreamgirl

  10. #10
    Registered User
    Join Date
    Oct 2009
    Location
    Noida
    Posts
    941

    Re: secure encryption key j2me

    Quote Originally Posted by mydreamgirl View Post
    I am new to this room. I just wrote a encryption in j2me. I need to store key information and other encrypted data in byte[] in RMS. Question: how can I write data into, update and read them out in byte[] with all other data types, such as UTF, int and boolean, in the RMS? If possible, some sample code, please. Thanks a lot.

    Mydreamgirl
    Please refer to this FN wiki link - http://wiki.forum.nokia.com/index.ph...re_Data_in_RMS
    it will help you. It shows how to store various data types in RMS
    Thanks,
    Ekta

  11. #11
    Registered User
    Join Date
    Aug 2010
    Posts
    6

    Re: secure encryption key j2me

    Got it. Never mind. -MyDreamGirl

    Quote Originally Posted by mydreamgirl View Post
    I am new to this room. I just wrote a encryption in j2me. I need to store key information and other encrypted data in byte[] in RMS. Question: how can I write data into, update and read them out in byte[] with all other data types, such as UTF, int and boolean, in the RMS? If possible, some sample code, please. Thanks a lot.

    Mydreamgirl

  12. #12
    Registered User
    Join Date
    Aug 2010
    Posts
    6

    Re: secure encryption key j2me

    I am trying to send some text and byte[] messages from a j2me application to a servlet. I am able to get all text messages in servlet but unable to get byte[] message correctly. I set http.setRequestProperty("Content-Type", "application/x-www-form-urlencoded") in client side and response.setContentType("multipart/form-data") in the server side.Do you have a sample code to handle and parse both text and byte[] messages in server side? If you have, would you mind share it with us?

    MyDreamGirl

Similar Threads

  1. Urgent --how to assign select command for center key in N-73 using J2ME
    By J2meDeveloper in forum Mobile Java General
    Replies: 4
    Last Post: 2010-08-20, 09:21
  2. How to secure a Mifare key in a midlet?
    By microchi in forum Near Field Communication
    Replies: 16
    Last Post: 2010-08-06, 03:15
  3. Does J2ME support simulate key event?
    By andy205214 in forum Mobile Java General
    Replies: 2
    Last Post: 2008-07-31, 04:14
  4. 3220 + Secure Cover + J2ME
    By geri-m in forum General Development Questions
    Replies: 0
    Last Post: 2005-09-06, 13:04

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •