
I just want to clear up the concept of the Java serialization process. It clearly states that it helps to convert the object's state into a sequence of bytes, which means it helps to save the object's information in byte form.

My question is, is Java's Serialization and Deserialization process comparable with network's encryption and decryption process? Here is my simple code:

package com.java;

import java.io.Serializable;

// Serializable is a marker interface: there is nothing to implement,
// the JVM derives the byte layout from the fields below.
public class employee implements Serializable
{
    public String firstName;
    public String lastName;
}

Here the class employee implements the Serializable interface, and it has two variables, firstName and lastName. That is fine:

package com.java;

import java.io.FileOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;

public class SerializaitonClass {

    public static void main(String[] args) {
        employee emp = new employee();
        emp.firstName = "Gary";
        emp.lastName = "Michel";

        // try-with-resources closes both streams even if writeObject throws
        try (FileOutputStream fileOut = new FileOutputStream("./employee.txt");
             ObjectOutputStream out = new ObjectOutputStream(fileOut)) {
            out.writeObject(emp);   // writes the stream header, the class descriptor and the field values
            System.out.println("Serialized data is saved in ./employee.txt file");
        }
        catch (IOException i) {
            i.printStackTrace();
        }
    }
}

In the class SerializaitonClass, I create the employee object, access the instance variables (firstName, lastName) and initialize their values.

When I run this, it creates the employee.txt file.

When I open this file, I get this:

¬í sr com.java.employeeÜ@<~â™` L    firstNamet Ljava/lang/String;L lastNameq ~ xpt Garyt Michel

So it converts the whole object's information into byte format. When I use deserialization, I get the desired output.

So, can I compare this process with encryption process in network? Maybe I'm totally wrong, so please help me understand.

halfer
Gary MIchel
  • https://docs.oracle.com/javase/tutorial/jndi/objects/serial.html might help –  Aug 09 '15 at 20:21
  • You should be able to glance at the file and immediately realise that the text you can easily read is not encrypted. – Peter Lawrey Aug 09 '15 at 20:31

2 Answers


They don't really compare in purpose: encryption takes a series of bytes and modifies them in a way so that only the proper receiver can undo the modifications.

Serialisation just gathers the data of the object, which is in different memory locations, and creates an array of bytes with all that data together, so you can transfer it. You can think of it as "converting" the Java object to a string, and then recovering the object from that string.

But anyone with a serialised object can de-serialise it.


No, you cannot compare Java serialization and deserialization with cryptography.

Encryption is a process where your information is encoded using a key and encryption algorithm. The information can be decrypted only by the authorized parties.

Java serialization follows a set of rules to generate the byte sequence. If you want to pass the serialized object over the network, you may need to use another layer of encryption over the serialized bytes to achieve data integrity.

RP-