6

I have some text that is in a file. I want to encrypt this file so that an end user can not read or write to this file, but the application can read it. There can be a stored secret in the application because it is being secured in another way.

What type of Encryption support these requirements?

I was thinking of AES. I do not know much about encryption, and was looking for a starting point. An algorithm or a framework suggestion would be great.

One last note, the code is in Java running on a Windows and Linux environment.

Paŭlo Ebermann
  • 73,284
  • 20
  • 146
  • 210
user489041
  • 27,916
  • 55
  • 135
  • 204

3 Answers3

5

Since you've tagged the post as "Java" - I'd recommend looking at the "Java Cryptography Extension" (JCE). Since J2SE 1.4 it's been bundled with the SDK and JRE.

And of course, a requisite example and overview of using AES in the JCE.

xelco52
  • 5,257
  • 4
  • 40
  • 56
4

If the application can read it, the application has a key in it. And if the application has a key in it, a sufficiently energetic user can find that key and use it for themselves. Or spy on memory and see the decrypted version.

bmargulies
  • 97,814
  • 39
  • 186
  • 310
  • Actually, we use something call Software Shield on of product. It is a mini OS that wraps you application and obfuscates things like that so we can store keys on the software. It is some neat stuff. – user489041 Mar 05 '11 at 21:33
  • Huile de serpent. 'Obscurity' is never really security, but on the other hand 'security' is a matter of how much you care and how much you care to spend. If some obscurity floats your boat, it floats your boat. – bmargulies Mar 05 '11 at 22:45
3

AES or RSA would be just fine. An important thing to notice though is that once your program decrypts data, a reverse engineer would easily recover the plaintext without any knowledge of the key or algorithm of encryption.

Spyros
  • 46,820
  • 25
  • 86
  • 129
  • 2
    I don't think RSA fits this problem at all. – CodesInChaos Mar 04 '11 at 23:01
  • If you had to pick one, what would you go for. I really dont know too much about encryption. I just want something that will be easy and fast to implement. – user489041 Mar 05 '11 at 21:34
  • It doesn't matter so much because the decrypted data can be extracted whatsoever. I think i would probably pick AES, but if i wanted to be a bit more versatile i could include a dynamic library that would be responsible for handling the public key and doing the decryption. To do things fast use AES, for more versatility RSA. – Spyros Mar 05 '11 at 21:37
  • -1. RSA isn't the proper algorithm for file encryption. *can* it be done - yes. RSA is a asymmetric encryption algorithm and is best suited for encrypting keys. Use AES or another symmetric block cypher and then if you need to transport the AES password/key, encrypt the key with RSA using the recipient's public key. – xelco52 Mar 07 '11 at 23:46
  • Can you a provide of a real reason(i know theory) of why it would be a bad idea to encrypt with RSA ? Because i've seen it happen in software thousands of times, even used with self modifying techniques. Please don't base your reply on the fact that PGP works the way you describe it. This is just a system. Rather provide a solid argument on why encrypting with RSA got your -1. I'm really curious to learn something today. – Spyros Mar 08 '11 at 00:29
  • Btw, a public key cryptosystem is used to encrypt keys because there is a reason behind that, and that is an insecure channel. That does not apply for encrypting text in a software program of course. Thus, your saying that RSA isn't "proper" is just saying something to disagree(and that's a really friendly way to put it). Hope that you will show up and provide a convincing argument, though i pretty much doubt that there is a single one. – Spyros Mar 08 '11 at 00:42
  • 5
    @SpyrosP - RSA was designed specifically to encrypt data blocks shorter than it's key length. The concept of public key cryptography was designed to transmit very small blocks of data (keys) over insecure channels. The max number of bytes that can be encrypted with RSA is calculated: ((KeySize - 384) / 8) + 37. Even if you could, the algorithm is too incredibly inefficient to be encrypting large files! I am not going out on a limb here, this is basic stuff. Don't take my word for it though, do some research. You can even start right here on SO: http://stackoverflow.com/q/1199058/573083 – xelco52 Mar 08 '11 at 02:06
  • What you say is almost correct and indeed very basic. Still, this does not mean that text cannot be encrypted or that there is absolutely any drawback. And no, public key cryptography was not designed for encrypting keys. When Merkle and Hellman first proposed it, it was about solving a hard problem. Encrypting keys, digital signatures and the likes are just some uses of RSA. Like text encryption. And i've done quite a lot of research on cryptography for writing a big number library, rsa protections and other such things, thanks. Btw,the question is not about encrypting a whole file, but text. – Spyros Mar 08 '11 at 02:16
  • This is a good conversation, and will hopefully be useful to viewers in the future. You're arguing that it *can* be done. You are correct. I even stated that in my original comment. But recommending, and then insisting that it is the right way to steer this new coder is... borderline irresponsible. A hammer can be used to bang in a screw - but it is still not a good approach. By all means, if all you have is a hammer, then bang away. – xelco52 Mar 08 '11 at 03:28
  • I don't say that it's the right way. Because there is no right way. Both ways are just fine FOR THIS PARTICULAR question. If you care about speed of execution, it's elementary that a private key crypto is faster of course. For this occasion, where the question is about encrypting plaintext, rest assured that RSA and AES are both perfectly fine and virtually the same. And the hammer example, in my opinion is, at least, extremely irrelevant. And actually, in this particular question, even a xor encryption is just the same as RSA or AES. You disagree ? – Spyros Mar 08 '11 at 03:33
  • And since there is no more space on the previous comment, let me rest my case by saying that Public Key cryptography is different than Key Exchange, and you somehow mix them, probably thinking that PKC starts and ends with PGP. – Spyros Mar 08 '11 at 03:42
  • This has been very informative. The data that I need to encrypt is a very small amount of text. 50 chars max. I tried RSA. Here is a link http://www.javamex.com/tutorials/cryptography/rsa_encryption.shtml. Here is the solution I came up with. I generate a file with the text. I generate a public and private key. I then distribute the encrypted file along with the public key. The user on the other end can decrypt it with their public key. What would the AES way of doing things be with my solution? – user489041 Mar 09 '11 at 17:26
  • @user489041 - I know this thread has gone to hell, but lets try to recover. In your example, you have the recipient on the other end decrypting with their public key. That is not correct. If you want to transport the encrypted file to someone, *your* keys are not used for encryption. You encrypt with their public key, and they decrypt with their private key. You distribute *your* public key so that someone else may encrypt data to *you*, which you then decrypt with your private key. AES - is symmetric. There is one key. You encrypt with the key, and decrypt with the same key. – xelco52 Mar 09 '11 at 21:43