Flex security - RSA implementation?

Hi all,
I am developing a client-server app; the client is a Flex app that communicates with a PHP server over the AMF protocol.
I need some security, so I thought of some possible solutions:
1. Using HTTPS, but with any "web debugging proxy" anyone can decrypt SSL, so this is not a solution.
2. Using an RSA implementation, so if someone reads the traffic it won't be a problem, but if someone
     disassembles the Flex client, they can access the client private key and then the security will go away.
Is there something to secure the communication?
Thank you

Hi,
For security purposes, you would store the private key in the card and perform all private key operations there. One approach could be to store a certificate and the corresponding private key in a Java Card applet and then retrieve the certificate from the card. You could then send a random number (nonce) to the card and ask it to sign the number. The host application can then verify the signature with the public key in the certificate. The host could also verify the certificate against a certificate authority or a known trust chain.
The hard part is that you will need to implement this in the applet yourself. You can define a set of APDUs that you could send to the card for specific responses. For instance, one command to get the certificate and another to sign some arbitrary data. You would also want a way of injecting the keys (this is the simple, less secure approach though).
With certificates you can use the cryptographic properties to verify that you trust the card, and if you do not receive a trusted certificate the program can terminate. Also, if the signature is not verified then you could exit as well, as the card has not proven ownership of the private key.
Cheers,
Shane
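
The nonce challenge-response described in the reply above, as an added example that is not part of the original post: the host sends a fresh random nonce, the key holder signs it, and the host verifies the signature with the public key it trusts. SimulatedCard is a hypothetical in-process stand-in for the applet and its APDU exchange, and the public key is assumed to come from a certificate whose chain the host has already validated.

```java
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;

public class CardChallengeResponse {

    /** Hypothetical stand-in for the applet: keeps the private key and only exposes sign(). */
    static final class SimulatedCard {
        private final PrivateKey privateKey; // never leaves this object
        final PublicKey publicKey;           // what the card's certificate would carry

        SimulatedCard() throws GeneralSecurityException {
            KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
            gen.initialize(2048);
            KeyPair kp = gen.generateKeyPair();
            privateKey = kp.getPrivate();
            publicKey = kp.getPublic();
        }

        /** Equivalent of the "sign some arbitrary data" command. */
        byte[] sign(byte[] challenge) throws GeneralSecurityException {
            Signature s = Signature.getInstance("SHA256withRSA");
            s.initSign(privateKey);
            s.update(challenge);
            return s.sign();
        }
    }

    /** Host side: a new unpredictable challenge for every authentication attempt. */
    static byte[] freshNonce() {
        byte[] nonce = new byte[32];
        new SecureRandom().nextBytes(nonce);
        return nonce;
    }

    /** Host side: true only if the signature covers this nonce under the trusted key. */
    static boolean verify(PublicKey certifiedKey, byte[] nonce, byte[] signature) {
        try {
            Signature s = Signature.getInstance("SHA256withRSA");
            s.initVerify(certifiedKey);
            s.update(nonce);
            return s.verify(signature);
        } catch (GeneralSecurityException e) {
            return false; // malformed signature or unusable key: treat as untrusted
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        SimulatedCard genuine = new SimulatedCard();
        SimulatedCard impostor = new SimulatedCard();
        PublicKey trusted = genuine.publicKey; // assumed taken from a validated certificate

        // Genuine card signs the nonce it was just given.
        byte[] nonce1 = freshNonce();
        byte[] sig1 = genuine.sign(nonce1);
        System.out.println("genuine card, fresh nonce: " + verify(trusted, nonce1, sig1));

        // A recorded signature replayed against a new nonce must fail.
        byte[] nonce2 = freshNonce();
        System.out.println("replayed old signature:    " + verify(trusted, nonce2, sig1));

        // A device without the certified private key cannot answer the challenge.
        System.out.println("impostor key:              " + verify(trusted, nonce2, impostor.sign(nonce2)));
    }
}
```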

Similar Messages

  • RSA implementation basics ...

    Hi,
    I am totally new to Java Card programming. I want to find out how RSA is implemented. Now if I need to get some information from the card (e.g. serial number) and check the same, how do I implement this using the Host and Smart Card?
    Any light on the same would be appreciated. Also, if anyone has an example of an implementation of RSA between Host and Smart Card, it would be appreciated (in Delphi and Java) ...
    Thanks

    Hi,
    I have written some code based on a sample. The program has a client which accepts a string at the frontend and sends the information to be encrypted at the card, then writes the encrypted information to the card. To decrypt the same, there is an option at the frontend to read the string from the card, so the program gets the string from the card (in encrypted form), then sends the string to the card to decrypt the same. I am getting a Technical error (error 38) while decrypting. Can you please help? I need a solution immediately. I have been trying to work on the same for the last few days.
    I have pasted the code below for reference. Appreciate if some one could respond quickly.
    package rsa_encrypt_decrypt;
    import javacard.framework.*;
    import javacard.security.*;
    import javacardx.crypto.Cipher;
    Host Call:
    iopCard.SendCardAPDU(0x00,0xAA,0x02,P2,iArray,iArray.length);
    Card Applet:
    public class HandsonRSAEncryptDecrypt extends javacard.framework.Applet
    {
        // This applet is designed to respond to the following
        // class of instructions.
        final static byte GETSET_CLA = (byte) 0x85;
        final static byte CRYPT_CLA = (byte) 0x00;
        // Instruction set for SimpleString
        final static byte SET = (byte) 0x10;
        final static byte GET = (byte) 0x20;
        final static byte SELECT = (byte) 0xA4;
        // This buffer contains the string data on the card
        byte TheBuffer[];
        // globals
        RSAPrivateCrtKey rsa_PrivateCrtKey;
        RSAPublicKey rsa_PublicKey;
        KeyPair rsa_KeyPair;
        Cipher cipherRSA;
        final short dataOffset = (short) ISO7816.OFFSET_CDATA;

        // constructor
        private HandsonRSAEncryptDecrypt(byte bArray[], short bOffset, byte bLength)
        {
            TheBuffer = new byte[100];
            // generate own rsa_keypair
            rsa_KeyPair = new KeyPair(KeyPair.ALG_RSA_CRT, KeyBuilder.LENGTH_RSA_1024);
            rsa_KeyPair.genKeyPair();
            rsa_PublicKey = (RSAPublicKey) rsa_KeyPair.getPublic();
            rsa_PrivateCrtKey = (RSAPrivateCrtKey) rsa_KeyPair.getPrivate();
            cipherRSA = Cipher.getInstance(Cipher.ALG_RSA_PKCS1, false);
            register(bArray, (short) (bOffset + 1), bArray[bOffset]);
        }

        // install
        public static void install(byte bArray[], short bOffset, byte bLength)
        {
            new HandsonRSAEncryptDecrypt(bArray, bOffset, bLength);
        }

        public void process(APDU apdu)
        {
            if (selectingApplet())
                return;
            byte[] buf = apdu.getBuffer();
            byte cla = buf[ISO7816.OFFSET_CLA];
            byte ins = buf[ISO7816.OFFSET_INS];
            if ((buf[ISO7816.OFFSET_CLA] != 0) && (buf[ISO7816.OFFSET_CLA] != GETSET_CLA))
                ISOException.throwIt(ISO7816.SW_CLA_NOT_SUPPORTED);
            if ((buf[ISO7816.OFFSET_INS] != (byte) (0xAA))
                    && (buf[ISO7816.OFFSET_INS] != (byte) (0x10))
                    && (buf[ISO7816.OFFSET_INS] != (byte) (0x20)))
                ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
            switch (cla)
            {
                case GETSET_CLA:
                    switch (ins)
                    {
                        case SET:
                            SetString(apdu);
                            break;
                        case GET:
                            GetString(apdu);
                            break;
                    }
                    break; // do not fall through into the CRYPT_CLA branch
                case CRYPT_CLA:
                    // P1 selects the operation: 0x01 = encrypt, 0x02 = decrypt
                    switch (buf[ISO7816.OFFSET_P1])
                    {
                        case (byte) 0x01:
                            encryptRSA(apdu);
                            return;
                        case (byte) 0x02:
                            decryptRSA(apdu);
                            return;
                    }
            }
        }

        private void encryptRSA(APDU apdu)
        {
            byte a[] = apdu.getBuffer();
            short byteRead = (short) (apdu.setIncomingAndReceive());
            cipherRSA.init(rsa_PrivateCrtKey, Cipher.MODE_ENCRYPT);
            short cyphertext = cipherRSA.doFinal(a, (short) dataOffset, byteRead, a, (short) dataOffset);
            // Send results
            apdu.setOutgoing();
            apdu.setOutgoingLength((short) cyphertext);
            apdu.sendBytesLong(a, (short) dataOffset, (short) cyphertext);
            //SetString(apdu);
        }

        private void decryptRSA(APDU apdu)
        {
            byte a[] = apdu.getBuffer();
            short byteRead = (short) (apdu.setIncomingAndReceive());
            cipherRSA.init(rsa_PublicKey, Cipher.MODE_DECRYPT);
            cipherRSA.doFinal(a, (short) dataOffset, byteRead, a, (short) dataOffset);
            // Send results (the output length is fixed at 24 bytes here)
            apdu.setOutgoing();
            apdu.setOutgoingLength((short) 24);
            apdu.sendBytesLong(a, (short) dataOffset, (short) 24);
        }

        // SetString stores the string on the card.
        private void SetString(APDU apdu) {
            byte buffer[] = apdu.getBuffer();
            byte size = (byte)(apdu.setIncomingAndReceive());
            byte index;
            // Store the length of the string and the string itself
            // (TheBuffer is 100 bytes; the incoming length is not checked against it)
            TheBuffer[0] = size;
            for (index = 0; index < size; index++)
                TheBuffer[(byte)(index + 1)] = buffer[(byte)(ISO7816.OFFSET_CDATA + index)];
            return;
        }

        //     1. Client sends a GetString APDU with a length of 0
        //     2. Card responds with a Status Word of 0x62YY, where YY is the length
        //          of the string (in hex).
        //     3. The client sends its GetString APDU again, but this time with the
        //          correct length.
        private void GetString(APDU apdu) {
            byte buffer[] = apdu.getBuffer();
            byte numBytes = buffer[ISO7816.OFFSET_LC];
            if (numBytes == (byte)0) {
                ISOException.throwIt((short)(0x6200 + TheBuffer[0]));
            }
            apdu.setOutgoing();
            apdu.setOutgoingLength(numBytes);
            byte index;
            // Copy exactly numBytes bytes; TheBuffer[0] holds the length
            for (index = 0; index < numBytes; index++)
                buffer[index] = TheBuffer[(byte)(index + 1)];
            apdu.sendBytes((short)0,(short)numBytes);
            return;
        }
    }

  • Secured LDAP implementation in Oracle BI

    Hi All,
    Can anyone tell me how can I implement the secured LDAP in Oracle BI as I have enabled SSL certificate box during the LDAP configuration in the Oracle BI Repository. Is this enough to say that we have implemented secured LDAP or there is something more that I need to do.
    Thanks!

    In terms of securing your LDAP credentials you probably want the OBIEE Presentation Layer as well to be running over HTTPS otherwise the user LDAP credentials will be sent over a clear text HTTP session (although it might not be an issue for you as the BI Server and the Presentation Services might be running on the same box).

  • Flex Security

    Hi there,
    I have a Java webservice at:
    http://mydomain/service/service?wsdl
    And I have a Flex app located at:
    http://mydomain/
    If mydomain is "localhost" then my flex app can call the
    webservice without any problem. However, when I migrated the two
    apps to a non-localhost I got a security error:
    Webservice call failed: [FaultEvent fault=[RPC Fault
    faultString="Security error accessing url"
    faultCode="Channel.Security.Error" faultDetail="Destination:
    DefaultHTTP"] messageId=null type="fault" bubbles=true
    cancelable=true eventPhase=2]
    Does anyone know what the problem is?
    Thanks a lot,
    Chris

    I mean that I have been developing and testing on my local
    machine with a local webserver (localhost) and now I've put both
    the flex app and webservice on a remote machine.
    Anyway, I've actually fixed this problem now - I didn't
    update the webservice files to point to the new host - however now
    I have another problem...
    Webservice call failed: [FaultEvent fault=[RPC Fault
    faultString="HTTP request error" faultCode="Server.Error.Request"
    faultDetail="Error: [IOErrorEvent type="ioError" bubbles=false
    cancelable=false eventPhase=2 text="Error #2032: Stream Error. URL:
    http://mydomain:8080/service/service"
    URL:
    http://mydomain:8080/service/service"
    messageId=null type="fault" bubbles=true cancelable=true
    eventPhase=2]
    Any ideas on this one? I read that you can get this error if
    the URL is incorrect, but these are definitely correct.
    Thanks
    Chris

  • Adobe Flex 3 - Hindi implementation

    Hello EXPERTS,
    We want to support Hindi language in our solution. I think this should possible. I need your expert opinion and help to make this implementation possible.
    Please guide us with  the steps and basic example to start a proof of concept. Currently  to start with  we like to support both Hindi and English.
    Any supporting help document will be highly appreciated.
    Thanks,
    Vikram

    Aha, found my problem.
    It seems I forgot to select the Flex 3 SDK. Switched that
    over, and the errors disappeared.

  • Light Weight JCE Provider with RSA implementation

    Hi all,
    I'm working on an applet that requires RSA encryption, but I have size constraints so I cannot use the BouncyCastle provider (891 KB).
    Does anyone know where to find a light weight JCE provider with an implementation of RSA, I've been searching for a while but without any luck!
    Thank you in advance

    You can use the lw-apis from BC and drop the JCE part. The JCE for BC is just a facade to the lw-apis anyway. And if you use the lw-apis you don't have to worry about any signing issues with the applet.
    Cheers,
    --- jon

  • Flash / Flex security

    Hello,
    probably this sounds really silly... however wanted to ask
    just how secure is Flex/Flash? Since it's on the client, a user can
    easily decompile a .swf and modify any variables and pass them to
    the server.. you know like client script to server.
    also is there something that can be done to invalidate the
    application or the .swf once a third party client modifies any
    variables?
    I wanted a 100% confirm.
    Thanks!

    It wouldn't be possible to hijack the SWF bytecode and alter
    it on the fly - it is too complex for that (and if someone can do
    that with an AI of some sort, well, no one is safe). They will have
    to copy the SWF and mess with it, then post it to some domain of
    their own and then the Flash Player will recognize the different
    domains.
    Another thing you can do is have a shell SWF which loads your
    main swf. This is atypical behavior and while it does make a second
    request to the server (which someone can see with a sniffer) you
    can use this to your advantage.
    When you load main.swf into shell.swf, you can ask main.swf
    how many bytesTotal it is. Then you change shell.swf to hold this
    value: var mainSize:int = 654321. Now shell.swf requests main.swf
    and compares main.swf's size against mainSize. If shell.swf sees
    that the values aren't identical, it knows main.swf isn't correct.
    This isn't 100% foolproof, but someone would have to a) know
    you are doing this and b) hack your main.swf in such a way that the
    byte size remains the same. Quite a challenge I think.
    Finally, all security measures are automatic. You can
    override some of them (check the documentation for the
    Security.allowDomain function and others in the Security class).
    One more thing: suppose someone writes their own shell.swf
    and uses it to load your main.swf. Unless they have access to your
    server, they will launch their evilshell.swf from their domain:
    evildoer.com. That becomes the "home" domain for the Flash Player.
    Now they load your swf from yourdomain.com. Since evildoer.com is
    not yourdomain.com, your SWF can request your data, but since the
    home domain is no longer yourdomain.com, there is a security
    violation. The home domain for the Flash Player must be
    yourdomain.com in order to read data from yourdomain.com.
    Anyone loading your swf into their swf also cannot access
    data and functions (see allowDomain) so your information is still
    protected.

  • Flash / Flex - security in corprate environment

    We are considering platforms to develop a new project with; Flex came up and is very appealing. However, we are dealing with a hosted solution which will be used by companies whose users will need to download the SWF to their browser. Are there any problems that may occur in a company that has strict security policies that may cause the SWF download to fail?
    thanks in advance

    Hmmm... May need to use AIR, or else upload those local
    assets to server then download. Strange but maybe this is
    so.

  • Lightweight RSA implementation (lighter than BouncyCastle)?

    I wonder if by chance there is a more lightweight implementation of RSA for MIDP than the one provided by BouncyCastle? I managed to use the BouncyCastle classes, but RSA+AES encryption together make up for more than 16KB of the jar-File. The bulk of it seems to stem from the BigInteger class. Perhaps by implementing only the operations that are relevant to RSA it would be possible to arrive at a shorter solution?
    If anybody knows of a smaller implementation, it would be great to hear about it!
    Many thanks in advance!

    I've done this helping another ThoughtWorker migrate from Cryptix to BC. It's not an easy task, especially seeing that Cryptix did some really "non-standard" stuff early on.
    It does work (or at least I believe it does work, as I haven't been asked for assistance recently ;-) ), and you should be able to just convert the keys by using the bits you need.
    The other thing that's worth being careful about is that the Cryptix code allowed data encrypted with the RSA keys to be of any mode, including some really busted padding called "ZerosAndOnes". (Don't ask, it's too stupid for words).
    Make sure your encrypted data can be successfully decrypted, and what the various modes are, because if you convert all your code, then you might have difficulties later on trying to decrypt it.
    The first thing I did was to create some code that was a compatibility mode and used the light-weight API's to deal with the transformations. After all the Cryptix code has been removed, it will be a trivial matter to implement the bits that are really needed using the JCE code (if desired).
    Why use the lw-api ? Well, I needed to create a new padding, and doing that with the JCE (and then resigning it) was going to be a real pain. And, all the JCE code uses the LW code underneath anyway, so I knew there wasn't going to be a compatibility problem.
    So, after all that waffle, it should work, but just watch out for how people used the Cryptix RSA keys for encrypting the data. Cryptix didn't check if people were doing dumb things, and that may be the case.
    Cheers,
    -- jon

  • Security component implementation

    I'm working on a security component that will grant access (or deny access) to protected resources through a password verification, in a JSF RI website.
    Can you tell me, in your opinion, what is the best practises to achieve this? Can I rely on the standard JSF validation approach?
    Thank you very much,
    Ivan Saorin

    ivan.saorin wrote:
    > Maybe we have found an anomaly in the way JSF manages validation/security. It is not exactly a bug, rather, the absolute lack of documentation on the argument.
    > We have found that in certain situations the standard security offered by JSF MUST be enforced by some kind of measure.
    > Imagine a scenario like this (real life sick): you build a custom component with an internal validation. The component accepts a password from the user; the confirm button is not on the component itself, instead the component relies on the confirm button present on the page (because the button is on a toolbar).
    > The page confirm button is usually associated with an action that, for example, allows the user to confirm a transaction of some kind.
    > What normally happens if the user puts the wrong password in the password field is that the validation rule fails and a ValidationException is thrown by the validator. The page re-renders itself, signaling the error that occurred to the user.
    > But if an ill-intentioned user removes the component from the page (with a famous Firefox plugin for example),
    The component exists on the server and the server only. The client cannot remove it from the JSF view.
    > or simply removes the secCmpId=secCmpId parameter from the request, the decode of the component is not even called, and so any associated validation rule. The result is that the action fired by the page confirm button is not blocked at all!
    That sounds like a poorly written component to me. The component will exist in the restored view (or this is kept server side); if it is enabled and rendered then it should be decoded. The absence of the expected parameter in the request parameter map should cause an error.
    > For me it is an error that JSF is not blocking the action by default. They should be admitted only and only if all the validations have gone OK, and not if one fails.
    > I know that is a rather peculiar use case, but the extreme confidence in the absolute server-side security usually bounded by JSF can lead to such an implementation.
    > Obviously we have resolved the security hole that luckily was found during an internal security test.
    Personally I wouldn't (and haven't) checked something like a password in a validator, preferring to do it in the action method.

  • Flex security error message

    Ok, so when I pass in a user:pass with the url, it works
    inside Eclipse, HOWEVER when I export my project and run it from
    it's exported location (on my local box and the server), I get the
    following error:
    faultCode:Channel.Security.Error faultString:'Security error
    accessing url' faultDetail:'Destination: DefaultHTTP'
    What does this mean?

    The Flash Player enforces a variety of security rules. Most, if not all, of these
    are turned off when running from Eclipse. One of the rules is that
    you are not allowed to access a URL from a different domain than the one
    your Flex application SWF file was served from.
    So your Flex app comes from
    http://myserver:8080/MyWeb/myFlex.html
    but you are trying to access
    http://otherServer:9000/something.xml
    So you have two choices:
    put a crossdomain.xml file in the root of otherServer, or
    write a proxy for myServer that forwards your requests.
    Look in the doc for the crossdomain.xml format. It's a bit
    vague as to the location. They just say the ROOT of the web server.
    In Tomcat that is in webapps/ROOT; other web servers may be
    different. To test if your crossdomain policy file is in the correct spot, you
    should be able to see the file by entering
    http://otherServer:9000/crossdomain.xml

  • RSA Implementation for SunJCE Provider

    Hello there!
    I just would like to inquire if there are plans/news for the sun developers to include the RSA Algorithm as part of the cryptographic services available in the pre-installed SunJCE Provider? If so, when?
    Thanks.
    Regards,
    Ronron

    Which RSA algorithm are you looking for? BTW Sun has 4
    JCE providers: SUN, SunJCE, SunRsaSign, SunJSSE.

    I am referring to the SunJCE Provider, which is
    already included in the latest Java 2 SDK, v 1.4
    release.

    Those 4 providers are from JDK 1.4.

    I am looking for the RSA Algorithm for
    encryption/decryption of data. Because I believe that
    it would be very helpful when the SunJCE would include
    the implementation of that algorithm since the
    provider had been pre-installed in the latest Java 2
    SDK.
    Do you have any idea?

    I believe they still don't want to have any issues with US export restrictions, especially with that little case when someone needs to use RSA encryption. So, they let you use any 3rd party JCE provider. And there is such a good one for free. Look at BouncyCastle.

  • Secure Backup Implementation - Step By Step

    Hi all,
    I really need help to implement Secure Backup at my site. I have the following hardware components:
    WIn2003 - Enterprise Edition
    IBM AIX5L - Media Server
    IBM TotalStorage Ultrium LTO3 attached to AIX5L Server.
    Someone Please help me to configure.
    Thanks
    KD

    I suggest you read the documentation that comes with OSB to plan and implement your installation.
    If you have a specific question, please post it here and we will do our best to help you

  • Flex Security Questions

    Hi,
    I am new to Flex. How can I protect the source code of my Flex application? As we know, there are quite a number of programs that can easily decompile Flex to get back the source code, such as Sothink SWF Decompiler. How is it possible to prevent people from viewing the source code, then modifying it, and then even using it to connect to our databases?
    Thanks.

    You can check this too.
    http://www.tokaos.com/swf-encrypt-example.asp
    with Regards,
    Shardul Singh Bartwal

  • Secured NIO Implementation

    I have a multi-threaded TCP socket based server to which several clients send data in parallel. I am planning to introduce NIO to support several more clients sending data to my server using non-blocking IO. The issue I am facing now is that the current design uses secured SSL for the data transfer. How can I achieve SSL-based NIO? Can anyone help me on this?
    Thanks in advance

    Very difficult. You use the SSLEngine. See the chapter in my book: http://www.telekinesis.com.au/wipv3_6/FundamentalNetworkingInJava.A21
