  1. #1
    Registered User dazza66667's Avatar
    Join Date
    Jul 2006
    Posts
    22
    Hello all, I have written an application that comes with an AES-encrypted datafile in the JAR. Upon running the application, the datafile is decrypted and then stored in the RMS in an unencrypted form (the reason we put it in the RMS is that the data is not static; particular records in the datafile get updated).
    Now obviously I need to include my decryption key in the code, but despite the fact I am using obfuscation I feel there’s more I need to do to protect my key! What other options do I have with this?

    I’m thinking

    --use fake keys dotted around application
    --call encrypted file blowfishdata or something to throw attackers off the real encryption method used as attacks differ

    But these are just minor inconveniences I feel...

    If it helps, the encryption is AES 256bit

  2. #2
    Registered User grahamhughes's Avatar
    Join Date
    Jun 2003
    Location
    Cheshire, UK
    Posts
    7,394
    If someone can get your JAR, and has some experience in MIDP development, extracting your encrypted data is simply a matter of running the MIDlet in the emulator. I don't think any other measure will increase your security significantly.

    Graham.

  3. #3
    Regular Contributor Enthusiastic's Avatar
    Join Date
    Feb 2010
    Posts
    69
    Hi,
    There are certain ways by which you can avoid storing the decryption key inside the application to ensure your security measures, but they have their own overheads.

    1. Use of SMS: The first time the user starts the application, ask him to send one SMS which has some predefined CODE, then in response to that SMS send your decryption key.

    2. Use of GPRS: The same, but instead of SMS hit one URL and in response send the decryption key.

    It has some drawbacks also, like hacking of the SMS or HTTP URL. For that you need to do a key exchange between your app and server using either way (SMS/GPRS). Definitely this will make your application a bit complex, both for development and for hacking.

    Hope this will help you.

    regards
    Nikesh
    Enthusiastic

  4. #4
    Registered User dazza66667's Avatar
    Join Date
    Jul 2006
    Posts
    22
    Quote Originally Posted by grahamhughes View Post
    If someone can get your JAR, and has some experience in MIDP development, extracting your encrypted data is simply a matter of running the MIDlet in the emulator. I don't think any other measure will increase your security significantly.

    Graham.
    Sorry, I neglected to mention that the data stored in the RMS is encoded, so it will be just nonsense if the .db file is extracted from one of the emulator folders.

  5. #5
    Registered User dazza66667's Avatar
    Join Date
    Jul 2006
    Posts
    22
    Quote Originally Posted by Enthusiastic View Post
    Hi,
    There are certain ways by which you can avoid storing the decryption key inside the application to ensure your security measures, but they have their own overheads.

    1. Use of SMS: The first time the user starts the application, ask him to send one SMS which has some predefined CODE, then in response to that SMS send your decryption key.

    2. Use of GPRS: The same, but instead of SMS hit one URL and in response send the decryption key.

    It has some drawbacks also, like hacking of the SMS or HTTP URL. For that you need to do a key exchange between your app and server using either way (SMS/GPRS). Definitely this will make your application a bit complex, both for development and for hacking.

    Hope this will help you.

    regards
    Nikesh
    Enthusiastic
    What would stop an attacker extracting the predefined code and sending it to the number / hitting the page, and getting the key back that way?

  6. #6
    Registered User grahamhughes's Avatar
    Join Date
    Jun 2003
    Location
    Cheshire, UK
    Posts
    7,394
    Quote Originally Posted by dazza66667 View Post
    upon running the application the datafile is decrypted and then stored in the RMS in an unencrypted form
    Quote Originally Posted by dazza66667 View Post
    Sorry, I neglected to mention that the data stored in the RMS is encoded, so it will be just nonsense if the .db file is extracted from one of the emulator folders.
    If the unencrypted data is unusable, why encrypt it?

    Graham.

  7. #7
    Registered User dazza66667's Avatar
    Join Date
    Jul 2006
    Posts
    22
    Ok, the data is encoded once it’s in the RMS database but no longer encrypted...

    We don’t want to encrypt it in the RMS database because we need it to be as fast as possible; there are utility methods to unscramble the data from the RMS at runtime...

    I’m just looking for the best way to hide the decryption key in the code to cause the most aggravation for an attacker rather than just having the string sitting there in plaintext. Any ideas?

  8. #8
    Registered User grahamhughes's Avatar
    Join Date
    Jun 2003
    Location
    Cheshire, UK
    Posts
    7,394
    I must confess to being completely at a loss as to the point of the exercise, if the unencrypted data is considered useless.

    I guess you could have lots of similar looking strings, only one of which is the real one, but decompiling the code would make it easy to see which one is the right one (and if some are never referenced, or referenced only from methods that are never called, for example, you risk them being removed by the obfuscator).

    What kind of attacker are you hoping to avoid? Realistically, anyone familiar enough with MIDP development to have a decompiler and an emulator will have little difficulty unravelling your code.

    By encrypting the data, you've already protected yourself from someone whose skills extend only to unzipping the JAR (though, since you believe that unencrypting the data does not make it usable, I'm not seeing what you've gained).

    You could put the bytes of the key in an array, in the wrong order, encode them simply (xor), something like that, so that some deciphering of the code is necessary. But if I can find the point in your code where the data is read from the file (easy), I can probably find where the decryption key must exist, and easily acquire it by running the code in the debugger. But I wouldn't, because I can simply acquire the data at the end of the decryption process, and get the unencrypted data without any effort. But if that's useless to me, why would I want to get the key in the first place?

    Graham.
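
The point made in post #8, as an added example that is not part of the original thread: a key stored XOR-ed and out of order still has to ship with its own inverse routine, so the contents of the JAR alone are enough to decrypt the datafile. The class and method names, the mask, the permutation and the sample data are constructed for illustration, and Java SE's `javax.crypto` (AES-GCM) stands in for whatever AES library the MIDlet uses.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added illustration; class and method names are hypothetical.
public class EmbeddedKeyDemo {
    // Build-time step: XOR each key byte with a mask and store it out of order.
    static byte[] scramble(byte[] key, byte mask, int[] order) {
        byte[] stored = new byte[key.length];
        for (int i = 0; i < key.length; i++) stored[order[i]] = (byte) (key[i] ^ mask);
        return stored;
    }

    // Runtime step: the shipped app must contain this inverse to use the key.
    static byte[] unscramble(byte[] stored, byte mask, int[] order) {
        byte[] key = new byte[stored.length];
        for (int i = 0; i < key.length; i++) key[i] = (byte) (stored[order[i]] ^ mask);
        return key;
    }

    static byte[] aesGcm(int mode, byte[] key, byte[] iv, byte[] in) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, iv));
        return c.doFinal(in);
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rnd = new SecureRandom();
        byte[] key = new byte[32];             // constructed 256-bit sample key
        byte[] iv = new byte[12];
        rnd.nextBytes(key);
        rnd.nextBytes(iv);
        int[] order = new int[32];             // constructed permutation of 0..31
        for (int i = 0; i < 32; i++) order[i] = (i * 7 + 3) % 32;
        byte mask = 0x5A;

        // What the publisher puts in the JAR: ciphertext plus scrambled key material.
        byte[] dataFile = aesGcm(Cipher.ENCRYPT_MODE, key, iv, "record1;record2".getBytes("UTF-8"));
        byte[] stored = scramble(key, mask, order);
        System.out.println("stored bytes equal key: " + Arrays.equals(stored, key));

        // The app's own routine rebuilds the key from shipped material only.
        byte[] recovered = unscramble(stored, mask, order);
        System.out.println("recovered equals key:   " + Arrays.equals(recovered, key));
        System.out.println("plaintext: " + new String(
                aesGcm(Cipher.DECRYPT_MODE, recovered, iv, dataFile), "UTF-8"));
    }
}
```

Nothing used in the last three statements comes from outside the shipped material, which is why scrambling the key changes the effort involved but not the outcome.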

  9. #9
    Registered User mydreamgirl's Avatar
    Join Date
    Aug 2010
    Posts
    6
    I am new to this room. I just wrote an encryption in j2me. I need to store key information and other encrypted data in byte[] in RMS. Question: how can I write data into, update and read them out in byte[] with all other data types, such as UTF, int and boolean, in the RMS? If possible, some sample code, please. Thanks a lot.

    Mydreamgirl

  10. #10
    Registered User ektasrv's Avatar
    Join Date
    Oct 2009
    Location
    Noida
    Posts
    941
    Quote Originally Posted by mydreamgirl View Post
    I am new to this room. I just wrote an encryption in j2me. I need to store key information and other encrypted data in byte[] in RMS. Question: how can I write data into, update and read them out in byte[] with all other data types, such as UTF, int and boolean, in the RMS? If possible, some sample code, please. Thanks a lot.

    Mydreamgirl
    Please refer to this FN wiki link - http://wiki.forum.nokia.com/index.ph...re_Data_in_RMS
    it will help you. It shows how to store various data types in RMS
    Thanks,
    Ekta
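
For the question in post #9, an added example that is not from the thread or from the linked wiki page: one common way to pack a UTF string, an int, a boolean and a byte[] into the single byte[] that an RMS record holds, using `DataOutputStream`, with the blob length validated on the way back in. The record layout, the names and `MAX_BLOB` are assumptions; the `RecordStore` calls appear only in comments so the block runs on plain Java SE.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;

// Added illustration; the record layout and all names are hypothetical.
public class RmsRecordCodec {
    static final int MAX_BLOB = 4096;  // assumed upper bound for the byte[] field

    String label; int counter; boolean active; byte[] blob;

    byte[] pack() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(bos);
        out.writeUTF(label);
        out.writeInt(counter);
        out.writeBoolean(active);
        out.writeInt(blob.length);     // length prefix: tells the reader where the blob ends
        out.write(blob);
        out.flush();
        // In a MIDlet: store.addRecord(rec, 0, rec.length) to create,
        // store.setRecord(id, rec, 0, rec.length) to update.
        return bos.toByteArray();
    }

    // In a MIDlet the input would be store.getRecord(id).
    static RmsRecordCodec unpack(byte[] rec) throws IOException {
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(rec));
        RmsRecordCodec r = new RmsRecordCodec();
        r.label = in.readUTF();        // fields must be read in the order they were written
        r.counter = in.readInt();
        r.active = in.readBoolean();
        int len = in.readInt();
        // Reject a corrupted or tampered length before allocating.
        if (len < 0 || len > MAX_BLOB || len > in.available())
            throw new IOException("bad blob length " + len);
        r.blob = new byte[len];
        in.readFully(r.blob);
        return r;
    }

    public static void main(String[] args) throws IOException {
        RmsRecordCodec r = new RmsRecordCodec();
        r.label = "settings"; r.counter = 7; r.active = true;
        r.blob = new byte[] {0x01, (byte) 0xFE, 0x10, 0x20};   // constructed sample bytes
        RmsRecordCodec back = unpack(r.pack());
        System.out.println(back.label + " " + back.counter + " " + back.active
                + " blobLen=" + back.blob.length);
    }
}
```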

  11. #11
    Registered User mydreamgirl's Avatar
    Join Date
    Aug 2010
    Posts
    6
    Got it. Never mind. -MyDreamGirl

    Quote Originally Posted by mydreamgirl View Post
    I am new to this room. I just wrote an encryption in j2me. I need to store key information and other encrypted data in byte[] in RMS. Question: how can I write data into, update and read them out in byte[] with all other data types, such as UTF, int and boolean, in the RMS? If possible, some sample code, please. Thanks a lot.

    Mydreamgirl

  12. #12
    Registered User mydreamgirl's Avatar
    Join Date
    Aug 2010
    Posts
    6
    I am trying to send some text and byte[] messages from a j2me application to a servlet. I am able to get all text messages in the servlet but unable to get the byte[] message correctly. I set http.setRequestProperty("Content-Type", "application/x-www-form-urlencoded") on the client side and response.setContentType("multipart/form-data") on the server side. Do you have sample code to handle and parse both text and byte[] messages on the server side? If you have, would you mind sharing it with us?

    MyDreamGirl


京ICP备05048969号  © Copyright Nokia 2013 All rights reserved