File Security
The files on a local disk can be vulnerable to theft or modification. If you’re running any sort of server software, of course, you shouldn’t keep anything private on the server machine. Even a machine without server software, however, is vulnerable to viruses, Trojan horses, and other types of skullduggery. It doesn’t do much good to encrypt all your communications if someone can pull files off your local disk.
If you’re especially paranoid, you should encrypt any sensitive files on your local disk. Keep the key on a removable disk or a smart card, or use a passphrase (but don’t write it down anywhere!).
Serialization
JDK 1.1 introduced the technique of object serialization, where Java objects can be written to streams and read from streams. By itself, object serialization offers nothing in the way of security. If you write objects out to a file, it’s pretty easy for almost anyone to read the file and find out what’s in it. Several of the examples in this book, for example, serialize a key to a file for later use. This offers no protection for the key, as it is stored in the clear in the file. To protect sensitive data, you can combine object serialization with an encrypted data stream (that is, wrap an ObjectOutputStream around a CipherOutputStream). Alternately, you might use a javax.crypto.SealedObject (see Chapter 7).
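The wrapping described above, as an added example that is not code from the book: an ObjectOutputStream is layered over a CipherOutputStream so the serialized bytes never reach the file in the clear. The choice of AES in GCM mode, the stored-IV file layout, and the class and method names are assumptions made for this sketch.

```java
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import java.io.*;
import java.nio.file.*;
import java.security.SecureRandom;

public class EncryptedSerialization {
    private static final int IV_LEN = 12, TAG_BITS = 128; // assumed GCM parameters

    // Serialize obj through AES-GCM; the fresh IV is written in the clear ahead of the ciphertext.
    static void write(Path path, SecretKey key, Serializable obj) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv); // never reuse an IV with the same key
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        try (OutputStream file = Files.newOutputStream(path)) {
            file.write(iv);
            try (ObjectOutputStream out = new ObjectOutputStream(new CipherOutputStream(file, cipher))) {
                out.writeObject(obj);
            } // closing finalizes the cipher, which appends the authentication tag
        }
    }

    // Read the IV back, then deserialize through a CipherInputStream keyed the same way.
    static Object read(Path path, SecretKey key) throws Exception {
        try (InputStream file = Files.newInputStream(path)) {
            byte[] iv = new byte[IV_LEN];
            new DataInputStream(file).readFully(iv);
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
            try (ObjectInputStream in = new ObjectInputStream(new CipherInputStream(file, cipher))) {
                return in.readObject();
            }
        }
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey(); // generated in memory here; do not store it beside the file
        Path path = Files.createTempFile("sealed", ".ser");
        write(path, key, "constructed sample secret"); // constructed sample value
        String raw = new String(Files.readAllBytes(path), "ISO-8859-1");
        System.out.println("plaintext visible in file: " + raw.contains("sample secret"));
        System.out.println("recovered: " + read(path, key));
        Files.delete(path);
    }
}
```

The encrypted file is only as safe as the key, so the key itself should not be serialized in the clear next to it.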
Deleting Files
A more subtle security risk comes from deleted files. Suppose you receive an encrypted message from a fellow freedom fighter. Naturally, ...