File Security

The files on a local disk can be vulnerable to theft or modification. If you’re running any sort of server software, of course, you shouldn’t keep anything private on the server machine. Even a machine without server software, however, is vulnerable to viruses, Trojan horses, and other types of skullduggery. It doesn’t do much good to encrypt all your communications if someone can pull files off your local disk.

If you’re especially paranoid, you should encrypt any sensitive files on your local disk. Keep the key on a removable disk or a smart card, or use a passphrase (but don’t write it down anywhere!).

Serialization

JDK 1.1 introduced the technique of object serialization, where Java objects can be written to streams and read from streams. By itself, object serialization offers nothing in the way of security. If you write objects out to a file, it’s pretty easy for almost anyone to read the file and find out what’s in it. Several of the examples in this book, for example, serialize a key to a file for later use. This offers no protection for the key, as it is stored in the clear in the file. To protect sensitive data, you can combine object serialization with an encrypted data stream (that is, wrap an ObjectOutputStream around a CipherOutputStream). Alternatively, you might use a javax.crypto.SealedObject (see Chapter 7).
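The stream wrapping described above, as an added example that is not from the book: the class and method names are hypothetical, AES-GCM is an assumed choice of cipher so that modification of the file is detected as well as disclosure prevented, and the key is generated in memory only to keep the example self-contained.

```java
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import java.io.*;
import java.security.SecureRandom;
import java.util.Arrays;

public class EncryptedSerialization { // hypothetical class name
    private static final int IV_LEN = 12, TAG_BITS = 128;

    // Serialize obj through an AES-GCM cipher stream; a fresh random IV is stored before the ciphertext.
    static byte[] write(Serializable obj, SecretKey key) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        ByteArrayOutputStream sink = new ByteArrayOutputStream(); // stands in for a FileOutputStream
        sink.write(iv);
        try (ObjectOutputStream out = new ObjectOutputStream(new CipherOutputStream(sink, c))) {
            out.writeObject(obj);
        } // close() finalizes the cipher and appends the GCM authentication tag
        return sink.toByteArray();
    }

    // Read the IV back, decrypt, and deserialize; a failed tag check surfaces as an IOException.
    static Object read(byte[] blob, SecretKey key) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, blob, 0, IV_LEN));
        InputStream body = new ByteArrayInputStream(blob, IV_LEN, blob.length - IV_LEN);
        try (ObjectInputStream in = new ObjectInputStream(new CipherInputStream(body, c))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey(); // assumption: real code loads the key from protected storage
        byte[] secret = "constructed sample secret".getBytes("UTF-8"); // constructed sample data
        byte[] blob = write(secret, key);
        boolean leaked = new String(blob, "ISO-8859-1").contains("constructed");
        System.out.println("plaintext visible in output: " + leaked);
        System.out.println("round trip ok: " + Arrays.equals(secret, (byte[]) read(blob, key)));
        blob[blob.length - 1] ^= 1; // simulate modification of the stored file
        try {
            read(blob, key);
            System.out.println("modification not detected");
        } catch (IOException e) {
            System.out.println("modification detected: " + e.getClass().getSimpleName());
        }
    }
}
```

Because the tag is verified before any plaintext reaches the ObjectInputStream, a file altered on disk is rejected before deserialization begins.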

Deleting Files

A more subtle security risk comes from deleted files. Suppose you receive an encrypted message from a fellow freedom fighter. Naturally, ...
