Clients and certificates ...

Jatinder Bali (jbali@lucent.com)
Tue, 30 Jun 1998 13:19:51 -0400

To: java-security@java.sun.com
Message-Id: <005e01bda44b$4b28a7e0$46265c87@atlantis.hr-firewalls.lucent.com>

Hello,

I have a basic question on signatures in 1.1.

How do I protect clients from modifying license files signed by me? I need access to these files so that I can verify when it expires, etc ... and I also need a way to verify the signature on these files. Since my program is 100% Java they can easily decompile it, change the public key, generate a new signature and hence modify the license file to whatever they please or simply bypass the code that checks the signatures.

The basic problem here is that everything in Java is decompilable including appletviewer and javakey. Obfuscation helps but there are a lot of smart guys who can modify it in minutes.

In "C" or "C++" it is fairly less obvious on how to do this. What is the equivalent security in Java? I cannot use a "C" or "C++" wrapper unless I have a "C" or "C++" implementation of the certificate/keys etc.

I would appreciate any help.

Thanks,
Jatinder
