1. Home
  2. Lainnya

Smart Serialization Message Digest

Security Concern Refactoring – Putu Ashintya Widhiartha Katsuhisa Maruyama ISSN 1858-1633 2005 ICTS 97 Figure 5. Array Representation of Flattening Arrays refatoring.

3.3. Generating Secure Random Number

As mentioned above, generating random number seems become an unimportant aspect in security. However, if we could increase the security level of our code by altering a piece of our code without change the behavior of entire program, we should try to use more secure method or class in our code. For Java programmers, it does not need big effort for changing random generator to a more secure one. Java provides java.util.Random class for generating random number. Despite of using this class it will be better if we use its subclasses java security.SecureRandom. This class provides a cryptographically strong pseudo-random number generator PRNG. The Secure Random class must produce non-deterministic output and therefore it is required that the seed material should be unpredictable and the output of the SecureRandom class will be cryptographically strong sequences as described in RFC 1750: Randomness Recommendation for Security [9]. The mechanism of this refactoring could be observed in Figure 6. Perhaps people will ask what are the weaknesses of SecureRandom class compared with Random class? The answer is the features of SecureRandom are less than Random class. This is a common dilemma for secure programming since the features of the software and the security level usually opposite each other [3]. Figure 6. Secure Random Number refactoring

3.4. Storing Deleting Passwords

We know that in Java programming language String variable are immutable, it means we are not able to delete them from memory. This unique characteristic of Java String data type leads us to avoid using it for passwords because String passwords will stay in memory and vulnerable from snooping [10]. Even worse, if real memory runs low, the operating system might page this password String to the disk’s swap space. Therefore, it will be vulnerable to disk block snooping. The solution, although not a perfect solution, is by substituting the String passwords with Char arrays passwords. Figure 7 shows codes before and after applying the StoringDeleting Password Refactoring. The last line is needed in order to overwrite the value of PassKey variable in memory with fake value. Figure 7. Storing Deleting Password Refactoring

3.5. Smart Serialization

Java has ability to serialize object for storage or transmission. Unfortunately, since any private field also will be present in the stream during this process, sensitive data is vulnerable to snooping when objects are serialized [10]. We could use transient keyword to flag an attribute so that it will be skipped in the streaming. In Figure 8, the keyword transient was attached to the code after a Smart Serialization refcatoring. Figure 8. Smart Serialization Refactoring

3.6. Message Digest

Message Digest is a security feature that ensures the integrity of a message. Message digest use a message as input and generate a block of bits that represents the fingerprint of the message. Each small change in the message automatically will create a change in the fingerprint. Although using java.security.MessageDigest class is definitely easy and secure, however for easing programmers maintain their code security we would like to propose the refactoring which helps programmers for create their message digest. before refactoring String PassKey = “enter”; after refactoring char KeyInChar[ ] = {‘e’,’n’,’t’,’e’,’r’}; String PassKey = new StringKeyInChar; ………… after execution lines String PassKey = “fake passwords”; before refactoring A 11 A 12 A 13 A 21 A 22 A 23 A 31 A 32 A 33 after refactoring A 11 A 21 A 31 A 12 A 22 A 32 A 13 A 23 A 33 before refactoring private char KeyInChar[ ] = {‘e’,’n’,’t’,’e’,’r’}; after refactoring private transient char KeyInChar[ ] = {‘e’,’n’,’t’,’e’,’r’}; before refactoring import.java.util.random; Random generator = new Random ; int ran = generator.nextInt ; after refactoring import.java.security.SecureRandom; SecureRandom generator = new SecureRandom ; int ran = generator.nextInt ; Information and Communication Technology Seminar, Vol. 1 No. 1, August 2005 ISSN 1858-1633 2005 ICTS 98 In the code after a Message Digest refactoring of Figure 9, new code fragments for creating a message digest object and calculating the digest were inserted.

3.7. Convert Message with Private Key to Public Key

Dokumen yang terkait

Proceeding the 21 st National Congres Des 2011

0 0 11

Proceeding The Level of Understanding

0 0 10

9. Proceeding_The development of virtual math teaching

0 0 8

Proceeding The 4th International Seminar on Science Education

0 1 6

Abstract Proceeding the impact of developmental care

0 0 7

z Makalah Ini Disusun Untuk Memenuhi Tugas Mata Kuliah Kajian Kurikulum dan Buku Teks Dosen Pembimbing Annisa Ratnasari, MS.Ed.

0 0 22

KEPEMIMPINAN PENDIDIKAN UNTUK MENGEMBANG dan

0 0 18

THE 5 TH URECOL PROCEEDING MODEL KEBIJAK

0 2 13

SIMPLE PROOF CONCEPT IN THE PROCEEDING OF BANKCRUPTCY

0 0 16

The Proceeding of 3'o lnternational Nursing Conference

0 0 29