Re: Java encryption implementation
From: Brian McKeever (brian.mckeever_at_gmail.com)
Date: 11/27/05
- Next message: Unruh: "Re: every number has its own significance....."
- Previous message: Lars Schoening: "Re: Java encryption implementation"
- In reply to: (deleted message) Sebastian Gottschalk: "Re: Java encryption implementation"
- Next in thread: Sebastian Gottschalk: "Re: Java encryption implementation"
- Reply: (deleted message) Sebastian Gottschalk: "Re: Java encryption implementation"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 27 Nov 2005 11:53:00 -0800
Sebastian Gottschalk wrote:
> Besides that, the class itself is insecure as hell. One can easily extend
> it, serialize everything and either extract the password from the
> bytestream or deserialize it into public variables. Not to mention that by
> calling encrypt() with an empty byte[] and false moves the password to
> seed, therefore allowing to easily extract the password as initial seed
> value.
What's the threat model in which this is significant? The attacker not
only gets to load executable code, but gets to replace one
implementation with another? A few "final"s and "private"s aren't going
to help with that.
Brian
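To make the leak Sebastian describes concrete, here is an added example; it is not the class under discussion (whose source is not on this page) but a hypothetical stand-in with a private final password field. It shows the two facts the thread turns on: default Java serialization writes a String field as modified UTF-8, so the password bytes appear verbatim in the stream of any Serializable holder; and code already running in the same JVM can read the private field through reflection regardless of private and final, which is Brian's point. The names Cipherish, serialize, readPrivateField and the sample password are assumptions made for this illustration.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.lang.reflect.Field;
import java.nio.charset.StandardCharsets;

public class PasswordLeakDemo {

    // Hypothetical stand-in for the encryption class under discussion (not the
    // original poster's code): a password kept in a private final field of a
    // Serializable class.
    static final class Cipherish implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String password;

        Cipherish(String password) {
            this.password = password;
        }
    }

    // Produce the object's default serialized form.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Locate a byte pattern inside a byte array; -1 if absent.
    static int indexOf(byte[] haystack, byte[] needle) {
        outer:
        for (int i = 0; i + needle.length <= haystack.length; i++) {
            for (int j = 0; j < needle.length; j++) {
                if (haystack[i + j] != needle[j]) {
                    continue outer;
                }
            }
            return i;
        }
        return -1;
    }

    // Read a private String field directly; 'private' only restricts the
    // compiler's access checks, not a co-resident class using reflection.
    static String readPrivateField(Object o, String name) throws ReflectiveOperationException {
        Field f = o.getClass().getDeclaredField(name);
        f.setAccessible(true);
        return (String) f.get(o);
    }

    public static void main(String[] args) throws Exception {
        String secret = "correct horse battery staple";   // constructed sample password
        Cipherish c = new Cipherish(secret);

        // 1. Default serialization: the String field is written as modified
        //    UTF-8 (identical to ASCII here), so the password is in the stream.
        byte[] stream = serialize(c);
        int at = indexOf(stream, secret.getBytes(StandardCharsets.UTF_8));
        System.out.println("password found in serialized stream at offset " + at);

        // 2. Reflection: the same in-process attacker does not need the
        //    serialization detour at all.
        System.out.println("password via reflection: " + readPrivateField(c, "password"));
    }
}
```

The usual fix for the serialization leak is to mark the field transient or to have a writeObject method throw NotSerializableException; that stops the accidental disclosure through a serialized copy, but, as the reflection call shows, it does nothing against an attacker who can already load code into the JVM, which is the threat model Brian is asking about.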