Java Reference
In-Depth Information
Download the zip file into the location of your choice and unpack it. If you're using the
J2ME Wireless Toolkit, just drop the
midp_classes.zip
file (extracted from your Bouncy Castle
lightweight API for J2ME download) into the
lib
directory of your project. You can go ahead
and write MIDlets that use the Bouncy Castle packages.
Protecting Passwords with a Message Digest
Having installed the Bouncy Castle cryptography package, try a simple example involving
authentication. Computer systems often use passwords instead of digital signatures (or certif-
icates) because they're so much easier. A password is a
shared secret
, which means that you
know it and the server knows it, but nobody else should know it.
WHAT IF SOMEONE STEALS YOUR PHONE?
For convenience, an application will probably store your password in persistent storage. This is a conscious
trade-off of security for usability. The user never enters a password, but the password is available in device
storage, vulnerable to theft by other applications on the device. Furthermore, if someone steals the device
itself, that person will be able to use the application without being challenged for a password.
JSR 177, Security and Trust Services for J2ME (
http://jcp.org/en/jsr/detail?id=177
), will
address these concerns by providing an API to secure storage, among other things.
The Problem with Passwords
The problem with passwords is that you don't want to send them over an insecure network.
Imagine, for example, that your MIDlet requires the user to sign on to a server using a user
name and password. On the MIDP device, you key in your user name and password, and then
click the button to send the information up to the server. Unfortunately, your data is sent as
plaintext in some HTTP request. Anybody snooping on the network can easily lift your password.
Using a Message Digest
Message digests provide a way to solve this problem. Instead of sending a password as plain-
text, you create a message digest value from the password and send that instead. An attacker
could just steal the digest value, of course, so you add some other stuff to the digest as well so
that only the server, knowing the password, can re-create the same digest value. Figure 18-1
shows the process.
Figure 18-1.
Protecting a password with a message digest
Search WWH ::
Custom Search