Oracle database as we discuss it, or you can execute all the SQL code at the end before we do the phase
two tests.
Java Code for Secret Password Encryption
We are returning to add code to and edit the OracleJavaSecure class that we introduced in the last
chapter. This class will form the core of all our security processes on both the client and the Oracle
database. You will benefit from opening OracleJavaSecure.java and referring to the full code listing as we
progress through this section. We will replace the OracleJavaSecure class in the Oracle database, then
compile and run the updated code on our client computer when we get to the end of the chapter and do
some testing.
Sharing the Artifacts of a Secret Password Key
There are several artifacts of DES password-based encryption (PBE) that must be shared between the client
and server in order to derive an identical encryption key and Cipher at each end. First, there is a
passphrase, which is known only to the two parties involved in the encrypted dialog.
There are two other artifacts that must be shared, but are often treated as constants in a specific
context: the salt and the iteration count. Fixing those two parameters as constants is a major
weakness. Vendors will often obfuscate (make hidden) their code in order to hide those values, but in PBE
the salt and iteration count were never designed to be secret, so obfuscation is a poor substitute for
varying them. Any hacker who recovers a fixed salt and iteration count has a leg up on decrypting your
data: the key for each candidate passphrase can be precomputed once and reused against every session that
shares those constants. A salt that changes per session makes that precomputation worthless. Keep in mind
as well that single DES uses a 56-bit key, which is within reach of brute force today; the per-session
artifact scheme described here applies unchanged to a stronger PBE algorithm.
Our plan is to generate all three artifacts so that they differ for each session. We will use a
SecureRandom instance to generate a random iteration count and a random salt. We will also generate a
maximum-length passphrase from random printable characters.
Generating the Password and Artifacts
While we're on the subject, let's see how we generate these artifacts. We do it in the
makeSessionSecretDESPassPhrase() method, the code for which is shown in Listing 6-1.
Listing 6-1. Generating DES Password Artifacts makeSessionSecretDESPassPhrase()
private static SecureRandom random = new SecureRandom();
private static final int SALT_LENGTH = 8;
private static int maxPassPhraseBytes;
private static char[] sessionSecretDESPassPhraseChars = null;
private static byte[] salt;
private static int iterationCount;
private static void makeSessionSecretDESPassPhrase() {
    // Pass Phrase, Buffer size is limited by RSACipher class (on Oracle JVM)
    // Max size of data to encrypt is equal to the key bytes minus padding
    // (key.bitlength/8)-PAD_PKCS1_LENGTH (11 Bytes)
    // keyLengthRSA holds the RSA key size in bits (a field declared elsewhere in the class)
    maxPassPhraseBytes = ( keyLengthRSA/8 ) - 11;
    sessionSecretDESPassPhraseChars = new char[maxPassPhraseBytes];
    for( int i = 0; i < maxPassPhraseBytes; i++ ) {
        // I want printable ASCII characters for PassPhrase:
        // nextInt(126 - 32) + 32 yields codes 32 (space) through 125 ('}')
        sessionSecretDESPassPhraseChars[i] =
            ( char )( random.nextInt( 126 - 32 ) + 32 );
    }
    // The random salt and iterationCount are generated next, from the same SecureRandom
}
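The following Python is an added example, not code from the book or from OracleJavaSecure; it mirrors the
artifact generation in Listing 6-1 (passphrase length of key bytes minus the 11-byte PKCS#1 v1.5 overhead,
printable ASCII 32..125, 8-byte salt, random iteration count) and then derives the DES key and IV on both
ends with PKCS#5 PBKDF1 over MD5, the derivation Java's PBEWithMD5AndDES performs internally. The
iteration-count range, the "vendor constant" fixed salt and the dictionary of weak passphrases are
constructed assumptions; Python's `secrets`/`os.urandom` stand in for SecureRandom. The second half shows
why a fixed salt is a weakness: a table precomputed once under the constant salt cracks a weak passphrase,
while a fresh salt defeats the same table.

```python
import hashlib
import os
import secrets

# Constants taken from the listing's comment and field declarations
PKCS1_PAD_LENGTH = 11    # PKCS#1 v1.5 padding overhead in bytes
SALT_LENGTH = 8          # PBKDF1 (PBEWithMD5AndDES) uses an 8-byte salt
DES_KEY_LENGTH = 8
DES_IV_LENGTH = 8

_rng = secrets.SystemRandom()   # CSPRNG, playing the role of SecureRandom


def max_passphrase_bytes(rsa_key_bits):
    """Largest plaintext one RSA/PKCS#1 v1.5 block of this key size can hold:
    (key.bitlength/8) - 11, as in the listing's comment."""
    return rsa_key_bits // 8 - PKCS1_PAD_LENGTH


def make_session_artifacts(rsa_key_bits, min_iterations=1000, max_iterations=2000):
    """Client side: fresh passphrase, salt and iteration count for one session.
    The passphrase uses printable ASCII 32..125 exactly like the Java loop.
    The iteration-count range is an assumption; the book only says it is random."""
    length = max_passphrase_bytes(rsa_key_bits)
    passphrase = "".join(chr(_rng.randrange(32, 126)) for _ in range(length))
    salt = os.urandom(SALT_LENGTH)
    iteration_count = _rng.randrange(min_iterations, max_iterations + 1)
    return passphrase, salt, iteration_count


def pbkdf1_md5(passphrase, salt, iteration_count, dk_len=16):
    """PKCS#5 PBKDF1 with MD5 (RFC 8018, section 5.1):
    T1 = MD5(P || S), Ti = MD5(T(i-1)), DK = leftmost dk_len bytes of Tc."""
    if iteration_count < 1:
        raise ValueError("iteration count must be at least 1")
    if dk_len > hashlib.md5().digest_size:
        raise ValueError("PBKDF1 cannot derive more bytes than the hash outputs")
    t = hashlib.md5(passphrase.encode("ascii") + salt).digest()
    for _ in range(iteration_count - 1):
        t = hashlib.md5(t).digest()
    return t[:dk_len]


def des_key_and_iv(passphrase, salt, iteration_count):
    """Split the 16 derived bytes as PBEWithMD5AndDES does: 8-byte DES key, 8-byte IV."""
    dk = pbkdf1_md5(passphrase, salt, iteration_count, DES_KEY_LENGTH + DES_IV_LENGTH)
    return dk[:DES_KEY_LENGTH], dk[DES_KEY_LENGTH:]


def precompute_table(candidate_passphrases, salt, iteration_count):
    """Attacker's one-time work against a FIXED salt and count: derived key -> passphrase."""
    return {des_key_and_iv(p, salt, iteration_count)[0]: p for p in candidate_passphrases}


def demo(rsa_key_bits=1024):
    # 1. Client generates all three artifacts; the server, having received them
    #    (RSA-encrypted in the book's design), derives the identical key and IV.
    passphrase, salt, count = make_session_artifacts(rsa_key_bits)
    client_key, client_iv = des_key_and_iv(passphrase, salt, count)
    server_key, server_iv = des_key_and_iv(passphrase, salt, count)

    # 2. Why a fixed salt is a weakness: a constructed dictionary of weak
    #    passphrases, derived once under the constant salt, recovers the
    #    passphrase of any session using that salt. A fresh salt makes the
    #    same table miss.
    fixed_salt = b"\x00" * SALT_LENGTH        # constructed "vendor constant"
    fixed_count = 1000
    dictionary = ["password1", "letmein", "oracle", "secret"]
    table = precompute_table(dictionary, fixed_salt, fixed_count)
    weak = "password1"
    fixed_salt_hit = table.get(des_key_and_iv(weak, fixed_salt, fixed_count)[0])
    fresh_salt_hit = table.get(des_key_and_iv(weak, os.urandom(SALT_LENGTH), fixed_count)[0])

    return {
        "passphrase_length": len(passphrase),
        "passphrase_is_printable": all(32 <= ord(c) <= 125 for c in passphrase),
        "salt_length": len(salt),
        "iteration_count": count,
        "server_matches_client": (client_key, client_iv) == (server_key, server_iv),
        "fixed_salt_hit": fixed_salt_hit,
        "fresh_salt_hit": fresh_salt_hit,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The passphrase produced here already has far more entropy than the 56-bit DES key it protects, so the
dictionary attack in the demo only matters when the passphrase is weak; the point of varying the salt is
that the attacker's precomputation can never be amortized across sessions, whatever the passphrase quality.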