IL150933A - Method, apparatus and computer program product for providing security of java objects - Google Patents
Method, apparatus and computer program product for providing security of java objectsInfo
- Publication number
- IL150933A IL150933A IL150933A IL15093302A IL150933A IL 150933 A IL150933 A IL 150933A IL 150933 A IL150933 A IL 150933A IL 15093302 A IL15093302 A IL 15093302A IL 150933 A IL150933 A IL 150933A
- Authority
- IL
- Israel
- Prior art keywords
- java
- server
- client
- digest
- secure authentication
- Prior art date
Links
- 238000000034 method Methods 0.000 title claims description 16
- 238000004590 computer program Methods 0.000 title claims description 7
- 238000004364 calculation method Methods 0.000 claims description 8
- 244000035744 Hura crepitans Species 0.000 description 3
- 239000012634 fragment Substances 0.000 description 3
- 238000004891 communication Methods 0.000 description 2
- 238000011156 evaluation Methods 0.000 description 2
- 238000007726 management method Methods 0.000 description 2
- 244000046052 Phaseolus vulgaris Species 0.000 description 1
- 235000010627 Phaseolus vulgaris Nutrition 0.000 description 1
- 238000004422 calculation algorithm Methods 0.000 description 1
- 239000003795 chemical substances by application Substances 0.000 description 1
- 238000013500 data storage Methods 0.000 description 1
- 238000010586 diagram Methods 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 239000000463 material Substances 0.000 description 1
- 238000001028 reflection method Methods 0.000 description 1
Landscapes
- Storage Device Security (AREA)
Description
METHOD, APPARATUS, AND COMPUTER PROGRAM PRODUCT FOR PROVIDING SECURITY OF JAVA OBJECTS numn mom -mm 150933/3 Method, apparatus, and computer program product for providing security of Java objects Copyright Notice A portion of the disclosure of this patent document contains material, which is subject to copyrights protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure as it appears in the Patent and Trademark Office patent file or records, but otherwise reserves all copyrights rights whatsoever.
Field of the Invention The present invention generally relates to computer systems, and more particularly, to methods and apparatuses, which provide secure connections between Java programs and an outer environment. That includes: Internet security, Intellectual property & Digital content protection, Preview systems (Product display) , DR - Digital right management, as well as the protection of the Java program code (re-engineering protection/obfuscation) itself .
Description of the Related Art The Java™ technology was originally developed for use in developing and executing other computer programs on computers, computer networks, and global communication networks as well as for use in navigating, browsing, transferring information and distributing and viewing other computer programs on computers, computer networks, and global communication networks - "Internet", and providing hight level of security in its using. That is everything all right, and the Java Virtual Machine sandbox is very secure, with the exception of the Java program byte code is extreme easy for recompilation, which means the Java programs themselves are very vulnerable. E.g., a very smart Java algorithm can be unbreakable by itself, but the recompilation makes all this smartness almost unhelpful. The common solution is the using of an external (to Java program) password. It is securing enough, but requires additional efforts - plug-ins if the JVM is inside of a browser or licensing for the stand-alone Java applications.
The proposed solution is a reasonable workaround for the reducing of the aforementioned difficulties.
Summary of the Invention To achieve the objectives of this invention there is provided a method of the secure authentication for a Java object running in a Java Virtual Machine. The method comprises: loading a Java class from the outer environment to a byte array; defining a Java object from a loaded byte array; running the defined Java object as a Java program; and calculation the secure ID (digest) so it can't be visible outside the JVM. In this way, the security of Java objects is guaranteed by the security of the JVM sandbox. This leads to the possibility of use Java program for secure auto-authentication . 150933/3 The novelty of the invention consists in the use of the internal properties of Java object (bean properties or reflection, class file, and source file properties, the JVM parameters , etc.) for calculating the digest of the Java object as a "password", and it is based on what, from one side, the Java object can be extremely easily decompiled, so to hide predefined password inside it is impossible, and with another side on the impossibility of absolutely precise decompilation of the original Java source code which indicates the theoretical impossibility to restore the digest.
According to one aspect of the invention, this method implemented for Java applets, provides the secure connection between the applet as a client and a remote data storage as a server. This allows using the method for the secure preview of digital data.
According to another aspect of the invention there is provided a method of an auto-authentication of Java programs and that leads to the possibility of using the said method for providing code protection of Java programs themselves .
Furthermore, the method provides also the possibility to protect from decompilation the code of Java applet (and a stand-alone application, of course) when implemented to class file of the said applet as a digital content .
As a result of this invention the following is achieved: reduced the step of registration for customer as a result of the auto-authentication; reduced the step of a licensing for evaluation of the Java application; improved client security as a result of the aforementioned; and improved the Java client, both an applet and an application, obfuscation (protection from reverse engineering) .
Brief Description of the Figures The above objectives and advantages of the present invention will become more apparent by describing in the detail preferred embodiments thereof with reference to the attached drawings in which: Fig. 1 is a general representation of Java object work-flow and the calculation of the secure authentication ID (digest) ; Fig. 2 is a fragment of Java program calculating of the secure ID (digest); Fig. 3 shows a fragment of Java program trying to steal" the secure ID; Fig. 4 and 5 show unsuccessful attempts to break the method with various hacker attacks (decompilation, "doctored" ClassLoader, etc.) Detailed Description of the Preferred Embodiment Referring to Fig. 1 there is represented a Java class file 1001. Such class file is typically *.class file or a part (entry) of *.jar file placed either on a local machine on a remote server (web) . The work-flow of loading of Java program from class file to JVM and then running it is representing as steps 1002, 1003, 1004, and 1005 in Fig. 1. The calculation of secure authentication ID (or digest) comprises the control transfer from JVM to Java program 1006 and calculation itself 1007. The calculated ID then is sent via secure connection 1008 to server for approving 1009. After that, the server either sends response to the Java program 1010 or treats it by itself 1011. Due to security of the JVM sandbox, direct interaction between 150933/3 JVM and outer environment including any attempts to break secure ID are impossible 1012.
Fig. 2 shows the fragment of Java program calculating the digest or secure authentication ID via calculation of the general digest from the specific digests: the lines 2003-2010. The first and the second digests use the reflection methods: the lines 2012-2023 and 2025-2037, correspondingly, the third digest uses the serialization of the said Java class: the lines 2039-2046, and the last digest analyzes the external parameters of JVM: the lines 2048-2056. The other code is not relevant to the described method.
With reference to Fig. 3, a number attempts of stealing of the Client secure ID are shown at the lines 3005-3013. When "hacker" try to "steal" the Client object either with a "doctored" (modified, so it can dump the loaded Java class) ClassLoader, the lines 3015-3031 or with the Remote Profiler Agent: lines 3033-3048, he has an "attacked" copy of the aforementioned Client object only. It follows that digestl÷N at the lines 3007-3011 are not the same as original digests at the lines 2004÷2008 of Fig. 2 due to the necessary difference between the said copies and the original object.
Fig. 4 and 5 are flow diagrams representing attempts of the decompiling - (Fig. 4), and Fig. 5. - with the use of a "doctored" (modified) ClassLoader, and the "direct" attack, that is the attempt to launch "attacked" Java class with the Java "attacker". Again, the client class 4003 and "stolen" class 4011 are different by virtue of the impossibility of the authentic decompilation, and the comparison 4007 of the calculated digests 4006, 4014 easily show the difference. In a similar manner, the client class 5003 loaded with "doctored" (modified) ClassLoader 5008 get the different digest 5010, not equal to 5006, and the "attacked" class 5013 after loading to JVM 5015 will calculate the different digest 5016, because the "attacked" Java class analyzes both the ClassLoader and the calling objects (see Fig. 2) .
Briefly saying, any external "attack" disturbs the "attacked" Java object and changes the digest, and so the said Java object is automatically preserved from the "stealing" .
Conclusion In summary there is described a method relating to the Secure Authentication of Java objects and to the Intellectual Property protection systems as well as to the Digital Right Management systems . The code of Java program serves as the secret ID to authenticate itself to the server, to provide delivering the digital content (including Java code itself as a content) available for customer for the preview and the evaluation.
Claims (5)
1. A method for a secure authentication of a Java object (as a client) via a Java virtual machine and a web browser and a web server or a local computer (as a server) , the method comprising the steps of: loading a Java class file for the client from the server (from the web site or from the local file system) to a byte array; defining the Java class from the loaded byte array; starting the Java client object; calculation of the secure authentication ID (digest) of the said Java object, comprising in its turn the calculation of: - the digest of the said Java object itself via reflection of the said Java object as well as the serialization of the said Java object (parsing and analysis of the Java class file) ; the digests of the external objects, including the system ClassLoader, the JVM parameters, and the digests of the calling Java objects (if any) ; - and, finally, the calculation of the general digest of the aforementioned entities ; creating the secure connection between the Java client and the server; and approving the secure authentication ID by the server.
2. An apparatus for the secure authentication of the Java object (as a client) via Java virtual machine and a web browser and a web server or a local computer (as a server), the apparatus comprising: means for loading the Java class file for the client from the server; means for storing the Java class byte array of the client in the Java virtual machine; means for defining the Java class from the loaded byte array; means for calculating the secure authentication ID (digest) for the said Java object; means for creating a connection between the Java client and the server; means for approving the secure authentication ID by the server.
3. The apparatus of claim 2 wherein the means for calculating the secure authentication ID (digest) from the Java object, includes: means for executing, in response to loaded main Java class, the Java program in the corresponding Java virtual machine thread; and means for calculating, via the serialization and the reflection of the said Java object as well as the analysis of the external objects, including the system ClassLoader, the JVM parameters, and the calling Java objects (if any) , the secure authentication ID (digest) .
4. A computer program product comprising: a computer readable usable medium having computer readable program code means embodied in the medium for providing a security of a Java object, using a Java virtual machine, the computer readable program code means including: 150933/3 means for storing a Java class file for the client on the server; means for loading said the Java class from the server to the JVM; means for defining a Java object according to the loaded Java class; means for running a Java program corresponding to said Java object; means for calculating, using the serialization, Java reflection tools and analysis of external objects, the secure authentication ID (digest) ; and means for approving the calculated secure authentication ID (digest) via client-server secure connection.
5. The computer program product of claim 4 wherein the means for calculating the secure authentication ID, includes: means for executing, in response to loaded main Java class, the Java program in the corresponding Java virtual machine thread; and means for calculating, via the serialization , and the reflection of the said Java object as well as the analysis of the external objects, including the system ClassLoader, the JVM parameters, and the calling Java objects (if any) , the secure authentication ID (digest) . November 16, 2008 Yury Benders ky
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| IL150933A IL150933A (en) | 2002-07-28 | 2002-07-28 | Method, apparatus and computer program product for providing security of java objects |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| IL150933A IL150933A (en) | 2002-07-28 | 2002-07-28 | Method, apparatus and computer program product for providing security of java objects |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| IL150933A0 IL150933A0 (en) | 2003-02-12 |
| IL150933A true IL150933A (en) | 2009-09-22 |
Family
ID=29596371
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| IL150933A IL150933A (en) | 2002-07-28 | 2002-07-28 | Method, apparatus and computer program product for providing security of java objects |
Country Status (1)
| Country | Link |
|---|---|
| IL (1) | IL150933A (en) |
-
2002
- 2002-07-28 IL IL150933A patent/IL150933A/en active IP Right Grant
Also Published As
| Publication number | Publication date |
|---|---|
| IL150933A0 (en) | 2003-02-12 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11704389B2 (en) | Controlling access to digital assets | |
| EP1342149B1 (en) | Method for protecting information and privacy | |
| US6330670B1 (en) | Digital rights management operating system | |
| US7991995B2 (en) | Method and apparatus for protecting information and privacy | |
| US7302709B2 (en) | Key-based secure storage | |
| US6108420A (en) | Method and system for networked installation of uniquely customized, authenticable, and traceable software application | |
| US8510861B2 (en) | Anti-piracy software protection system and method | |
| EP1443381B1 (en) | System and method for secure software activation with volume licenses | |
| US7174457B1 (en) | System and method for authenticating an operating system to a central processing unit, providing the CPU/OS with secure storage, and authenticating the CPU/OS to a third party | |
| CN101802833B (en) | Local stores service is provided to the application run in application execution environment | |
| US6327652B1 (en) | Loading and identifying a digital rights management operating system | |
| CN101156166A (en) | System and method for using machine attributes to deter software piracy in an enterprise environment | |
| US20050060549A1 (en) | Controlling access to content based on certificates and access predicates | |
| US7080249B1 (en) | Code integrity verification that includes one or more cycles | |
| US8103592B2 (en) | First computer process and second computer process proxy-executing code on behalf of first process | |
| US7197144B1 (en) | Method and apparatus to authenticate a user's system to prevent unauthorized use of software products distributed to users | |
| US20050246285A1 (en) | Software licensing using mobile agents | |
| IL150933A (en) | Method, apparatus and computer program product for providing security of java objects | |
| HK1027178A (en) | Method and system for networked installation of uniquely customized, authenticable, and traceable software applications |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| FF | Patent granted |