This discussion is archived
6 Replies Latest reply: May 30, 2012 6:19 AM by 937672

Secure way to obtain host address

937672 Newbie
I'm doing a simple RMI project that guarantees a secure communication between a server and client residing on different computers.

So, for communication, I thought of using RMISocketFactory, with an SSLSocket.

My problem resides in obtaining the host address; I don't want it hard-coded in my program.

What secure ways do I have for obtaining a host address?

Encrypt in a text file and read from it?

Regards, Nuno.
  • 1. Re: Secure way to obtain host address
    796440 Guru
    > What secure ways do I have for obtaining a host address?
    >
    > Encrypt in a text file and read from it?

    Yes, but only if a person has to provide the password to decrypt the file every time the program starts. Otherwise, you have to hardcode the password in the app, and if you're going to do that, you might as well just hardcode the password.

    Another alternative would be to put the address in a plain text file, but make that file readable only by the user id that runs the app.

    It's impossible to know whether any particular solution is viable for you however, without knowing the details of your requirements and constraints.
  • 2. Re: Secure way to obtain host address
    EJP Guru
    There's not much to be lost by leaking the host address. I assume you are talking about the server host address here. An attacker would still need:

    1. The RMI Registry lookup name
    2. Your remote interface .class, and all the classes it depends on, recursively to closure, with matching serialVersionUIDs in the case of the Serializable objects
    3. To know how to call it and in what sequence
    4. If you use a security manager at the server, a client host address for which a SocketPermission 'accept' exists in the server's security policy, and
    5. If you use client authentication, a client certificate that is acceptable to the server.
  • 3. Re: Secure way to obtain host address
    937672 Newbie
    Hi,

    Sorry for not being precise enough.

    My problem resides on the client side and how he gets the server's address, the one he uses for lookup.

    EJP, so I could just read it from a file (in case the server changes address) and use a security manager? That would be enough?

    Thanks!

    Edited by: Nuno Miguel Santos on 30/Mai/2012 1:39
  • 4. Re: Secure way to obtain host address
    gimbal2 Guru
    Nuno Miguel Santos wrote:
    > EJP, so I could just read it from a file (in case the server changes address) and use a security manager? That would be enough?

    Perhaps you could use some weak encryption on the file just so the host name is not plain text. Creating grand protection schemes is futile so don't waste your time there, but at least do the minimal effort to hide your stuff :)
  • 5. Re: Secure way to obtain host address
    EJP Guru
    If you want security, use SSL with client authentication. It's secure. Self-invented schemes aren't, almost by definition.
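
Added example, not code from any poster in this thread: an RMI client that reads the server address from a plain properties file, with the security coming from SSL with client authentication as recommended in the reply above. The `Greeter` interface, the `greeter` lookup name and the `server.host`/`server.port` keys are hypothetical, and the keystore and truststore are assumed to be supplied through the standard `javax.net.ssl.*` system properties.

```java
import java.io.InputStream;
import java.nio.file.*;
import java.rmi.*;
import java.rmi.registry.*;
import java.rmi.server.UnicastRemoteObject;
import java.util.Properties;
import javax.rmi.ssl.*;

// Key material is passed at launch, never stored in code or beside the address, e.g.
//   -Djavax.net.ssl.keyStore=... -Djavax.net.ssl.keyStorePassword=...
//   -Djavax.net.ssl.trustStore=... -Djavax.net.ssl.trustStorePassword=...
public class SecureRmiExample {
    public interface Greeter extends Remote {          // hypothetical remote interface
        String greet(String name) throws RemoteException;
    }
    static class GreeterImpl implements Greeter {
        public String greet(String name) { return "hello " + name; }
    }
    // Strong references so the exported object and registry are not garbage collected.
    private static final GreeterImpl IMPL = new GreeterImpl();
    private static Registry registry;

    // Server: needClientAuth=true makes the registry and the object demand a client certificate.
    static void startServer(int port) throws Exception {
        SslRMIClientSocketFactory csf = new SslRMIClientSocketFactory();
        SslRMIServerSocketFactory ssf = new SslRMIServerSocketFactory(null, null, true);
        registry = LocateRegistry.createRegistry(port, csf, ssf);
        Greeter stub = (Greeter) UnicastRemoteObject.exportObject(IMPL, 0, csf, ssf);
        registry.rebind("greeter", stub);
    }
    // Client: the address is ordinary configuration; the TLS handshake is what is trusted.
    static String callServer(Path config) throws Exception {
        Properties p = new Properties();
        try (InputStream in = Files.newInputStream(config)) { p.load(in); }
        String host = p.getProperty("server.host");
        int port = Integer.parseInt(p.getProperty("server.port", "1099"));
        Registry r = LocateRegistry.getRegistry(host, port, new SslRMIClientSocketFactory());
        return ((Greeter) r.lookup("greeter")).greet("client");
    }
    public static void main(String[] args) throws Exception {
        if (args.length == 2 && args[0].equals("server")) {
            startServer(Integer.parseInt(args[1]));
        } else if (args.length == 2 && args[0].equals("client")) {
            System.out.println(callServer(Paths.get(args[1])));
        } else {
            System.err.println("usage: server <port> | client <properties-file>");
        }
    }
}
```

If the properties file is changed to point at another host, the handshake fails unless that host presents a certificate the client's truststore accepts, and the server rejects any client whose certificate it does not trust.
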
  • 6. Re: Secure way to obtain host address
    937672 Newbie
    Thank you for your help :)
