6 Replies Latest reply: May 30, 2012 8:19 AM by 937672

    Secure way to obtain host address

    937672
      I'm doing a simple RMI project that guarantees a secure communication between a server and client residing on different computers.

      So, for communication, I thought of using RMISocketFactory, with an SSLSocket.

      My problem resides in obtaining the host address, I don't want it hard-coded in my program.

      What secure ways do I have for obtaining a host address?

      Encrypt in a text file and read from it?

      Regards, Nuno.
        • 1. Re: Secure way to obtain host address
          796440
          > What secure ways do I have for obtaining a host address?
          >
          > Encrypt in a text file and read from it?
          Yes, but only if a person has to provide the password to decrypt the file every time the program starts. Otherwise, you have to hardcode the password in the app, and if you're going to do that, you might as well just hardcode the password.

          Another alternative would be to put the address in a plain text file, but make that file readable only by the user id that runs the app.

          It's impossible to know whether any particular solution is viable for you however, without knowing the details of your requirements and constraints.
          • 2. Re: Secure way to obtain host address
            EJP
            There's not much to be lost by leaking the host address. I assume you are talking about the server host address here. An attacker would still need:

            1. The RMI Registry lookup name
            2. Your remote interface .class, and all the classes it depends on, recursively to closure, with matching serialVersionUIDs in the case of the Serializable objects
            3. To know how to call it and in what sequence
            4. If you use a security manager at the server, a client host address for which a SocketPermission 'accept' exists in the server's security policy, and
            5. If you use client authentication, a client certificate that is acceptable to the server.
            • 3. Re: Secure way to obtain host address
              937672
              Hi,

              Sorry for not being precise enough.

              My problem resides on the client side and how he gets the server's address, the one he uses for lookup.

              EJP, so I could just read it from a file (in case the server changes address) and use a security manager? That would be enough?

              Thanks!

              Edited by: Nuno Miguel Santos on 30/Mai/2012 1:39
              • 4. Re: Secure way to obtain host address
                gimbal2
                Nuno Miguel Santos wrote:
                > EJP, so I could just read it from a file (in case the server changes address) and use a security manager? That would be enough?
                Perhaps you could use some weak encryption on the file just so the host name is not plain text. Creating grand protection schemes is futile so don't waste your time there, but at least do the minimal effort to hide your stuff :)
                • 5. Re: Secure way to obtain host address
                  EJP
                  If you want security, use SSL with client authentication. It's secure. Self-invented schemes aren't, almost by definition.
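As an added example (not code from this thread), the two pieces of advice above combined: the server exports over SSL with client authentication required, and the client reads the server host from a plain-text file that it refuses to use unless only the running user can read it. The `Hello` interface, the registry name `"Hello"`, the config path and the use of the standard `javax.net.ssl.*` system properties for keystore/truststore are assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;
import java.util.Set;
import javax.rmi.ssl.SslRMIClientSocketFactory;
import javax.rmi.ssl.SslRMIServerSocketFactory;

public class SecureRmiExample {
    // Hypothetical remote interface, only here to make the example complete.
    public interface Hello extends Remote {
        String greet(String name) throws RemoteException;
    }

    static class HelloImpl implements Hello {
        public String greet(String name) { return "Hello, " + name; }
    }

    // Server side: SSL transport, and needClientAuth=true (third constructor
    // argument) so a client without an acceptable certificate is rejected
    // during the handshake. Keystore/truststore come from javax.net.ssl.*.
    static void startServer(int port) throws Exception {
        SslRMIClientSocketFactory csf = new SslRMIClientSocketFactory();
        SslRMIServerSocketFactory ssf = new SslRMIServerSocketFactory(null, null, true);
        Hello stub = (Hello) UnicastRemoteObject.exportObject(new HelloImpl(), 0, csf, ssf);
        Registry registry = LocateRegistry.createRegistry(port, csf, ssf);
        registry.bind("Hello", stub);
    }

    // Client side: the host lives in a plain-text file (no hard-coding), but the
    // file must be readable only by the user running the client (POSIX perms).
    static String readServerHost(Path configFile) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(configFile);
        if (perms.contains(PosixFilePermission.GROUP_READ)
                || perms.contains(PosixFilePermission.OTHERS_READ)) {
            throw new IOException("refusing " + configFile + ": readable by group/others");
        }
        return Files.readString(configFile).trim();   // Java 11+
    }

    // Lookup over SSL; the client presents its own certificate from the keystore.
    static String callServer(String host, int port) throws Exception {
        Registry registry = LocateRegistry.getRegistry(host, port, new SslRMIClientSocketFactory());
        return ((Hello) registry.lookup("Hello")).greet("Nuno");
    }
}
```

Run the client with `-Djavax.net.ssl.keyStore=...` and `-Djavax.net.ssl.trustStore=...` pointing at the client's certificate and the CA that issued the server's; the server needs the mirror-image settings.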
                  • 6. Re: Secure way to obtain host address
                    937672
                    Thank you for your help :)