Newsletter sign-up
View all newsletters

Enterprise Java Newsletter
Stay up to date on the latest tutorials and Java community news posted on JavaWorld

Sponsored Links

Optimize with a SATA RAID Storage Solution
Range of capacities as low as $1250 per TB. Ideal if you currently rely on servers/disks/JBODs

JavaWorld.com > Java Development Tools >

Signed and sealed objects deliver secure serialized content

Protect information with the SignedObject and SealedObject classes

By Todd Sundsted, JavaWorld.com, 11/17/00

  • Print
  • Feedback
.
A developer building an application will encounter many situations in which he or she will want to protect the integrity and/or contents of a serialized object as it is transferred over or stored on untrusted media. Consider a distributed application in which a set of loosely coupled servers must serve a legion of mobile clients -- clients that can connect to and disconnect from any one of the servers at any time. When the servers' state is not synchronized or cannot be kept synchronized, the clients must assist with the state maintenance. If the transactions the clients engage in span more than one connection with more than one server, the client must maintain a state that contains the information necessary to reestablish transaction context with each server. If the clients, their users, or the underlying transmission and storage media cannot preserve the stored state's integrity, the servers must take specific steps to guarantee that the state information they store on the client is protected.

The example above is not unique. Client-side wallet applications, mobile agent applications, and many kinds of mobile computing applications face the same challenges. This month, I will show you how to protect the contents of serialized objects when they traverse or reside on untrusted media. This information will better prepare you for designing and building distributed applications, especially those that use Java serialization to store state information.

The two players

The Java security package java.security and the Java Cryptography Extension (JCE) package javax.crypto contain a pair of classes designed to address these challenges. These classes protect the integrity and/or content of serialized objects that spend time in an untrusted environment. Before delving into the details of usage and implementation, let's take a look at the two classes and the differences between them.

The SignedObject class

Included in the java.security package along with the classes it depends upon, the SignedObject class makes up part of the Java 2 Platform, Standard Edition.

An instance of the SignedObject class acts as a wrapper around an instance of another class. A SignedObject instance contains the serialized representation of the wrapped object, along with the signature information necessary to validate the wrapped object's authenticity and integrity.

Three conditions must be met to create a SignedObject instance:

  1. The wrapped class must be serializable. The SignedObject instance operates by transforming an instance of a class into a serialized byte stream and then signing that byte stream.
  2. The constructor requires the signer's private key. The Signature class presumes the use of a public/private key pair, even in situations in which a shared secret key would suffice for the wrapped object's authentication and verification.
  3. The constructor requires a signature-generation engine, represented by an instance of the Signature class.


With these stipulations satisfied, the programmer creates an instance of the SignedObject class as follows: 

  Serializable serializable = ...
  PrivateKey privatekey = ...
  Signature signature =...
  SignedObject signedobject = new SignedObject(serializable, privatekey, 
signature);


Once a SignedObject instance has been created or reconstituted from a stream of bytes, the verify() method checks the wrapped object's integrity and the purported signer's authenticity, as shown below: 

  boolean bl = signedobject.verify(publickey, signature);


The verify() method requires a signature engine and the public key associated with the private key that signed the object.

The getObject() method retrieves the wrapped object, as this code illustrates: 

  signedobject.getObject()


There is one important caveat. You can obtain the wrapped object without first verifying the sender's authenticity or the message's integrity. If you're concerned about these issues, always remember to verify the wrapped object first.

The SealedObject class

Unlike the SignedObject class, the SealedObject class is not included in the Java 2 Platform. Instead, JCE, one of Sun's standard extensions to the Java Platform, incorporates the class.

Like a SignedObject instance, a SealedObject instance acts as a wrapper around an instance of another class. It contains an encrypted version of the wrapped object's serialized representation. This signifies the most important difference between the two classes. With the SignedObject class, you can recover the contents of the wrapped object without the signer's public key. With the SealedObject class, even that much is impossible. Nothing can tamper with or examine the wrapped object, and you can verify the authenticity of the sender as well.

The following conditions are required to create a SealedObject instance:

  • First, as was the case with the SignedObject class, the class being wrapped must be serializable.
  • Second, the constructor requires a cryptographic cipher to seal the object. An instance of the Cipher object represents the cipher.


Create an instance of the SealedObject class as follows: 

  Serializable serializable = ...
  Cipher cipher = ...
  SealedObject sealedobject = new SealedObject(serializable, cipher);


Once a SealedObject instance has been created or reconstituted from a stream of bytes, the getObject() method retrieves the wrapped object: 

  // Any one of the following will work.  Note the additional
  //  Cipher or Key parameter.
  sealedobject.getObject(cipher);
  sealedobject.getObject(key);
  sealedobject.getObject(key, provider);


To summarize, the SignedObject class simply signs the contents of the wrapped object. The signature allows others to authenticate the purported sender's identity and to verify the contents' integrity. The SealedObject class goes one step further and actually encrypts the sealed contents to protect its meaning from prying eyes. However, to use it, you must move beyond the borders of the J2SE and install (and require all users to install) the JCE.

The code

The following examples demonstrate how to use these two classes in their native environment.

  • Print
  • Feedback