3

How can I secure the serialized object if I send the serialized object over the network? I doubt that hackers may interrupt/hack my data.

can anyone tell in detail about how to implement this?

user1514499
  • 742
  • 7
  • 26
  • 61

7 Answers

6

This presentation gives ideas on how effectively attackers can tamper with a Java serialized stream:

  1. https://www.owasp.org/images/e/eb/OWASP_IL_2008_Shai_Chen_PT_to_Java_Client_Server_Apps.ppt

There is also the risk of injecting unsuspected behavior and code in case a vulnerable class exists on the server's classpath. See this article:

Look-ahead Java deserialization

Pierre Ernst
  • 514
  • 3
  • 7
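The look-ahead technique the answer links to, as an added example (not code from the answer or the linked article): an ObjectInputStream subclass whose resolveClass refuses any class descriptor not on an allow-list, so the check happens before an instance of an unexpected class (and its readObject/readResolve) ever exists. The same policy is shown a second time with the JDK's own ObjectInputFilter API. The Order record, the class name LookAheadDemo and the sample payloads are assumptions made for the example; it assumes Java 17 or later (records, Set.of, setObjectInputFilter).

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Set;

public class LookAheadDemo {

    // Hypothetical message type the receiver expects (records deserialize through their canonical constructor).
    record Order(String account, long amountCents) implements Serializable {}

    /**
     * "Look-ahead" stream: resolveClass runs when a class descriptor is read, before any instance of that
     * class is created, so a class that is not on the allow-list is refused before any of its code can run.
     */
    static final class LookAheadObjectInputStream extends ObjectInputStream {
        private final Set<String> allowedClassNames;

        LookAheadObjectInputStream(InputStream in, Set<String> allowedClassNames) throws IOException {
            super(in);
            this.allowedClassNames = allowedClassNames;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!allowedClassNames.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "Unauthorized deserialization attempt");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Serializable value) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(value);
        }
        return bytes.toByteArray();
    }

    // Deserialize with the custom look-ahead stream (works on any JDK that has ObjectInputStream).
    static Object readWithLookAhead(byte[] bytes, Set<String> allowed) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new LookAheadObjectInputStream(new ByteArrayInputStream(bytes), allowed)) {
            return in.readObject();
        }
    }

    // Same policy expressed with the built-in filter API (JDK 9+; the pattern "Name;!*" allows Name and rejects the rest).
    static Object readWithJdkFilter(byte[] bytes, String filterPattern) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(ObjectInputFilter.Config.createFilter(filterPattern));
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Set<String> allowed = Set.of(Order.class.getName());   // "LookAheadDemo$Order"
        String filter = Order.class.getName() + ";!*";

        byte[] expected = serialize(new Order("acct-42", 1999));   // constructed sample input
        System.out.println("accepted: " + readWithLookAhead(expected, allowed));
        System.out.println("accepted: " + readWithJdkFilter(expected, filter));

        // Constructed stand-in for an attacker-chosen class: harmless here, but not on the allow-list.
        byte[] unexpected = serialize(new ArrayList<>(Set.of("payload")));
        try {
            readWithLookAhead(unexpected, allowed);
        } catch (InvalidClassException e) {
            System.out.println("rejected by look-ahead stream: " + e.classname);
        }
        try {
            readWithJdkFilter(unexpected, filter);
        } catch (InvalidClassException e) {
            System.out.println("rejected by JDK filter: " + e.getMessage());
        }
    }
}
```

The allow-list has to name every serializable class that can legitimately appear in the stream (including serializable superclasses and field types, which get their own descriptors); strings and primitives need no entry. A deny-list of known gadget classes is not a substitute, since it only covers the chains already published.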
4

java.crypto.SealedObject is what you are looking for.

user207421
  • 298,294
  • 41
  • 291
  • 462
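Added example of the class this answer points at (its actual package is javax.crypto, i.e. javax.crypto.SealedObject); this is not code from the answer. SealedObject serializes the object and encrypts the bytes with the Cipher you hand it, and on the other side getObject(Key) rebuilds the cipher from the parameters it stored and decrypts before deserializing. The example uses AES/GCM so that tampering is detected as well; the Order record, SealedObjectDemo and the sample values are assumptions, and it assumes Java 17 or later.

```java
import java.io.Serializable;
import java.security.GeneralSecurityException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SealedObject;
import javax.crypto.SecretKey;

public class SealedObjectDemo {

    // Hypothetical message type; anything handed to SealedObject must be Serializable.
    record Order(String account, long amountCents) implements Serializable {}

    /**
     * Sender side. AES/GCM gives confidentiality and integrity in one step; with a non-authenticated mode
     * such as AES/CBC anyone on the wire could alter the ciphertext without the receiver noticing.
     */
    static SealedObject seal(Serializable payload, SecretKey key) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key);   // provider draws a fresh random 96-bit IV; SealedObject stores it
        return new SealedObject(payload, cipher);
    }

    /** Receiver side: getObject(Key) re-creates the cipher with the stored IV, checks the GCM tag, then deserializes. */
    static Order unseal(SealedObject sealed, SecretKey key) throws Exception {
        return (Order) sealed.getObject(key);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator keyGen = KeyGenerator.getInstance("AES");
        keyGen.init(256);
        SecretKey sharedKey = keyGen.generateKey();   // in practice provisioned out of band, never sent with the data
        SecretKey otherKey = keyGen.generateKey();

        SealedObject onTheWire = seal(new Order("acct-42", 1999), sharedKey);   // constructed sample
        // onTheWire is itself Serializable: write it to an ObjectOutputStream on the socket and read it
        // back with an ObjectInputStream (with a deserialization filter) on the other end.
        System.out.println("algorithm recorded in the object: " + onTheWire.getAlgorithm());
        System.out.println("unsealed: " + unseal(onTheWire, sharedKey));

        try {
            unseal(onTheWire, otherKey);
        } catch (GeneralSecurityException e) {
            // wrong key or modified ciphertext: the tag check fails inside doFinal and nothing is deserialized
            System.out.println("rejected: " + e);
        }
    }
}
```

Two caveats a practitioner should keep in mind: the receiver still deserializes whatever a holder of the key sends, and getObject(Key) does that on an internal ObjectInputStream of its own, so a per-stream filter on the outer socket stream does not reach it; a JVM-wide filter (the jdk.serialFilter property or ObjectInputFilter.Config.setSerialFilter) does. And a shared symmetric key only proves the data came from someone who has the key; if you need to know which party sent it, sign it as well.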
2

You can encrypt or hash it, but the Java serialization format is a poor choice for sending over the network; a better solution would be JSON / XML (encrypted or signed with some cryptographic algorithm).

nobalG
  • 4,609
  • 3
  • 34
  • 69
Konstantin Pribluda
  • 12,178
  • 1
  • 28
  • 35
1

Look into encryption as said before, but more specifically look at the SSL/TLS libraries for network communication in Java.

http://juliusdavies.ca/commons-ssl/ssl.html

No need to try and implement secure encryption communication when there is a very powerful library built into Java.

sean
  • 3,965
  • 20
  • 28
  • In my web application I am using https:// to access the application. Is this enough? – user1514499 Jul 10 '12 at 16:03
  • It may be, can you give more context? – sean Jul 10 '12 at 16:06
  • In Glassfish server, I have network configuration as given in the URL below. Is this configuration enough to secure my data? http://javadude.wordpress.com/2010/04/06/getting-started-with-glassfish-v3-and-ssl/ – user1514499 Jul 10 '12 at 16:14
  • That should be fine for your needs. If you are accessing your data over a https:// connection then it should be encrypted. But, if you need to add communication within your system then you can use the SSL/TLS libs to perform the encryption for you. – sean Jul 10 '12 at 16:16
  • Can you please confirm the above given configuration (in Glassfish) will secure my data when I send the data after serialisation – user1514499 Jul 10 '12 at 16:23
  • I believe it will be fine for server to client communication security, but remember that there is still data security that should be kept in mind outside of the communication channel. – sean Jul 10 '12 at 17:40
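The "use the SSL/TLS libraries built into Java" advice from this answer, as an added example that is not code from the answer or the comments: a client that writes one serialized object to a server over an SSLSocket and reads one back. It shows the check that is easy to miss with raw SSLSocket (hostname verification is off unless you enable it) and that the channel alone does nothing about what the peer puts into the stream. The server, host name and port are hypothetical; the code assumes the server's certificate chains to the JVM's default trust store and Java 17 or later.

```java
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class TlsObjectClient {

    // Hypothetical request/response type shared by client and server.
    record Order(String account, long amountCents) implements Serializable {}

    /**
     * Sends one serialized object to a TLS server and returns the server's serialized reply.
     * The server is assumed to present a certificate issued by a CA in the default trust store.
     */
    static Object exchange(String host, int port, Serializable request) throws Exception {
        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            SSLParameters params = socket.getSSLParameters();
            params.setProtocols(new String[] {"TLSv1.3", "TLSv1.2"});
            // A bare SSLSocket validates the certificate chain but NOT that the certificate is for this host.
            // Without this line any certificate from a trusted CA is accepted for any hostname.
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);
            socket.startHandshake();   // fail here, before any application data is written

            ObjectOutputStream out = new ObjectOutputStream(socket.getOutputStream());
            out.writeObject(request);
            out.flush();

            ObjectInputStream in = new ObjectInputStream(socket.getInputStream());
            // TLS protects the wire, not the endpoint: still restrict what the server may send back.
            in.setObjectInputFilter(ObjectInputFilter.Config.createFilter(Order.class.getName() + ";!*"));
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical endpoint; replace with the real host and port.
        Object reply = exchange("orders.example.test", 8443, new Order("acct-42", 1999));
        System.out.println("server replied: " + reply);
    }
}
```

An HTTPS listener such as the GlassFish one discussed in the comments gives you the same channel protection for browser traffic; the filter on the receiving ObjectInputStream is the part that has to exist on whichever side deserializes, HTTPS or not.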
1

In my opinion, you can either use SSLSocket or SealedObject. However, it will make things a bit heavy for you. One of the options is described in this article as well: http://www.ibm.com/developerworks/library/j-5things1/

Ashley
  • 589
  • 3
  • 5
  • 16
1

You can use SignedObject and SealedObject to secure the serialised object.

Musaddique
  • 1,435
  • 2
  • 13
  • 30
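The SignedObject half of this answer, as an added example that is not code from the answer: the sender signs the serialized bytes with its private key and the receiver verifies with the sender's public key before touching the content. The important detail is the order: SignedObject.getObject() deserializes the embedded bytes whether or not verify() was ever called, so an unverified SignedObject is just untrusted serialized data with a signature attached. SignedObjectDemo, the Order record and the key pairs generated in main are assumptions; the code assumes Java 17 or later.

```java
import java.io.Serializable;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignedObject;

public class SignedObjectDemo {

    // Hypothetical message type; SignedObject requires Serializable content.
    record Order(String account, long amountCents) implements Serializable {}

    private static final String SIG_ALG = "SHA256withECDSA";

    /** Sender: serializes the payload and signs the bytes with the sender's private key. */
    static SignedObject sign(Serializable payload, PrivateKey senderKey) throws Exception {
        return new SignedObject(payload, senderKey, Signature.getInstance(SIG_ALG));
    }

    /** Receiver: verify against the expected sender's public key first, deserialize only on success. */
    static Order verifyAndOpen(SignedObject signed, PublicKey senderKey) throws Exception {
        if (!signed.verify(senderKey, Signature.getInstance(SIG_ALG))) {
            throw new SecurityException("signature does not verify; refusing to deserialize");
        }
        return (Order) signed.getObject();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256);                         // NIST P-256
        KeyPair sender = kpg.generateKeyPair();      // sender keeps the private key; receiver is given the public key
        KeyPair impostor = kpg.generateKeyPair();

        SignedObject onTheWire = sign(new Order("acct-42", 1999), sender.getPrivate());   // constructed sample
        System.out.println("verified and opened: " + verifyAndOpen(onTheWire, sender.getPublic()));

        // The same message signed with someone else's key is rejected before deserialization.
        SignedObject forged = sign(new Order("acct-42", 999999), impostor.getPrivate());
        try {
            verifyAndOpen(forged, sender.getPublic());
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Signing gives authenticity and integrity but not confidentiality; when both are needed, wrap the SignedObject in a SealedObject (sign, then encrypt), and remember that the outer object still arrives through an ObjectInputStream that should carry a deserialization filter.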
0

I add a useful resource to the thread here, Oracle's Secure Coding Guidelines for Java SE (particularly, in this case section 8 in the guidelines, "Serialization and Deserialization"):

https://www.oracle.com/java/technologies/javase/seccodeguide.html#8

Dharman
  • 26,923
  • 21
  • 73
  • 125
Gerardo Roza
  • 1,718
  • 1
  • 21
  • 22