I have a problem when attempting to implement AES/RSA encryption on J2ME,
that problem being that bouncycastle (a library that supports java and specially J2ME) is too big for implementation on a mobile phone solution (about 860 classes in total without the test and example classes).
I've googled around and the only alternative I can really find is JCE... which in itself is also too big.
Does anyone here know a way to implement it in a very small solution? Or a "tiny" library that I can use? (like for instance for TEA: http://www.winterwell.com/software/TEA.php)
If you are willing to do a little work you should be able to take the Bouncycastle J2ME source code as a starting point and with judicious use of copy and paste implement just RSA and AES very compactly.
UPDATE:
Just as an exercise I tried this myself. It took about 45 minutes of copying and light editing to produce 27 Bouncycastle classes that completely implemented AESEngine and RSAEngine exactly as they are in Bouncycastle J2ME sources. But I did no testing of them at all, namely because I don't really understand what to do with my Netbeans J2ME project that I created them in.
How about you try the lightweight API version? Go to Bouncy Castle's latest release page and download the J2ME build. Its just about 7MB - much lighter in size.
Related
I have some C# code that relies on doing really basic graphic operations such as getting and setting pixels, and drawing texts over images. This uses the System.Drawing package which Microsoft has dropped the ball on.
Microsoft says this: Migrate to one of the following libraries: ImageSharp, SkiaSharp, Microsoft.Maui.Graphics. The latter appears to be ill-documented and unstable.
Could anyone with experience with these packages suggest an easy and simple way forward?
I am even wondering if it might pay to write my own library for the Windows bitmap format (which is sufficient for my purposes).
Yours frustratingly...
It depends on which platform you are building your app, but SkiaSharp 2.80.2 or 2.80.3 can be a good choice. There are quite a bit problems in newer packages, so you need to be careful which version you install so that you do not run into performance problems or bugs.
My company develops mobile apps that require encryption in their functionality for multiple platforms - iPhone, BlackBerry, J2ME, WinMobile, and probably Android in the near future. I've been trying to find ways to develop our apps such that all the app logic can be developed in a single code-base with a different UI wrapper for each platform, and PhoneGap seems like a promising solution.
What I want to ask is, would it be possible for an app developed in PhoneGap to use encryption like 3DES, AES, MD5, SHA256 etc? Since as far as I understand a PhoneGap app would be written with web dev technologies like Javascript/CSS, and I'm not too sure about the encryption functionalities they provide. (I'm more of an app developer than a web developer)
I thought of making my own helper classes to do this, but am not sure if those classes will be portable across all platforms. For example, if I make those classes using Java, will they be usable on an iPhone? And how?
Or if anybody knows of an even better way to do this, please share it. Thanks!
-Quinn
The major smartphone APIs are all very different from each other (iPhone: objC, Android: modern Java, Blackberry: old J2ME Java).
When you drop out of Phonegap to go native you'll almost certainly need code specific to each platform.
You can do it all in JavaScript - because the JS is compiled into phonegap you don't need to worry about its integrity, plus you can code in your public key allowing your private key to be picked up later.
see http://www.ohdave.com/rsa/ which looks like an RSA implementation (which is asymetric if thats what your after). For symettric, try implementing AES - its only a dozen lines or so of C so shouldn't be too hard to port?.
Generally, you should be looking for entirely-javascript implementations of the various relevant protocols.
Generally, I only look for the industry standard encryption and hashing plus very open licensing (sometimes the GPL does not work for clients)
Currently I will be trying SlowAES for AES and jsSHA2 for SHA-512
I will report back on my results with these.
We need a paid for supported Encryption / Decryption API for a project - AES >256?
I dont want the developers coding their own encryption / decryption even using the built in stuff. To many chances to go wrong.
Links to sites much valued.
UPDATE
Due to the fact as many have said - Its hard to understand if you are not familar with encryption, and get a small thing wrong and its busted...
I have seen answers and will be getting our own encryption/decryption from the builtin - but all the team will need to peer review.
For information BlowFish.Net is good, and performs faster than the builtin crypto routines, which when you start to look at encrypting/decrpyting data into a database can have some massive perf issues ...
http://www.codinghorror.com/blog/archives/001268.html
"even using the built in stuff"
The reason that it's built in is so that people have tested, reliable algorithms available to use that implement standards, not black box third party APIs that might not. What are the "chances to go wrong"?
Maybe you need to switch to Java, you can always opt to use third party JSSE providers there if you're paranoid about the built-in provider.
Bouncy Castle is a well respected and well developed .NET encryption library that is usually recommend for these sorts of questions. But what's wrong with using the System.Security.Cryptography Namespace? - it is extremely secure, very fast and doesn't require any external libraries. Here's an example of how to implement it.
Oh, and "using the built in stuff" will mean it is less likely to go wrong. Your developers won't be coding their own classes, just using the interfaces available which are easy to use and have been very rigorously tested.. Also, the "built in stuff" will be well supported by Microsoft, so if you want to upgrade to C# 4.0 (or C# 5.0 in the future?) you probably won't need to change your code at all.
If you were to use a 3rd party library you would most likely still run into the same issues, which basically boil down to not understanding the pitfalls of encryption.
Without a decent understanding you'll most probably make mistakes with key management, or using bad initialisation vectors or keys. These are issues you'll need to understand to tackle regardless of whether you use the inbuilt libraries (which are fine), or a 3rd party library.
If its something you feel worried about enough, the best recommendation is probably to bring in someone, or better yet - train up people to understand encryption.
Use the builtin 'stuff'. But make sure you use it in the correct mode.
Is there any alternative image manipulation library for .net? I would prefer something that is managed and open source.
I ask this because of two reasons:
I have encountered hard to debug GDI+ errors with System.Drawing in the past
I have read that using System.Drawing in asp.net web applications is not 100% supported.
Thanks!
edit: clarification, I know that System.Drawing can work asp.net web apps - I have used it in the past. I really just wonder if there are any managed image manipulation libraries for .net :)
You should look into the WPF Imaging libraries shipped with .NET 3.0. They're optimized and robust (used to run Aero, so you know they're efficient). They don't depend on the WPF dispatcher, are easily extensible, and officially supported. What more could you want?
I don't know of any fully-managed 2D drawing libraries that are either free or open-source (there appears to be a few commercially available, but OSS is the way to go). However, you might look into the Mono bindings to Cairo.
Cairo is a platform independent 2D drawing API. You can find more information about it at the Cairo homepage. The Cairo Wikipedia page also has some good info.
Cairo is also used fairly widely in the Open Source world, which to me says something about its robustness. Mozilla, Webkit, and Mono all use it, among others. Ironically, Mono actually uses it to back their System.Drawing implementation... go figure.
There might also be a way to use Mono's System.Drawing implementation as a drop-in replacement for the Microsoft implementation, though I'm not sure how or if that would even work. I would probably start by replacing the System.Drawing.dll reference with Mono's version, and then try to deal with any errors.
Anecdotal evidence #1: I have used GDI+ for on-the-fly image creation within ASP.NET with no problems. I'm not sure what the problems would even be.
With respect to (1), most of the hard to debug errors are due to not closing open handles (Dispose() in managed-land). I'm curious where you heard (2).
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 9 years ago.
Improve this question
I've written (most of) an application in Flex and I am concerned with protecting the source code. I fired up a demo of Trillix swf decompiler and opened up the swf file that was installed to my Program Files directory. I saw that all of the actionscript packages I wrote were there. I'm not too concerned with the packages, even though there is a substantial amount of code, because it still seems pretty unusable without the mxml files. I think they are converted to actionscript, or atleast I hope. However, I would still like to explore obfuscation.
Does anyone have any experience with Flash / Actionscript 3 / Flex obfuscators? Can you recommend a good product?
The procedure suggested by maclema will not really stop any attacker from obtaining the source - the "wrapper application" will need to be unencrypted so the attacker will be able to find out that you use AES (or any other algorithm) and he will obtain the decryption key in a similar way (because it needs to be in plaintext somewhere). Once he has this, he will be able to decrypt your SWF file easily.
The only reliable solution (well...) is some kind of obfuscator - we use Amayeta which works for Flex in the latest version - please see http://www.amayeta.com/software/swfencrypt/ .
Here's what I would do.
Compile your application to a SWF file. Then encrypt the SWF using AES.
Make a "wrapper" application that loads the encrypted SWF into a ByteArray using URLLoader
Use the as3crypto library to decrypt the swf at runtime.
Once decrypted, use Loader.loadBytes to load the decrypted swf into the wrapper application.
This will make it a lot harder to get your code. Not impossible, but harder.
For AIR applications you could leave the SWF encrypted when delivering the application to the end-user. Then you could provide a registration key that contains the key used to decrypt the SWF.
Also, here is a link to an AS3 obfuscator. I am not sure how well it works though.
http://www.ambiera.com/irrfuscator/index.html
Well, in my opinion, the easiest and safest solution is a mix of maclema and Borek answer:
Obfuscating code can be a big headach if you did not include it in your process from the start and if your aplplication is quite big: it's likely that obfuscation make your application corrupted if you used remote packages (and did not declare this to the obfuscator) if you used to many unTyped variables in Objects or dynamic classes ....
So: if you do maclema's solution on your big application and use obfuscation on your wrapper (which is a small app likely to be very easy to obfuscate) you're code will be the safest and the hasle the least.
Only a very angry pirate would take the time to reverse engineer the obfuscation to then decrypt the package .... Well if someone wants your application code soo bad it's either CIA related or you're already very rich (or both)
thank you all for your answers
I recently released an iOS and Android game using Flash. I looked around the internet for a good free program to protect the source code in my SWF and couldn't find anything so I wrote one. It's still in development and it's "use at your own risk" but it worked for me.
It's released on github. Check it out and let me know what you think.
https://github.com/Teesquared/flasturbate
I uploaded a windows binary but I recommend you follow the instructions to build it yourself if you want to give it a try.
This obfuscator works directly on the SWF file. It currently only renames symbols but it is built on a framework that could support altering bytecodes in the future.