Till now, i have been creating a file (txt/excel) using buffered Writer for creating a text file and JExcel API for creating a Excel file. These files i have been creating using Java only.
Now i want to make the file password protected in both the cases, that to something like, the file can be accessed by number of people, but only selected may access it using there own login ids/password.
Is it possible to do so?..
Thanks
The answer completely depends on what way you want to open your protected files.
If it is opened by your (java) program or an application, then you can simply simply encrypt it with a password upon saving, and decrypt it with something the user provides,
and use some checksum or header to see if the result is valid - or some garbage due to bad password,
some crypto APIs will do it for you right out of the box.
Second option - if you meant encrypting files with a program (like a notepad file, or something), and you expect windows or notepad to ask you for the password, then it depends on the format of the file you use. Some can be password protected, some can not -like text files usually associated with notepad). In this case password protection works as described in the format's own documentation, and you have to research a bit, I guess it will be too much work
we can do password protection of zip files with the core Java API.
Yes, it is possible to do that, you would have to write your own encryption and decryption tool or write a plugin for excel to do the decryption.
Usually the best approach is to use the security of the OS and specify which users can read or read/write the document. This is transparent to the user and doesn't require a encryption/decryption tool.
yes it is possible. You can use either AES or DES encryption. password is nothing but the key using which the file can be be encrypted or decrypted. you can create your own listener which will prompt you for password. If you enter the password then it will take the password and try to decrypt the file
Related
In my application, users can upload any kind of files.
I would like to store them (or their data, byte[]) encrypted in the file-system, and when the user wants to re-download them, de-crypt them on the fly, transparently for the user.
The files must not be user-private, as they can be shared between groups of users.
Someone with only file-system access should not be able to get the file data.
What would be the best practice to achieve this kind of encryption requirement ?
Security should be the most important consideration.
Edit
As ideal I would see an api which I can pass the file-data as byte[] which takes care of en/decryption. This way the java.io.File would not need to know about the encryption at all.
A salt could maybe be provided from the file's metatada, while the key could e.g. be provided on application startup.
Edit 2
The comment from #Jared points to an article which kind of sovles my requirement:
http://www.codejava.net/coding/file-encryption-and-decryption-simple-example
The application runs under a system account so encrypt a folder for only that account.
Store the uploaded files in that encrypted folder.
Don't give anyone the password for that account.
Windows has this built in and there are many ways to achieve this on *NIX.
This meets all of your requirements.
When you compile a .java file into a .class file, if you had a line like
String s = "This is a String"
If you open up the .class file in a text editor, you will see
This is a String
Somewhere in the file amidst the gobblety gook.
Which is fine and dandy for most stuff, but not when dealing with sensitive information like API keys.
Of course, one alternative is to read the API key in from another file, but that just makes it EASIER to find the key, as now the person can just open "key.txt" when they open the .jar file.
So how do you encrypt a string literal in your .class file?
When you send code to a 3rd party, you loose all control over it. Even if you where to embed the API key as an encrypted string, an attacker could still try, and potentially succeed in breaking it, which would make all your encryption/decryption efforts in vain.
The best solution, in my opinion, would be to not provide any sensitive information within the application, but rather provide it with an ID of some sort. Any sensitive values which it needs would be then pulled through the use of a secure connection.
If you use a key to access a 3rd party API there is no way to protect that key from the end-user IF you ship it with your code / application or you want your application to be able to access the 3rd party API without a middleman.
The end-user could just read all data send from your app to the end-point and know the API key. Regardless of any measures you took to encrypt it you will need to send it atleast once decrypted to the 3rd party.
The safe way to do this is to require your user to log in to a service provided by you, send a request to YOUR service and then YOUR service (which is presumably not located on the machine of your end-user) sends a request to the API with the key. So the end-user never knows of the key.
If you store the information in the class file, the decryption key should come from outside of the class. You can crypt the data, but if you have all the information within the class file, you are lost.
You should store API keys in config files. You have a different API keys for development and for the live, right?
Other possible solution is to use KeyStore, which allows you to store sensitive information in publicly accessible format. Only the holder of the secret key can decrypt the sensitive data.
Even if you keep that information encrypted in your class, a hacker can find the mechanism to decrypt that from your code only. So IMHO it's better to keep that encrypted information in some other file, and read that file. Also, restrict the access to that file using OS security mechanisms.
I’m creating an Excel file and it should be read-only. To do this I use:
(sheetName).getSettings().setProtected(true);
for every new sheet added.
Only someone with admin rights can get full access to the file, so after confirming a user has admin rights I do:
(workbookName).getSheet(0).getSettings().setProtected(false);
After someone with admin rights opens the file, it is not read-only anymore, until an ordinary user adds some more content to it – .getSettings().setProtected(true); again. In other words, someone can change the file after admin accesses it and before non-admin does so. I don’t have a clue how to go around it, maybe you could help me out?
--EDIT--
Users are adding data to the excel file, filling cells with information file - read workbook, copy, add some info, write and close workbook. Non-admin users can open it directly to see if what they added is there, or to see what other users added, but they should NOT be able to change anything in the file.
It is a wizard-like app that asks users for data and then adds cells to the file. One of the methods for adding data is here. The file gathers personal information from the users. The app is used only to add data, not to access it. Users can access the file only directly by double-clicking the output, and only to view the data. Admins can change the file, other users should not be able to do so.
If you're willing to pay for commercial software, the latest version of ExtenXLS has full read and write support for all the encryption formats supported by Excel. Just construct an EncryptedWorkBookHandle instead of the normal WorkBookHandle. That will use the strongest possible cipher supported by an unmodified JRE, RC4 for XLS and 128-bit AES for XLSX. If you want to use 256-bit AES with OOXML and you've installed the JCE unlimited policy you can do so with the MSOfficeEncrypter class.
JExcelAPI, a popular open-source Java spreadsheet API, does not appear to support encryption at all. Aspose.Cells, a commercial offering, supports stong encryption. The documentation for Actuate's e.Spreadsheet seems to have disappeared from the 'net, so I can't tell whether it supports encryption or not.
Since none of the freely available Java spreadsheet APIs seems to support writing encrypted spreadsheets, if you're not willing to use commercial software you'll need to come up with a workaround. You could, for example, write the spreadsheet into an encrypted ZIP file. java.util.zip doesn't support encryption, but it looks like Zip4j does.
Here's the thing since you told that users can simply edit it when and administrator removes protection there seem to be no standard alternative. However if this file is in use then no one else can modify it outside right? So simply just protect it again when administer exit the excel file, and remove protection when an administrator logs in. Like Tim said. You can create separate functions to edit the excel file and then do
disable protection
write modifications
enable protection
in all those functions. If this is feasible you can use something like AspectJ to simplify the
disable protection and enable protection
parts;
The app I am working on gets all the files from the sdcard but these files are really important and the app should maintain a security issue .So is there a way that the folder or directory that contains the file may be encrypted or locked with a key and only be used by my app?
Please help I am newbie and stuck at this point.
On Android, anything stored on the SD card is not protected by permissions and can be accessed by any application that has permission to touch the SD card (and by anything/anyone that can pull the card out and read it elsewhere). Basically, you need to assume that if you put resources there, they can be accessed by anyone. So, you are correct, you want to encrypt these resources so that even with that access, no one can access them.
Android includes plenty of support for well-known cryptography. In this case, you'll want to use symmetric encryption. The current best practice here is to use AES with 256-bit keys, all of which are natively supported in the Android class libraries. There are plenty of resources on how to do this in the developer documentation online and there is a complete rundown of all the issues you need to think about, and code examples of the entire process, in Application Security for the Android Platform (disclaimer: I'm the author of this book).
You do need a key to encrypt this data, and you need to keep that key secret (anyone that knows it can decrypt the data). You have two options...(1) ask the user for a password every time they use the application and then derive the key from that password, or (2) store the password in your application. (2) is dangerous as Android applications can be readily reverse engineered, where an attacker can simply look into your application and find the key. (1) is preferred as then there is no key stored for an attacker to recover...the tradeoff is that your users need to type in a password to use your application. What you should do here is a function of the risk analysis...how important is this data? Do you need it protected in a strong manner, or are you protecting it to just make things harder for an attacker? Only you can answer that, based on your use cases and the sensitivity/risk of your data.
Have a look at those resources:
http://source.android.com/tech/encryption/android_crypto_implementation.html
http://developer.android.com/reference/javax/crypto/package-summary.html
You should be aware that of course you shouldn't store the key to the encrypted data in cleartext but rather encrypt that itself with a password a user can choose or similar.
This is how to make a new folder:
String SaveFolder = "/Save";
String extStorageDirectory = Environment.getExternalStorageDirectory().toString();
File mySaveFolder = new File(extStorageDirectory + SaveFolder);
mySaveFolder.mkdir();
Got this code in the public void onCreate
Now it makes a folder with the name "Save".
Edit:
I looked there is not a way to set a password or something.
Though I read here http://developer.android.com/guide/topics/data/data-storage.html#filesInternal it is possible to save files in the internal memory, where users can't get acces too, but I never used that, so I can't help you with that.
I am trying to make a multi user login system for my java program, at the moment i am compairing the username and password to md5 hashes stored in a text file. I would like to be able to geive different users different access wrights to the program, using the system i am using at the moment the accesablility would be easy to change if the text file was opend. Is there a way I could encrypt the text in the file and then unencrypt it when the user loggs in??? Thanks
You can take a look at this comprehensive Java Cryptography guide. However, I think that you would be better off with a database to store the username and password since a text file could be easily deleted or modified. Encrypting it only makes it tougher to read.
Please take a look here and here to learn about JDBC. If you want a more robust framework, you can use and ORM like hibernate. The links I have posted refer to MySQL. It is a very popular Database server and integrates well with Java. You shouldn't have any problems finding tutorials or any kind of help with MySQL.
Also have a look at JAAS to restrict access to your services (e.g. based on roles).
Md5 is a one way hash algorithmic you cant decrypt it back , best way is to compare the encrypted string to validate things
Does this help:
Java - encrypt / decrypt user name and password from a configuration file