Classfile encrypt/decrypt

Fri Apr 28 19:52:23 UTC 2023

This reminds me Bruce Schneier's quote:

"Anyone, from the most clueless amateur to the best cryptographer, can
create an algorithm that he himself can't break."

You can encrypt a class, but a) your private key will be somewhere
obfuscated in your code and b) once decrypted, you can dump it from memory.

Maybe in the future, the Panama project will facilitate running certain
tasks within, for instance, an SGX enclave or other TEE environments.

--
@apr <http://twitter.com/apr>

On Fri, Apr 28, 2023 at 10:32 AM Raffaello Giulietti <
raffaello.giulietti at oracle.com> wrote:

> Hi,
>
> IIUC, the decryption key is distributed in some form with the desktop
> application.
> What is unclear to me is how the key is protected in turn.
>
>
> Greetings
> Raffaello
>
>
>
> On 2023-04-28 07:12, Henrik Buestad wrote:
> > Hi
> >
> > I don't know if this is the right place to post this, so have me excused.
> >
> > This might be naive, or a good idea?
> >
> > I have an issue with .class files in a desktop application. They can be
> > reverse enginered. Using GraalVM is unfortunately not an option since we
> > need to be able to load custom classes runtime.
> >
> > I thought of an idea to be able to encrypt .class files using RSA and
> > then have a custom JDK VM with a natively compiled decrypter with a
> > private key. (The private key could be a configure option). I then just
> > need to tap into the code where the .class file is read from disk and
> > check if it starts with CAFEBABE. If not run it through the decrypter.
> >
> > Can somebody point me to which source file(s) I should start to mess
> > around in? I mean where is the classloader reading the .class file from
> > disk?
> >
> > As I said, this might be naive😅
> >
> > Best regards,
> > Henrik Buestad
> >
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/jdk-dev/attachments/20230428/e4b0820f/attachment.htm>