Security Woes - Encryption

Slaanesh

Right, where do I begin ...

I am writing a java program that plays mp3's and videos and uses a touch screen interface for selection of these tracks. It will be running on Windows XP professional machine.

Things I would like to do:

1. Secure the java class files so they can't be reverse engineered(obfuscate?)
2. Encrypt the media files on the PC and have them decrypted when called upon for playback. I have written a DES crypto class that works. My concern is that once a track is playing I need to have a decrypted version on the hard drive for it to play. This would allow someone to copy the currently playing track.

I could just take the decrypted byte array and use that as the input, unfortunately the player is at the directshow level so I would probably have to change my current mp3 player implementation.

Where do I store the key I use for decrypting the mp3's? Some security dongle? What stops a person reverse engineering the java code, recompiling and then printing out the key to a file?

From reading on the internet it seems almost impossible to secure java class files other than obfuscate them to bits which can cause other problems down the line.

A colleague and myself have discussed this at depth and can't wrap our heads around it.

Any pointers/help would be much appreciated.

pH

Basically you're putting an encrypted file on a user's PC, and also putting all the information need to decrypt it (algorithm and key) also on the PC.

Until hardware based DRM comes along, all you can do is make it difficult (in terms of time and expertise) to decrypt and save the files. Microsoft's latest DRM has been cracked as has Apple's. You cannot make it impossible, you can just make it harder.

For example even if you managed to have the decryption in memory only (after going to all the hassle of not writing it to disk) I can :
- Scan/read/save memory just as easy.
- Install a directshow filter that saves the file to disk.
- Install an audio driver that copies the digital wav stream.

So you need to ask yourself:

• How hard do I need to make it? - what happens if someone gets unencrypted copies of the files.
• what type of users am I trying to keep out?
• The media I'm securing - are there already easier/cheaper ways to get a copy than debugging my app?

Hobbes

obfuscating the java class should still make the code a good enough mess to stop casual reading. For example converting for loops into static code and turning vars into random characters is good enough to give anyone a headache.

In regards to encrypting. It depends how you are decrypting. Generally the only secure way to do it locally is to encrypt something and then compare against something already encrypted.

decrypting it locally how are the mp3 files being supplied? If its over an network you could create some kind of session key to decrypt.

If you plan to sell this commercially, you could be better off digitally signing the mp3s so that is someone steals them you can source them.

stevenmu

Slaanesh wrote:

From reading on the internet it seems almost impossible to secure java class files other than obfuscate them to bits which can cause other problems down the line.

It pretty much is impossible, whatever you do to your class file it has to readable by the JVM, and whatever the JVM can read a reverse-engineer can too.