I am not sure what shall i put as Title for this Question, But I am here looking for help.
I work in a company which makes desktop based application on CORE JAVA Platform.
We provide an ACTIVATION CODE to activate our software.
The concept of activation is -
User enters the Activation code --> software hits our server and download all the required files --> activation completed.
Once in a day, our software hits our server to check if the activation code has been expired.
Problem-
We have a new client which doesn't have a regular internet connection. Somehow they agreed to provide internet connection for one time-
User enters the Activation code --> software hits our server and download all the required files --> activation completed.
but after that no internet connection. I can stop the software to check with server about expiry Date of activation code.
But the problem with me is-
1) How do I check whether the Activation code has actually expired? ( Activation code is valid for 1 year only)
2) If after expiry If user enters a new Activation code, how do I check this is a valid activation code with 1 year validity?
1) you can store the registration date and compare it against the system date. of course then users can temper with the date. I used to have some software that always stored the last date it had seen, and if one moved the date to the past, it complained and insta-expired. you could do something like this but of course it's never as safe as talking to a server.
2) create a format for your activation key that contains a new key as well as the previous key. so the first key is, say, A, which is good for talking to a server and checking if A is okay. A new key might look like AB meaning "I replace A, add another year of activation, and am called B, so in a year, we'll need a key like BC". You'll have to think a bit about how to encode this securely, but I'm pretty confident it can work (for example, you can encrypt B with A, then B can only be used on a machine with activation code A).
Related
I have a rather unusual question, but I still don't understand much in programming to understand if it is possible to do what I want. So I feel like I need a little story. My name is Nick, I live in Ukraine and am currently studying as a student in one of the IT firms. Now is the middle of my studies and, if everything goes good, they will give me a chance to get a job in 2 months. But not only me, but 300 more students from all over the country, since the training is online, and the company in which we will get one of the largest in the CIS.
This is where I come closer to the task. To complete the course, we have to complete 8 practical sessions with 5-6 tasks in each. Upon their implementation, we upload the code to the git lab. For this, the company has opened an account for each of us. Then the electronic program for checking assignments - E-Mentor compiles our code, provides input data to fill each class and checks the task. In case of an error, it creates log, which often does not provide complete information. Since some of the test data is always hidden. At the end, the program sets progress points for us. And we all want to get 100%)
**Task: Get input data from the E-Mentor server in the form of a file and automatically push it from the server side to my Git Lab account.**
I am not asking for the complete code, but I am asking you to help me write pseudo code so that I can implement it in full.
I represent it like this:
The server clones my code
Compiles it
Runs tests
At this time, a file is created that copies all incoming information from tests
Somehow the created file is being pushed to my gitlab
For example:
GitBash is started on the server and logs into the gitlab under my login. In this case, it is restricted to rewrite the password and login used by the server itself, as it will be immediately noticed.
This is the coolest challenge that I want to try to do and share it with all students)
I am trying to license my product(java app) with a simple technique by comparing two dates.I want to know how should I increment the date when I give the app to my client.I need to increment the date everyday,so that when it expires it doesnt work.
I dont want to use the system date,cause there are chances the client might change that.So could anyone provide me any suggestions.
Since the java app is going to be running on your client, you have basically two options (simplistically speaking).
Option1. Use a (possibly) encrypted file on your client's filesystem to store the date you want to store and compare against your expire date.
Option2. Upon registering, register to a server. Now the server knows when you registered, so it should be able to determine when you expire. Each time the application starts, make a call to the server asking if it has expired. This way, you have transferred part of the expiry logic to the server.
Keep in mind that both approaches in their simplistic form can be easily circumvented but that is most of the time the case when you have an app running on clients' computers.
One way i can think of is
Use webservice to get current date in your client
earthtools.org provides a free web service to get the time zone from a city here:
http://www.earthtools.org/webservices.htm#timezone
You just pass in the long/lat values like this: (This is for New York)
http://www.earthtools.org/timezone-1.1/40.71417/-74.00639
Use java Rest client to get date in your code
http://www.mkyong.com/webservices/jax-rs/restfull-java-client-with-java-net-url/
I want to count the number of logons and logoffs on users of their computers. I take the information for logons/logoffs from the Windows event logs (from Win32_NTLogEvent WMI class). For example with following query:
select * from Win32_NtLogEvent
where EventCode = 4648 and TimeGenerated > '20120224000000.000000-***'
But when the computer has been restarted or started it counts 3 logons, when the user has clicked logoff or lock (from start menu) and then logon it counts 1 logon. The user authenticates via Windows Active Directory. Does it influence on the number of logons? Can I count only the number of logons using explicit credentials on users?
I found EventCode: 4608 and 4609 for starting up and shutting down of Windows but I need also the number of logons when the user has logoffed or locked the computer.
I found this solution here:
strComputer = "."
Set objWMIService = GetObject("winmgmts:{(Security)}\\" & _
strComputer & "\root\cimv2")
Set colEvents = objWMIService.ExecQuery _
("SELECT * FROM Win32_NTLogEvent WHERE LogFile = 'Security' AND " & _
"EventCode = 528 AND User = 'fabrikam\\kmyer'")
Wscript.Echo colEvents.Count
Simply replace the values with the ones you want.
Now this isn't a Java but VB code... However it apparently uses the WMI interface that you could use from your Java program. Or you could do something ugly and invoke a batch script from Java (or scheduled task) and read its output, or use a binding.
This is of course assuming that you want to check this on the user's computer, as your question hinted. If you want to count logons at a more global level and from different machines, then you need to query the Active Directory (or other mechanism the networked infrastructure is using); the linked thread offers solutions for this as well.
Update:
You can have a look at Eric Fitzgerald's blog post on Tracking User Logon Activity Using Logon Events, where you have the corresponding codes (as well as complete formulas for accurate time tracking).
Apparently you want event codes 4624 (LOGON) and 4634 (LOGOFF), plus other ones listed there if you plan on using Fitzgerald's formulas to calculate the exact activity time.
A better approach would be to use a system service.
The HandlerEx callback function, defined by RegisterServiceCtrlHandlerEx, can be configured to receive session change notifications including logon, logoff, lock and unlock events.
I'm not entirely certain whether the logoff events received by HandlerEx are reliable or if they exhibit the same problems as the event log. As a backup, SetConsoleCtrlHandler allows you to define a callback function to receive logoff notifications. These notifications are reliable.
The remote desktop services API functions, such as WTSEnumerateSessions, may also be useful, allowing you to list the currently logged-on users at any given time, or get additional information about a given session. Only a subset of these functions are available on workstations, but they're the ones you need.
I need to develop a feature in the system which allows unregistered users to get one-off system access via URL token that is generated/sent by an authenticated user.
For example, a user logs in and wants to share a piece of information so the system generates a URL like http://host/page?token=jkb345k4b5234k54kh5345kb34kb34. Then this URL is sent to an unregistered user who would follow the URL to get some limited access to normally protected data.
First question - are there any standards (RFC? IETF? others?) that would be defining URL generation? The only ones I was able to find are RFC2289 and OpenToken, but none of these are directly related to what I need to do and the latter is only in a second draft state.
There is another design consideration: whether to use one way crypto hash functions and store the payload in a local data store VS using private-public key pairs and encode all necessary payload in the unique string itself.
At the moment I am heavily leaning towards one way hash as it would give me much more freedom (no dependency between payload size and generated string) and less potential problems in the future (e.g. what if I decide to add more payload - how to ensure backwards compatibility). Last but not least, accidental exposure of server-side private key would require massive efforts in key regeneration, update of all live instances, etc. None of these problems are relevant if choosing one-way hash option, but maybe there's something I overlook? RFC2289 prefers one way crypto function whereas OpenToken chooses the key pair option.
And finally, is anybody aware of any Java library for generating these?
Thanks in advance.
Also have a look at http://en.wikipedia.org/wiki/Universally_unique_identifier and RFC4122. Inside the backend you would need to attach the generated uuid to your entity so verification based on the UUID can be done later.
Apart from that most often the token could include some data (e.g. versioning+userdata) and then a secure MD5-hash is used to 'obfuscate/anonymize' it. Later then the data is concatenated by server and the hash-values are compared again.
Regarding java-lib and uuid have a look at UUID-javadoc.
Generate random strings and store them in a database with credentials.
The codes generated need to have two properties: complexity and uniqueness. Complexity ensures that they cannot be guessed and uniqueness ensures that the same code can never be generated twice. Beyond this, the specific method doesn't matter.
Generate token strings with two parts to them. The first part is time-dependent, where the key will increment and change in a predictable way with each millisecond. The second part is completely random. Combined, this will give you a long string that is unique and complex.
When you generate the token, store it in the database with the credentials that are granted when this token is used. It's important that these credentials are not encoded into the string, since this ensures that the strings cannot be hacked.
When the user click on the link with the token, mark that token as used in the database. Even better is to set a timestamp for the use, so that it can be expired, perhaps, 24 hours after the first click. This approach gives you the flexibility to implement this specific part of the requirement as necessary for your project.
I've used this solution before in many different cases for not only one-off system access, but also for ticket admission codes, gift certificate codes, and anything that's one-time use. It doesn't matter so much what you use to generate the token, so much as you can guarantee its complexity and uniqueness.
Here's how I would have done it:
Create a token (you could use a UUID for this) and add it to your database along with creation time and what resource the token should grant access to
Send an email to the user with the url http://www.myserver.com/page?token=
When the user navigates to the url, create a new session with the desired timeout and mark that session as authorized to view whatever the database says the user should be able to see (If the token isn't too old. Check the creation time against current time)
Either delete the token from the database, or mark it as expired
You only need a token when a user shares one piece of information. So, can't you just generate a random token, and associate this with the piece of information (e.g. a database field)? It's a lot simpler than doing any crypto stuff...
I have a project to build a voting desktop application for a class in Java. While security isn't the focus of the project, I would like to be as realistic as I can. What are some of the primary tools to integrate security into a Java application.
Edit: I'm not primarily worried about physical security, we are simply building an application not a whole system. I want to ensure votes are recorded correctly and not able to be changed or read by someone else.
It really depends on what kind of security you are looking to integrate. Do you want security to ensure that the user isn't running any debuggers or such to flip bits in your application to change the votes? Do you want to ensure that the user doesn't install logging software to keep track of who voted for who? Do you want to ensure that the person who is supposed to be voting is actually voting? Security is a very broad subject, and it's hard to give an answer without knowing what exactly you are looking for.
My company did lately app with very strong security. Maybe it helps.
Our app
It was java EE app.
Architecture is following:
Client computer has a cryptography package.
Dirty serwer that stores encrypted user input and output
Clean serwer that is not accesible from outside that stores keys and decrypted data.
Users are issued cryptography cards (you may want to use something less safe - eg. pgp), and are required by jsp pages to encrypt with them all input. Page contains component that connects to cryctography app, asks user for key passphrase, encrypts it with server public key and signs it with user private key, then submits.
Data is stored in external server then transferred to internal server, where it is decrypted and signature is verified, then data is processed and reencrypted, then it is sent to dirty server, and then user may get it.
So even if someone cracked the dirty server (even get hold of database) he would get mostly useless data.
Your app
I'd send encrypted and signed votes to server. It would assert two things:
You know who sent the vote
Noone wil be able to know what the vote was.
Then get data from server, assert that everyone voted at most once count the votes, voila!
If you're looking for a "higher-level" explanation of this stuff (as in, not code), Applied Cryptography has quite a few relevant examples (and I believe a section on "secure elections" that covers some voting strategies).
I'm not primarily worried about physical security, we are simply building an application not a whole system. I want to ensure votes are recorded correctly and not able to be changed or read by someone else.
Putting to one side questions of protecting against physical tampering (e.g. of the underlying database), since you've stipulated that physical security is not the present concern...
I think the primary consideration is how to ensure that a given voter votes only once. At a paper poll, each registered voter is restricted to a particular booth/location and verification is done by name+SSN and a signature.
You might need a high resolution digital signature capture and therefore a touchscreen capture peripheral or a touch screen terminal. A more sophisticated approach would be a biometric scanner, but that would require government records of thumb/finger prints or retinal scan - I can already see the privacy advocates lining up at the lawyer's offices.
Another approach would be for the voter "registrar office" to issue digital keys to each voter prior to the election - a (relatively) short (cryptographically strong) random alpha/numeric key that is entered with the voter's name and/or SSN into the application. Knowledge of that key is required for that particular voter in that particular election. These keys would be issued by post in tamper-evident envelopes, like those used by banks for postal confirmation of wire transfers and delivery of PIN numbers. The key must include checksum data so that the user can have the entry of it immediately validated and it should be in groups of 4, so something like XXXX-XXXX-XXXX-CCCC.
Any other "secret" knowledge, such as SSN, is likely too easily discovered for a large percentage of the population (though we don't seem to be able to make credit-granting organizations understand this), and therefore is unsuitable for authentication.
Vote counting can be done by generating a public key encrypted data file which is transferred (by sneaker net?) to the central system. This must include the "voting booth" identity information and a record for each voter including their SSN and the digital key (or signature, or biometric data). Votes with invalid keys are eliminated. Multiple votes with the same key and same votes are treated as a single vote for that candidate. Multiple votes with the same key and different votes are flagged for fraud investigation (with the constituent contacted by phone, issued a new key, and directed to revote).
Your problem is that you need to identify the user reliably, so that you can prevent them from re-voting and accessing each others votes.
This is not any different from any other desktop application that requires authentication (and potentially authorization). If your voters are a closed group on a network with user accounts, you could integrate with the directory and require users to log in.
If voters do not have network user accounts, this is where it gets interesting. Each user will still need to authenticate with the application. You could generate accounts with passwords in the application and distribute this information securely prior to voting. Your application could ask users to select a password when the access the application for the first time.
Without knowing the specifics, it is hard give a more specific answer.
You are aware that electronic voting is an unsolved research problem? Large scale fraud should take a large effort.
I believe that physical security is more important for voting booth system rather than you know, code security.
These machine by their very nature shouldn't be connected to any kind of public networks, especially not the the internet. But having a good physical security to prevent any sort of physical tampering is very important.