
Assignment ASHUTOSH

The document presents an insecure Java program that hard-codes user credentials and lacks proper input protection, followed by a secure version that hashes passwords, separates authentication logic, and emphasizes input validation. It also outlines a cryptography modeling approach for secure software engineering, detailing steps such as requirement analysis, technique selection, key management, and secure data transmission. The secure practices aim to enhance data confidentiality, integrity, and authenticity in software systems.

Uploaded by

tushar.for.walks
Copyright © All Rights Reserved

1. Write an insecure Java program and then develop a secure version of the program. Provide relevant details to support your answer.

Insecure Java Program:

    import java.util.Scanner;

    public class InsecureSignInAuthentication {

        public static void main(String[] args) {
            Scanner scanner = new Scanner(System.in);

            System.out.print("Enter your UserID: ");
            String inputUserID = scanner.nextLine();

            System.out.print("Enter your passcode: ");
            String inputPasscode = scanner.nextLine();

            // Insecure: the credentials are hard-coded in the source code
            // and compared as plain text.
            if (inputUserID.equals("user") && inputPasscode.equals("passcode000")) {
                System.out.println("Authentication successful. Welcome, user");
            } else {
                System.out.println("Authentication failed. Retry SigningIn.");
            }
        }
    }

- In the insecure Java program above, the UserID and passcode are hard-coded in the source code, which is a security vulnerability.

- Additionally, sensitive information is read directly from the console input without any encryption or protection.

Secure Java Program:

    import java.util.Scanner;

    public class SecureSignInAuthentication {

        public static void main(String[] args) {
            Scanner scanner = new Scanner(System.in);

            System.out.print("Enter your userID: ");
            String inputUserID = scanner.nextLine();

            System.out.print("Enter your passcode: ");
            String inputPasscode = scanner.nextLine();

            if (authenticateUser(inputUserID, inputPasscode)) {
                System.out.println("Authentication successful. Welcome, " + inputUserID + "!");
            } else {
                System.out.println("Authentication failed. Retry SigningIn.");
            }
        }

        private static boolean authenticateUser(String userID, String passcode) {
            // In a real application, fetch user data from a secure database
            // and perform proper password hashing for comparison.
            // For this example, we'll just compare against hardcoded values.
            String storedUserID = "user";
            String storedPasscodeHash = "c8f6e2a79fd9a7c4d37b6f6ca253a03e"; // Example hash, not real security.

            String inputPasscodeHash = hashPasscode(passcode); // Hash the input passcode for comparison.

            return userID.equals(storedUserID) && inputPasscodeHash.equals(storedPasscodeHash);
        }

        private static String hashPasscode(String passcode) {
            // In a real application, use a strong password hashing algorithm like bcrypt.
            // For this example, we'll use a simple MD5 hash (for illustrative purposes only).
            // MD5 is not secure for password hashing in practice.
            // DO NOT use MD5 for actual password hashing.
            return MD5HashFunction.hash(passcode);
        }

        private static class MD5HashFunction {
            // Simulate MD5 hashing (for example purposes only).
            public static String hash(String input) {
                // In a real scenario, use a secure hashing library.
                // This is not a secure implementation.
                // DO NOT use MD5 for actual password hashing.
                // Use libraries like Java's MessageDigest or BouncyCastle.
                // DigestUtils comes from Apache Commons Codec, which must be on the classpath.
                return org.apache.commons.codec.digest.DigestUtils.md5Hex(input);
            }
        }
    }

Secure Aspects:

Passcodes are hashed:
Plain-text passcodes are used in the insecure version of the Java program, but only hashed passcodes are used in the secure version.

Concerns are separated:
Authentication logic is moved to a separate method, which makes the code modular and easier to maintain.

Sanitization and Validation of Inputs:
In any real application, one needs to implement proper validation and sanitization techniques to prevent attacks like code injection and SQL injection.

Dynamic Credentials:
Dynamically compared values take the place of hard-coded credentials. All of this would be fetched from a secure database in a real application.
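
The secure version's comments call for a strong password hashing algorithm in place of MD5. The following is an added example, not part of the original assignment: it uses PBKDF2 (available in the standard JDK, swapped in here for the bcrypt the comment mentions) with a per-user random salt, a constant-time comparison, and a non-echoing passcode prompt. The class name, iteration count and sample passcode are assumptions made for this example.

```java
import java.io.Console;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class Pbkdf2SignIn {
    // Assumed parameters for this example; tune the iteration count to your hardware.
    private static final int ITERATIONS = 600_000;
    private static final int KEY_BITS = 256;

    static byte[] newSalt() {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt); // unique salt per user
        return salt;
    }

    static byte[] hash(char[] passcode, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(passcode, salt, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // drop the spec's internal copy of the passcode
        }
    }

    // Constant-time comparison, so the check does not leak how many bytes matched.
    static boolean verify(char[] passcode, byte[] salt, byte[] storedHash) throws Exception {
        return MessageDigest.isEqual(hash(passcode, salt), storedHash);
    }

    public static void main(String[] args) throws Exception {
        // Enrollment with a constructed sample passcode; a real system stores
        // the salt and hash in the user database, never the passcode itself.
        byte[] salt = newSalt();
        byte[] stored = hash("correct horse battery".toCharArray(), salt);

        Console console = System.console();
        if (console == null) { // no interactive terminal (IDE, redirected input)
            System.out.println("Self-check: " + verify("correct horse battery".toCharArray(), salt, stored));
            return;
        }
        char[] input = console.readPassword("Enter your passcode: "); // not echoed
        if (input == null) return; // end of input
        System.out.println(verify(input, salt, stored) ? "Authentication successful." : "Authentication failed.");
        Arrays.fill(input, '\0'); // wipe the passcode from memory
    }
}
```
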

2. How to model cryptography from a Secure Software Engineering perspective?

Cryptography means the better protection of information which needs to be transmitted. Cryptography modelling involves designing and integrating cryptographic techniques to ensure the confidentiality, authenticity and integrity of data in any software system. The steps of cryptography modelling are given in the following points:

1. Analysis of Requirements: This step covers the security requirements of the software and the identification of the data to be protected. The desired level of security, such as data encryption, authentication and digital signatures, is also determined in this step.

2. Selection of Suitable Cryptographic Techniques: Select cryptographic algorithms and protocols which align with the standards of the security requirements. For example, AES for encryption and HMAC for integrity of messages.

3. Key Management: In this step of modelling cryptography we need to develop a key management strategy for generating, storing, distributing and revoking the cryptographic keys securely.

4. Secure Design of Architecture: In this step one needs to follow a layered architecture approach to separate security concerns from application logic.

5. Secure Data Transmission: It is important to secure data transmitted over networks using encryption protocols like TLS/SSL. Proper certificate management and validation processes should also be implemented.

6. Store the Data Securely: In this step one needs to encrypt the data before storing it on disk or in any database. Access control and authorization mechanisms are used to ensure that only authorized persons can access the encrypted data.

7. Message Integrity: Use cryptographic techniques like Hash-based Message Authentication Code (HMAC) to ensure the integrity of messages and to detect tampering.

8. Digital Signatures: Implement digital signatures in the cryptography model to provide data authenticity. Asymmetric cryptography is used to generate and verify the digital signatures.

9. Secure Coding Practices: Follow secure coding practices to avoid vulnerabilities like timing attacks and side-channel attacks.

10. Security Testing and Validation: Use tools to identify security vulnerabilities and analyse the code.

11. Continuous Review and Maintenance Monitoring: It is most important to keep the cryptography sound and secure by monitoring and reviewing it from time to time and maintaining it as required.

12. Documentation: Document all the approaches in place, such as design decisions, security measures and key management procedures, for any possible future reference and auditing.
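
Steps 2, 7 and 9 above can be combined in one routine. The following is an added example, not part of the original assignment: it encrypts with AES, authenticates the IV and ciphertext with HMAC-SHA256 under a separate key, and verifies the tag in constant time before decrypting. The class name, message layout and sample record are assumptions made for this example; keys are generated in memory here, whereas step 3 would place them in a key store.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

public class EncryptThenMac {
    static byte[] tag(SecretKey macKey, byte[] iv, byte[] ct) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(macKey);
        mac.update(iv); // the IV is authenticated together with the ciphertext
        return mac.doFinal(ct);
    }

    // Layout chosen for this example: IV (16) || ciphertext || HMAC tag (32)
    static byte[] seal(SecretKey encKey, SecretKey macKey, byte[] plain) throws Exception {
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv); // fresh random IV for every message
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, encKey, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plain);
        return ByteBuffer.allocate(16 + ct.length + 32)
                .put(iv).put(ct).put(tag(macKey, iv, ct)).array();
    }

    static byte[] open(SecretKey encKey, SecretKey macKey, byte[] msg) throws Exception {
        if (msg.length < 16 + 16 + 32) throw new SecurityException("message too short");
        byte[] iv = Arrays.copyOfRange(msg, 0, 16);
        byte[] ct = Arrays.copyOfRange(msg, 16, msg.length - 32);
        byte[] got = Arrays.copyOfRange(msg, msg.length - 32, msg.length);
        // Verify first, in constant time, so unauthenticated data is never decrypted.
        if (!MessageDigest.isEqual(tag(macKey, iv, ct), got))
            throw new SecurityException("integrity check failed");
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, encKey, new IvParameterSpec(iv));
        return c.doFinal(ct);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator aes = KeyGenerator.getInstance("AES");
        aes.init(256);
        SecretKey encKey = aes.generateKey(); // separate keys for encryption and MAC
        SecretKey macKey = KeyGenerator.getInstance("HmacSHA256").generateKey();
        byte[] msg = seal(encKey, macKey, "constructed sample record".getBytes(StandardCharsets.UTF_8));
        System.out.println(new String(open(encKey, macKey, msg), StandardCharsets.UTF_8));
        msg[20] ^= 1; // simulate tampering with one ciphertext byte
        try { open(encKey, macKey, msg); }
        catch (SecurityException e) { System.out.println("Rejected: " + e.getMessage()); }
    }
}
```
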
