Signed Applets

aschulze@de.ibm.com
Thu, 23 Jan 1997 02:52:51 EST

Message-Id: <199701230752.XAA12795@java1.javasoft.com>
Date: Thu, 23 Jan 1997 02:52:51 EST
From: aschulze@de.ibm.com
To: java-security@java
Subject: Signed Applets

Hello,
at the moment we are working on a 3-tier JDBC solution for accessing
a database with an applet.
But we have encountered some serious problems:
we want to ensure that the data our middle-tier gets from the applet
was REALLY sent from OUR applet and not from any other appletU
As far as I understood the new features of the JDK 1.1 you can generate
key pairs to ensure that the data, which was send from the applet is
correct and wasn't modified on the way to the "middle-tier".
And of course in the applet I can check, if the classes were modified
etc.U
But our problem is a little bit v.v.:
We need a mechanism to check the correctness of the client applet
from the server sideU Could this be done in any way?
We mustn't allow that anybody could decompile our applet, modifie it,
recompile and then starts it to send any data he wants to our middle-
tierU By the way: it must be possible that everybody could use the
correct applet, so we mustn't use things like userid/pwds for the users
etc.
If I sign my applet, could you get the signature of the applet on the
client machine with any tools? Because we thought of signing the applet
and sending these sign informations with the rest of our data to the
middle-tier, which checks for the correct signature. Is this possible?
Of course we know that anybody who has an ear on the transmission
protocol could figure out the signature, but with encryption etc. it
could be made a little bit more secureU

Hope you could email me some further information or suggestions

Mit freundlichen Gruessen/Kind regards
Schulze Alexander Tel: 07031/127881
email: aschulze@de.ibm.com intern: 931 Fax: 07031/127143