Protecting Code

By Paladion

November 15, 2005

Our applet implements an algorithm that's proprietary and a trade secret. How do I protect the algorithm from getting stolen at the browser?

  1. Digitally sign the applet
  2. Encrypt the applet using RSA
  3. Use Code Obfuscation
  4. None of the above

The correct answer to the quiz is 3. Use Code Obfuscation.

Digitally signing an applet proves its authenticity. It enables a user to check whether the applet has been tampered with since it was created by the developer. It also allows the user to determine who developed the applet. Neither of these, however, protects the applet and its proprietary algorithm against reverse engineering.

If an applet is encrypted in such a way that it cannot be decrypted, then the browser cannot execute it either. For the browser to execute an encrypted applet, it must be able to decrypt it, which requires the decryption key to be sent to the browser. An adversary can then use that same key to decrypt the applet and study the algorithm.

Code Obfuscation makes reverse engineering code very difficult. It changes function names, modifies data structures, and generally makes the code unreadable while keeping it logically equivalent to the original source code. This is a good way to protect intellectual property in source code. We discussed Code Obfuscation in this 3-part tutorial.
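As an added illustration (not code from the original article or from any particular obfuscator), the Java class below pairs a readable routine with a hand-obfuscated form that uses renamed identifiers, encoded constants and a flattened loop, then checks that both return the same results. The routine `licenseChecksum`, its constants and the sample inputs are constructed for this example.

```java
// Added example: a constructed "proprietary" routine and an obfuscated equivalent.
public class ObfuscationDemo {

    // Readable original: weighted rolling checksum over a key string (constructed).
    static int licenseChecksum(String licenseKey, int seed) {
        int checksum = seed;
        for (int index = 0; index < licenseKey.length(); index++) {
            int weight = (index % 2 == 0) ? 3 : 7;
            checksum = (checksum * 31 + licenseKey.charAt(index) * weight) % 65521;
        }
        return checksum;
    }

    // Obfuscated form: meaningless names, constants hidden behind arithmetic,
    // and the loop flattened into a state machine. Same inputs, same outputs.
    static int a(String a, int b) {
        int c = b, d = 0, e = 0;
        while (true) {
            switch (e) {
                case 0: e = (d < a.length()) ? 1 : 3; break;           // loop test
                case 1: c = (c * (0x3E >> 1)                            // 31
                            + a.charAt(d) * (((d & 1) << 2) + 3))       // 3 or 7
                            % (0x10000 - 15);                           // 65521
                        e = 2; break;
                case 2: d++; e = 0; break;                              // increment
                default: return c;                                      // loop exit
            }
        }
    }

    // Returns true when both forms agree on every constructed sample and seed.
    static boolean equivalentOnSamples() {
        String[] samples = {"", "A", "ABCD-1234", "trade-secret-key"};
        for (String s : samples) {
            for (int seed = 0; seed < 1000; seed++) {
                if (licenseChecksum(s, seed) != a(s, seed)) return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        System.out.println("obfuscated form matches original: " + equivalentOnSamples());
    }
}
```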
