Secure Programming
Re: Java keystore password storage Apr 25 2005 05:52PM
Fredrik Hesse (fredrik hesse nexus se)
Indeed a classic problem, unfortunately there are
no platform-independant services for storing things like this.
But a config-file with proper access-restrictions goes a long way..
And I guess thats the solution you're leaning against if I read
between the lines.
3 is good since it doesn't require storage of the password on
disk, otoh it requires human intervention which you probably
want to avoid.

I'm no expert on LDAP, but could anyone tell if you use a
directory service to pull the password from?


-----Ursprungligt meddelande-----
Från: john bart
Till: (at) news2mail (dot) com [email concealed]; SC-L (at) securecoding (dot) org [email concealed];
secprog (at) securityfocus (dot) com [email concealed]; vuln-dev (at) securityfocus (dot) com [email concealed];
webappsec (at) securityfocus (dot) com [email concealed]
Skickat: 2005-04-25 09:55
Ämne: Java keystore password storage

Hello to all the list.
I need some advice on where to store the keystore's password.
Right now, i have something like this in my code:

keystore = KeyStore.getInstance("JKS");
keystore.load(new FileInputStream("keystore.jks"),"PASSWORD");

the question is, where do i store the password string? all of the
possibilities that i thought about are not good enough:
1) storing it in the code - obviously not.
2) storing it in a seperate config file is also not secure.
3) entering the password at runtime is not an option.
4) encrypting the password - famous chicken and egg problem (storing the

encryption key)

Any ideas?

Express yourself instantly with MSN Messenger! Download today it's FREE!

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus