Back to list
RE: Java keystore password storage
Apr 25 2005 05:52PM
Michael Howard (mikehow microsoft com)
Re: Java keystore password storage
Apr 25 2005 06:54PM
black love (black love83 gmail com)
On 4/25/05, Michael Howard <mikehow (at) microsoft (dot) com [email concealed]> wrote:
> Oh this thorny issue again!
> On Windows you can call into the Data Protection API (CryptProtectData
> etc), which uses keys derived from the user's password to protect secret
> data like this, or uses a machine key if you want to lock the key down
> to the machine. Mac OSX offers a similar technology called Keychain
> (SecKeychainAddGenericPassword etc), but these are of course OS specific
> I know of no other way that works solely with Java on all platforms...
> [Writing Secure Code] http://www.microsoft.com/mspress/books/5957.asp
> [Protect Your PC] http://www.microsoft.com/protect
> [Blog] http://blogs.msdn.com/michael_howard
> [SDL] http://msdn.microsoft.com/security/sdl
> -----Original Message-----
> From: john bart [mailto:sysadmin256 (at) hotmail (dot) com [email concealed]]
> Sent: Monday, April 25, 2005 12:56 AM
> To: comp.lang.java.security (at) news2mail (dot) com [email concealed]; SC-L (at) securecoding (dot) org [email concealed];
> secprog (at) securityfocus (dot) com [email concealed]; vuln-dev (at) securityfocus (dot) com [email concealed];
> webappsec (at) securityfocus (dot) com [email concealed]
> Subject: Java keystore password storage
> Hello to all the list.
> I need some advice on where to store the keystore's password.
> Right now, i have something like this in my code:
> keystore = KeyStore.getInstance("JKS");
> keystore.load(new FileInputStream("keystore.jks"),"PASSWORD");
> the question is, where do i store the password string? all of the
> possibilities that i thought about are not good enough:
> 1) storing it in the code - obviously not.
> 2) storing it in a seperate config file is also not secure.
> 3) entering the password at runtime is not an option.
> 4) encrypting the password - famous chicken and egg problem (storing the
> encryption key)
> Any ideas?
> Express yourself instantly with MSN Messenger! Download today it's FREE!
[ reply ]
Copyright 2010, SecurityFocus