Secure Programming
RE: Java keystore password storage Apr 25 2005 05:52PM
Michael Howard (mikehow microsoft com) (1 replies)
Re: Java keystore password storage Apr 25 2005 06:54PM
black love (black love83 gmail com)
On 4/25/05, Michael Howard <mikehow (at) microsoft (dot) com [email concealed]> wrote:
> Oh this thorny issue again!
> On Windows you can call into the Data Protection API (CryptProtectData
> etc), which uses keys derived from the user's password to protect secret
> data like this, or uses a machine key if you want to lock the key down
> to the machine. Mac OSX offers a similar technology called Keychain
> (SecKeychainAddGenericPassword etc), but these are of course OS specific
> solutions.
> I know of no other way that works solely with Java on all platforms...
> [Writing Secure Code]
> [Protect Your PC]
> [Blog]
> [SDL]
> -----Original Message-----
> From: john bart [mailto:sysadmin256 (at) hotmail (dot) com [email concealed]]
> Sent: Monday, April 25, 2005 12:56 AM
> To: (at) news2mail (dot) com [email concealed]; SC-L (at) securecoding (dot) org [email concealed];
> secprog (at) securityfocus (dot) com [email concealed]; vuln-dev (at) securityfocus (dot) com [email concealed];
> webappsec (at) securityfocus (dot) com [email concealed]
> Subject: Java keystore password storage
> Hello to all the list.
> I need some advice on where to store the keystore's password.
> Right now, i have something like this in my code:
> keystore = KeyStore.getInstance("JKS");
> keystore.load(new FileInputStream("keystore.jks"),"PASSWORD");
> the question is, where do i store the password string? all of the
> possibilities that i thought about are not good enough:
> 1) storing it in the code - obviously not.
> 2) storing it in a seperate config file is also not secure.
> 3) entering the password at runtime is not an option.
> 4) encrypting the password - famous chicken and egg problem (storing the
> encryption key)
> Any ideas?
> _________________________________________________________________
> Express yourself instantly with MSN Messenger! Download today it's FREE!

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus