Discussion:
Java keystore password storage
john bart
2005-04-25 07:55:43 UTC
Hello to all the list.
I need some advice on where to store the keystore's password.
Right now, I have something like this in my code:

KeyStore keystore = KeyStore.getInstance("JKS");
try (FileInputStream in = new FileInputStream("keystore.jks")) {
    keystore.load(in, "PASSWORD".toCharArray()); // load() takes a char[], not a String
}

the question is, where do I store the password string? All of the
possibilities that I thought about are not good enough:
1) storing it in the code - obviously not.
2) storing it in a separate config file is also not secure.
3) entering the password at runtime is not an option.
4) encrypting the password - famous chicken and egg problem (storing the
encryption key)

Any ideas?

_________________________________________________________________
Express yourself instantly with MSN Messenger! Download today it's FREE!
http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
Fredrik Hesse
2005-04-25 17:52:46 UTC
Indeed a classic problem, unfortunately there are
no platform-independent services for storing things like this.
But a config-file with proper access-restrictions goes a long way..
And I guess that's the solution you're leaning towards if I read
between the lines.
3 is good since it doesn't require storage of the password on
disk, otoh it requires human intervention which you probably
want to avoid.

I'm no expert on LDAP, but could anyone tell if you use a
directory service to pull the password from?

Regards
Fredr!k
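Fredrik's "config-file with proper access-restrictions" option, worked through in Java as an added example (this is not code from either poster): the keystore password lives in its own file, and the program refuses to use it unless the file is owned by the running account and has no group/other permission bits, which is what "proper access-restrictions" amounts to on a POSIX box. The file names keystore.jks and keystore.pwd, the KeystoreLoader class and its method names are assumptions for the demo; the POSIX attribute view is not available on Windows (Files.readAttributes throws UnsupportedOperationException there), where Michael's DPAPI suggestion applies instead.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFileAttributes;
import java.nio.file.attribute.PosixFilePermission;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.Set;

/**
 * Loads a JKS keystore whose password is kept in a separate file that must be
 * readable only by the account running the application (mode 0600 or tighter).
 * Class and method names are assumptions made for this example.
 */
public final class KeystoreLoader {

    /** Refuses the password file unless we own it and nobody else can read or write it. */
    static void checkPasswordFilePermissions(Path passwordFile) throws IOException {
        PosixFileAttributes attrs = Files.readAttributes(passwordFile, PosixFileAttributes.class);
        String me = System.getProperty("user.name");
        if (!attrs.owner().getName().equals(me)) {
            throw new IOException(passwordFile + " is owned by " + attrs.owner().getName()
                    + ", not by " + me);
        }
        Set<PosixFilePermission> perms = attrs.permissions();
        for (PosixFilePermission p : perms) {
            if (p != PosixFilePermission.OWNER_READ && p != PosixFilePermission.OWNER_WRITE) {
                throw new IOException(passwordFile + " has permissions " + perms
                        + "; expected mode 0600 (owner read/write only)");
            }
        }
    }

    /** Reads the password as a char[] so every copy can be wiped; a String would linger in the heap. */
    static char[] readPassword(Path passwordFile) throws IOException {
        byte[] raw = Files.readAllBytes(passwordFile);
        int len = raw.length;
        while (len > 0 && (raw[len - 1] == '\n' || raw[len - 1] == '\r')) {
            len--; // drop the trailing newline an editor leaves behind
        }
        CharBuffer decoded = StandardCharsets.UTF_8.decode(ByteBuffer.wrap(raw, 0, len));
        char[] password = new char[decoded.remaining()];
        decoded.get(password);
        Arrays.fill(raw, (byte) 0);                          // wipe the file bytes
        if (decoded.hasArray()) Arrays.fill(decoded.array(), '\0'); // and the decoder's copy
        return password;
    }

    /** Checks the password file, loads the keystore, and wipes the password afterwards. */
    static KeyStore load(Path keystoreFile, Path passwordFile)
            throws IOException, GeneralSecurityException {
        checkPasswordFilePermissions(passwordFile);
        char[] password = readPassword(passwordFile);
        try (InputStream in = Files.newInputStream(keystoreFile)) {
            KeyStore ks = KeyStore.getInstance("JKS");
            ks.load(in, password); // KeyStore.load() takes char[], not String
            return ks;
        } finally {
            Arrays.fill(password, '\0'); // do not leave the password in memory longer than needed
        }
    }

    public static void main(String[] args) throws Exception {
        // File names are assumptions; the password file is created under "umask 077"
        // so it starts out as 0600 and the check above passes.
        KeyStore ks = load(Paths.get("keystore.jks"), Paths.get("keystore.pwd"));
        System.out.println("Loaded keystore with " + ks.size() + " entries");
    }
}
```

The permission check is what turns option 2 from "not secure" into the compromise Fredrik describes: anyone who can read the file can open the keystore, so the file must be readable by exactly the service account and nobody else, and the check makes a misconfigured deployment fail loudly instead of silently running with a world-readable secret.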


Michael Howard
2005-04-25 17:52:49 UTC
Oh this thorny issue again!

On Windows you can call into the Data Protection API (CryptProtectData
etc), which uses keys derived from the user's password to protect secret
data like this, or uses a machine key if you want to lock the key down
to the machine. Mac OSX offers a similar technology called Keychain
(SecKeychainAddGenericPassword etc), but these are of course OS specific
solutions.

I know of no other way that works solely with Java on all platforms...


[Writing Secure Code] http://www.microsoft.com/mspress/books/5957.asp
[Protect Your PC] http://www.microsoft.com/protect
[Blog] http://blogs.msdn.com/michael_howard
[SDL] http://msdn.microsoft.com/security/sdl
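Michael's Windows suggestion, as an added example that is not from his post or from Microsoft's documentation: the keystore password is stored on disk only as a DPAPI blob, encrypted under the current user's DPAPI key with CryptProtectData, and decrypted at startup with CryptUnprotectData. The DPAPI calls go through the JNA platform library's Crypt32Util wrapper (assumed to be on the classpath); the class name, method names and the file name keystore.pwd.dpapi are assumptions for the demo. The blob is useless to any other user account, which is what separates this from a plain config file.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.util.Arrays;

import com.sun.jna.platform.win32.Crypt32Util; // JNA platform library (assumed dependency)

/**
 * Windows-only: keeps the keystore password on disk as a DPAPI blob bound to the
 * current user account. Class and method names are assumptions for this example.
 */
public final class DpapiKeystorePassword {

    /** Run once when provisioning: encrypt the password under the user's DPAPI key. */
    static void protectToFile(char[] password, Path blobFile) throws IOException {
        ByteBuffer encoded = StandardCharsets.UTF_8.encode(CharBuffer.wrap(password));
        byte[] plain = new byte[encoded.remaining()];
        encoded.get(plain);
        try {
            byte[] blob = Crypt32Util.cryptProtectData(plain); // CryptProtectData, current-user scope
            Files.write(blobFile, blob);
        } finally {
            Arrays.fill(plain, (byte) 0);
            if (encoded.hasArray()) Arrays.fill(encoded.array(), (byte) 0);
        }
    }

    /** At startup: decrypt the blob. Fails for any other user account. */
    static char[] unprotectFromFile(Path blobFile) throws IOException {
        byte[] plain = Crypt32Util.cryptUnprotectData(Files.readAllBytes(blobFile)); // CryptUnprotectData
        CharBuffer decoded = StandardCharsets.UTF_8.decode(ByteBuffer.wrap(plain));
        char[] password = new char[decoded.remaining()];
        decoded.get(password);
        Arrays.fill(plain, (byte) 0);                               // wipe the plaintext bytes
        if (decoded.hasArray()) Arrays.fill(decoded.array(), '\0'); // and the decoder's copy
        return password;
    }

    /** Loads the keystore with the recovered password and wipes it afterwards. */
    static KeyStore loadKeystore(Path keystoreFile, Path blobFile) throws Exception {
        char[] password = unprotectFromFile(blobFile);
        try (InputStream in = Files.newInputStream(keystoreFile)) {
            KeyStore ks = KeyStore.getInstance("JKS");
            ks.load(in, password); // char[], as KeyStore.load() requires
            return ks;
        } finally {
            Arrays.fill(password, '\0');
        }
    }

    public static void main(String[] args) throws Exception {
        Path blob = Paths.get("keystore.pwd.dpapi"); // assumed file name

        // "provision" is run once, interactively, by the account that will run the service;
        // System.console() is null when no terminal is attached, so this is a one-off admin step.
        if (args.length == 1 && args[0].equals("provision")) {
            char[] pw = System.console().readPassword("Keystore password: ");
            protectToFile(pw, blob);
            Arrays.fill(pw, '\0');
            System.out.println("Wrote DPAPI-protected password to " + blob);
            return;
        }

        // Normal start: no human intervention, no plaintext password anywhere on disk.
        KeyStore ks = loadKeystore(Paths.get("keystore.jks"), blob);
        System.out.println("Loaded keystore with " + ks.size() + " entries");
    }
}
```

Two caveats a deployment needs to respect: the blob is tied to the Windows account that created it, so the provisioning step must run as the service account (not as an administrator who then hands the file over), and the "lock it to the machine" variant Michael mentions uses the machine key instead, which any account on that host can then decrypt, so file ACLs on the blob still matter in that mode.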

black love
2005-04-25 18:54:49 UTC
Post by Michael Howard