Secure Coding mailing list archives

RE: Java keystore password storage

From: "Scott, Richard" <Richard.Scott () bestbuy com>
Date: Wed, 18 May 2005 16:45:23 +0100

You could of course store it in LDAP but then you are faced with how do you limit access to the
LDAP tree.  You could
of course use a machine cert, and base access on certs to the LDAP tree.
I have seen implementations that on start up the credentials are obtained from LDAP and cached. 
Access it limited to
machine level certificates.  This prevents some one access LDAP from unauthorized machines but may
put extra emphasis
on securing access to the server storing the machine certificate.  Such a set up is also dependant
on your
server/application criticality and being able to depend on LDAP from an operational perspective.

If you protect the LDAP information using a password you walk the same path that lead you on this
journey.

Cheers,
R.

-----Original Message-----
From: Fredrik Hesse [mailto:[EMAIL PROTECTED]
Sent: Monday, April 25, 2005 12:53 PM
To: 'john bart '; '[EMAIL PROTECTED] '; '[EMAIL PROTECTED] ';
'[EMAIL PROTECTED] ';
'[EMAIL PROTECTED] '; '[EMAIL PROTECTED] '
Subject: Re: Java keystore password storage

Indeed a classic problem, unfortunately there are no platform-independant services for storing
things like this.
But a config-file with proper access-restrictions goes a long way..
And I guess thats the solution you're leaning against if I read between the lines.
3 is good since it doesn't require storage of the password on disk, otoh it requires human
intervention which you
probably want to avoid.

I'm no expert on LDAP, but could anyone tell if you use a directory service to pull the password
from?

Regards
Fredr!k


-----Ursprungligt meddelande-----
FrÃ¥n: john bart
Till: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]; [EMAIL PROTECTED]
Skickat: 2005-04-25 09:55
Ãmne: Java keystore password storage

Hello to all the list.
I need some advice on where to store the keystore's password.
Right now, i have something like this in my code:

keystore = KeyStore.getInstance("JKS");
keystore.load(new FileInputStream("keystore.jks"),"PASSWORD");

the question is, where do i store the password string? all of the possibilities that i thought
about are not good enough:
1) storing it in the code - obviously not.
2) storing it in a seperate config file is also not secure.
3) entering the password at runtime is not an option.
4) encrypting the password - famous chicken and egg problem (storing the

encryption key)

Any ideas?

_________________________________________________________________
Express yourself instantly with MSN Messenger! Download today it's FREE!

http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/

Current thread:

Re: Java keystore password storage, (continued)
- - Re: Java keystore password storage Blue Boar (Apr 26)
    - Re: Java keystore password storage ljknews (Apr 26)
  - RE: Java keystore password storage Chris Matthews (Apr 26)
    - Re: Java keystore password storage Nash (Apr 27)
- Re: Java keystore password storage Mark (May 03)
- RE: Java keystore password storage Goertzel Karen (Apr 25)
- Re: Java keystore password storage Fredrik Hesse (Apr 25)
- RE: Java keystore password storage Michael Howard (Apr 25)
  - RE: Java keystore password storage john bart (Apr 26)
- RE: Java keystore password storage Michael Howard (Apr 26)
- RE: Java keystore password storage Scott, Richard (May 18)
- RE: Java keystore password storage Scott, Richard (Jun 24)