Secure Coding mailing list archives

RE: Java keystore password storage


From: "Michael Howard" <mikehow () microsoft com>
Date: Tue, 26 Apr 2005 22:02:30 +0100

None that I'm aware of. 

[Writing Secure Code] http://www.microsoft.com/mspress/books/5957.asp
[Protect Your PC] http://www.microsoft.com/protect
[Blog] http://blogs.msdn.com/michael_howard
[SDL] http://msdn.microsoft.com/security/sdl

-----Original Message-----
From: john bart [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 26, 2005 10:46 AM
To: Michael Howard; [EMAIL PROTECTED];
[EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: Java keystore password storage

Is there something like Windows' DPAPI in the Unix world (Solaris,
Linux, etc.)?

From: "Michael Howard" <[EMAIL PROTECTED]>
To: "john bart" 
<[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <SC-L@securecoding.org>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED] com>, <[EMAIL PROTECTED]>
Subject: RE: Java keystore password storage
Date: Mon, 25 Apr 2005 10:52:49 -0700

Oh this thorny issue again!

On Windows you can call into the Data Protection API (CryptProtectData 
etc), which uses keys derived from the user's password to protect 
secret data like this, or uses a machine key if you want to lock the 
key down to the machine. Mac OSX offers a similar technology called 
Keychain (SecKeychainAddGenericPassword etc), but these are of course 
OS specific solutions.

I know of no other way that works solely with Java on all platforms...


[Writing Secure Code] http://www.microsoft.com/mspress/books/5957.asp
[Protect Your PC] http://www.microsoft.com/protect
[Blog] http://blogs.msdn.com/michael_howard
[SDL] http://msdn.microsoft.com/security/sdl

-----Original Message-----
From: john bart [mailto:[EMAIL PROTECTED]
Sent: Monday, April 25, 2005 12:56 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; 
[EMAIL PROTECTED]; [EMAIL PROTECTED]; 
[EMAIL PROTECTED]
Subject: Java keystore password storage

Hello to all on the list.
I need some advice on where to store the keystore's password.
Right now, I have something like this in my code:

keystore = KeyStore.getInstance("JKS");
// load() takes the password as char[], not a String
keystore.load(new FileInputStream("keystore.jks"), "PASSWORD".toCharArray());

The question is, where do I store the password string? All of the
possibilities that I thought about are not good enough:
1) storing it in the code - obviously not.
2) storing it in a separate config file is also not secure.
3) entering the password at runtime is not an option.
4) encrypting the password - the famous chicken-and-egg problem (storing
the encryption key)

Any ideas?

_________________________________________________________________
Express yourself instantly with MSN Messenger! Download today it's
FREE!

http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
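An added example, not part of the original thread and not code from any of the posters: a Java program that loads a JKS keystore the way the question's snippet does, but with the password read from a separate file that only the service account can read, handled as char[] and wiped after use, and with the wrong-password failure mode shown. The file names, the temp directory and the "demo-password" value are assumptions constructed for the example; the program creates its own empty keystore so it runs stand-alone.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;

/**
 * Added example (not code from the thread). Loads a JKS keystore with the
 * password supplied out of band: read from a separate file restricted to
 * the service account, held as char[] and zeroed after use. The file names
 * and the "demo-password" value are constructed for this demo.
 */
public class KeystoreLoader {

    /** Read the password file into a char[] (never a String, which cannot be wiped). */
    static char[] readPassword(Path passwordFile) throws IOException {
        byte[] raw = Files.readAllBytes(passwordFile);
        try {
            int len = raw.length;
            // Drop a trailing newline left behind by an editor.
            while (len > 0 && (raw[len - 1] == '\n' || raw[len - 1] == '\r')) {
                len--;
            }
            char[] pw = new char[len];
            for (int i = 0; i < len; i++) {
                pw[i] = (char) (raw[i] & 0xff); // assumes an ASCII password
            }
            return pw;
        } finally {
            Arrays.fill(raw, (byte) 0); // scrub the raw bytes
        }
    }

    /** Load the keystore; the password array is zeroed whether or not load() succeeds. */
    static KeyStore load(Path keystoreFile, Path passwordFile)
            throws IOException, GeneralSecurityException {
        char[] pw = readPassword(passwordFile);
        try (InputStream in = Files.newInputStream(keystoreFile)) {
            KeyStore ks = KeyStore.getInstance("JKS");
            ks.load(in, pw); // load() takes char[], not String
            return ks;
        } finally {
            Arrays.fill(pw, '\0');
        }
    }

    public static void main(String[] args) throws Exception {
        Path dir = Files.createTempDirectory("ksdemo");
        Path ksFile = dir.resolve("keystore.jks");
        Path pwFile = dir.resolve("keystore.pw");

        // Demo setup: create an empty keystore protected by the constructed password.
        char[] setupPw = "demo-password".toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);
        try (OutputStream out = Files.newOutputStream(ksFile)) {
            ks.store(out, setupPw);
        }
        Arrays.fill(setupPw, '\0');

        // Password file restricted to the owner (POSIX mode 0600; use an ACL on Windows).
        Files.write(pwFile, "demo-password\n".getBytes(StandardCharsets.US_ASCII));
        try {
            Files.setPosixFilePermissions(pwFile, PosixFilePermissions.fromString("rw-------"));
        } catch (UnsupportedOperationException e) {
            // Non-POSIX filesystem: permissions must be set by other means.
        }

        KeyStore loaded = load(ksFile, pwFile);
        System.out.println("keystore loaded, entries: " + loaded.size());

        // A wrong password fails the keystore's integrity check with an IOException.
        Files.write(pwFile, "wrong-password\n".getBytes(StandardCharsets.US_ASCII));
        try {
            load(ksFile, pwFile);
            System.out.println("unexpected: wrong password accepted");
        } catch (IOException e) {
            System.out.println("wrong password rejected: " + e.getMessage());
        }
    }
}
```

Compile with javac and run with java; no dependencies beyond the JDK. Note that this is still option 2 from the question: the only thing protecting the password is the file system's access control on the password file, which is why the thread points at DPAPI and Keychain for OS-specific protection keyed to the user or machine.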

