Secure Coding mailing list archives

Re: Java keystore password storage


From: Nash <nash () solace net>
Date: Wed, 27 Apr 2005 15:27:47 +0100

On Tue, Apr 26, 2005 at 11:28:46AM -0400, Chris Matthews wrote:
David Crocker wrote:

At issue is not the mechanical method of storing the password; it is the
fundamental insecurity of storing a password such that an automated
process may recover/use said password.  If an automated process can
recover the password, chances are very good an attacker can, and no
cryptographical algorithm will solve that issue.  The system is weak,
not the individual components.


This isn't a "fundamental insecurity." It's just built-in risk. Maybe
that's what you mean, but calling it "insecurity" sounds highly
categorical.  Running programs have to identify themselves and there are
a variety of ways they might do that, but not all of them can involve
user interaction.

That doesn't make it "fundamentally insecure" and it doesn't mean that "chances
are very good" attackers can compromise the credentials.

Not all identities have to be perfectly defended.

-nash

-- 

An ideal world is left as an exercise for the reader.

        - Paul Graham
