Secure Coding mailing list archives

Re: Java keystore password storage


From: ljknews <ljknews () mac com>
Date: Tue, 26 Apr 2005 22:05:39 +0100

At 7:20 PM -0700 4/25/05, Blue Boar wrote:
> David Crocker wrote:
>> I'm by no means an expert in the field of security and Java, but I believe that
>> the usual technique is to encode the password that the user types using a 1-way
>> hashing algorithm, then store (and hide/protect) the encoded version and use
>> that as the password. If an attacker manages to read the password hash, he still
>> has to construct a password that will encode to the same value.
>
> That only works if you're the "server", or more accurately, the process
> that needs to verify the password.  If you're the "client", or the
> process that needs to supply the password, that doesn't help you.

At the client, a password should be entered by a human.  Two factor
identification would involve an RSA signature made by a portable
device (e.g. Smartcard) which is enabled by a password known only
to the user.  Obviously the channel from the human to the device
must be secure, typically by using a keypad on the device independent
of the programmable computer system.
-- 
Larry Kilgallen
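The verifier-side technique David Crocker describes, as an added example that is not part of the original thread: a random per-password salt, PBKDF2-HMAC-SHA256 (an assumed choice of hash construction and iteration count; the thread names none) and a constant-time comparison. It also illustrates Blue Boar's point: the stored record contains nothing a client process could present as the password.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example; tune the iteration count to current
# guidance and the verifier's hardware in a real deployment.
ALG = "sha256"
ITERATIONS = 200_000
SALT_LEN = 16


def make_record(password, salt=None):
    """Verifier side: derive a one-way hash and keep only salt, parameters
    and hash. The password itself is never written anywhere."""
    if salt is None:
        salt = os.urandom(SALT_LEN)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac(ALG, password.encode("utf-8"), salt, ITERATIONS)
    return {"alg": "pbkdf2-" + ALG, "iters": ITERATIONS, "salt": salt, "hash": digest}


def verify(record, candidate):
    """Recompute the hash from the candidate with the stored salt and
    parameters, then compare in constant time so timing does not reveal
    how many leading bytes matched."""
    digest = hashlib.pbkdf2_hmac(
        ALG, candidate.encode("utf-8"), record["salt"], record["iters"]
    )
    return hmac.compare_digest(digest, record["hash"])


if __name__ == "__main__":
    rec = make_record("correct horse battery staple")  # constructed sample
    print(verify(rec, "correct horse battery staple"))  # True
    print(verify(rec, "Correct horse battery staple"))  # False
    # The record holds a salt and a hash, not a password: a client that must
    # supply the password to another system cannot reconstruct it from this.
    print(sorted(rec.keys()))  # ['alg', 'hash', 'iters', 'salt']
```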