Secure Coding mailing list archives

RE: Java keystore password storage


From: "Goertzel Karen" <goertzel_karen () bah com>
Date: Mon, 25 Apr 2005 20:42:54 +0100

A little more information would be helpful. What kind of application are
you writing? What is the platform? Is there a secure database or
directory available anywhere in the infrastructure to which the
application has access?

If it's a client, is there a CD reader? If so, you could store the
password encrypted on the client hard drive, or on the CD, and store the
cryptokey on a read-only CD. Write a software routine that would read
the key (and, if stored there, password) from the CD, store it in memory
in a Java character array (char) (NOT in a string, which is immutable
and thus won't be purged from memory until the garbage collector (GC) is
explicitly run). As soon as the key is read from the CD, the software
routine would force-eject the CD. You'd also use a char to store the
decrypted password (again, not using String due to immutability).

The above approach has the advantage of not requiring any external
system, such as a directory or database. On the other hand, you would
have to burn a new CD each time either the key or password was changed,
and you would have to write a non-standard software process to manage
the CD access and ejection, password decryption, etc.

If it's a server-side web application, an alternate approach could be to
store the password in a properties file accessible to the application,
OUTSIDE of the WEB-INF directory (do NOT place
properties in the web.xml, which is deployed in the web server's WEB-INF
directory, which represents a frequent, high-value target). Your best
bet is to use the java.util.Properties class, because it contains
methods to access properties files. The getProperty() method of this
class returns a string value, which should be immediately copied over
into a char array and all references to the string should be immediately
nulled, and GC should be immediately requested to purge the string from
memory.

Keep in mind that the Properties class will still have a reference to
the password, so the only sure way of removing the password from memory
is by calling the remove() method on the java.util.Properties class
before garbage collection. This will remove the reference from the
hashtable, and allow the GC to purge the string from memory. The
objective is to ensure that the immutable string is only used as an
ephemeral artifact for moving the password out of the properties into
memory: all references to the string must be nulled to ensure the
password cannot be read from memory after it is used (the char
containing the password will be purged as soon as it is used, so GC
won't have to be explicitly invoked to do this).

--
Karen Goertzel, CISSP
Booz Allen Hamilton
703-902-6981
[EMAIL PROTECTED]  

-----Original Message-----
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of john bart
Sent: Monday, April 25, 2005 3:56 AM
To: [EMAIL PROTECTED]
Subject: [SC-L] Java keystore password storage

Hello to all the list.
I need some advice on where to store the keystore's password.
Right now, I have something like this in my code:

keystore = KeyStore.getInstance("JKS");
keystore.load(new FileInputStream("keystore.jks"), "PASSWORD".toCharArray());

The question is, where do I store the password string? All of the
possibilities that I thought about are not good enough:
1) storing it in the code - obviously not.
2) storing it in a separate config file is also not secure.
3) entering the password at runtime is not an option.
4) encrypting the password - famous chicken and egg problem
(storing the encryption key)

Any ideas?
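
Added example, not part of the original messages: the server-side handling described in the reply above, carried through in Java (read the property, copy it into a char[], remove it from the Properties object, load the keystore, then overwrite the array). The class name, the property name keystore.password, the file names and the sample password are assumptions, and main() builds a constructed empty keystore so the code runs offline.

```java
import java.io.*;
import java.nio.file.*;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.Properties;

public class KeystorePasswordDemo {
    // Copies the property into a char[] and removes the entry, so the
    // Properties table no longer holds a reference to the password String.
    static char[] takePassword(Properties props, String name) {
        String value = props.getProperty(name);
        if (value == null) {
            throw new IllegalStateException("missing property: " + name);
        }
        char[] password = value.toCharArray();
        props.remove(name);
        return password; // the local String reference is dropped on return
    }

    static KeyStore loadKeyStore(Path keystoreFile, Path propsFile) throws Exception {
        Properties props = new Properties();
        try (InputStream in = Files.newInputStream(propsFile)) {
            props.load(in);
        }
        char[] password = takePassword(props, "keystore.password"); // assumed property name
        try (InputStream in = Files.newInputStream(keystoreFile)) {
            KeyStore ks = KeyStore.getInstance("JKS");
            ks.load(in, password);
            return ks;
        } finally {
            Arrays.fill(password, '\0'); // overwrite the array, even if load() throws
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: an empty JKS keystore and a properties file in a temp dir.
        Path dir = Files.createTempDirectory("ksdemo");
        Path ksFile = dir.resolve("keystore.jks");
        Path propsFile = dir.resolve("app.properties"); // stands in for a file outside WEB-INF
        KeyStore empty = KeyStore.getInstance("JKS");
        empty.load(null, null);
        try (OutputStream out = Files.newOutputStream(ksFile)) {
            empty.store(out, "constructed-sample".toCharArray());
        }
        Files.write(propsFile, Arrays.asList("keystore.password=constructed-sample"));
        KeyStore ks = loadKeyStore(ksFile, propsFile);
        System.out.println("loaded keystore, entries: " + ks.size());
    }
}
```

System.gc() is only a request to the JVM, so the example relies on dropping references and overwriting the array rather than on when collection happens.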
