Secure Coding mailing list archives
RE: Java keystore password storage
From: "Goertzel Karen" <goertzel_karen () bah com>
Date: Mon, 25 Apr 2005 20:42:54 +0100
A little more information would be helpful. What kind of application are you writing? What is the platform? Is there a secure database or directory available anywhere in the infrastructure to which the application has access?

If it's a client, is there a CD reader? If so, you could store the password encrypted on the client hard drive, or on the CD, and store the cryptokey on a read-only CD. Write a software routine that would read the key (and, if stored there, password) from the CD, store it in memory in a Java character array (char) (NOT in a string, which is immutable and thus won't be purged from memory until the garbage collector (GC) is explicitly run). As soon as the key is read from the CD, the software routine would force-eject the CD. You'd also use a char to store the decrypted password (again, not using String due to immutability).

The above approach has the advantage of not requiring any external system, such as a directory or database. On the other hand, you would have to burn a new CD each time either the key or password was changed, and you would have to write a non-standard software process to manage the CD access and ejection, password decryption, etc.

If it's a server-side web application, an alternate approach could be to store the password in a properties file accessible to the application OUTSIDE of the WEB-INF directory (do NOT place properties in the web.xml, which is deployed in the web server's WEB-INF directory, which represents a frequent, high-value target). Your best bet is to use the java.util.Properties class, because it contains methods to access properties files. The getProperty() method of this class returns a string value, which should be immediately copied over into a char array, and all references to the string should be immediately nulled, and GC should be immediately requested to purge the string from memory.

Keep in mind that the Properties class will still have a reference to the password, so the only sure way of removing the password from memory is by calling the remove() method on the java.util.Properties class before garbage collection. This will remove the reference from the hashtable and allow the GC to purge the string from memory. The objective is to ensure that the immutable string is only used as an ephemeral artifact for moving the password out of the properties into memory: all references to the string must be nulled to ensure the password cannot be read from memory after it is used (the char containing the password will be purged as soon as it is used, so GC won't have to be explicitly invoked to do this).

--
Karen Goertzel, CISSP
Booz Allen Hamilton
703-902-6981
[EMAIL PROTECTED]
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of john bart
Sent: Monday, April 25, 2005 3:56 AM
To: [EMAIL PROTECTED]
Subject: [SC-L] Java keystore password storage

Hello to all the list. I need some advice on where to store the keystore's password. Right now, I have something like this in my code:

keystore = KeyStore.getInstance("JKS");
keystore.load(new FileInputStream("keystore.jks"),"PASSWORD");

The question is, where do I store the password string? All of the possibilities that I thought about are not good enough:
1) storing it in the code - obviously not.
2) storing it in a separate config file is also not secure.
3) entering the password at runtime is not an option.
4) encrypting the password - famous chicken and egg problem (storing the encryption key)

Any ideas?
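The properties-file approach from the reply above, written out as an added example (not code from either poster): the password is read with java.util.Properties from a file outside WEB-INF, copied into a char[], the entry is removed from the Properties object, the String reference is dropped, and the array is overwritten once KeyStore.load() has consumed it. The property name keystore.password and the path /etc/myapp/keystore.properties are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.Collections;
import java.util.Properties;

public final class KeyStoreLoader {
    // Assumed property name; the properties file lives outside WEB-INF.
    private static final String PASSWORD_KEY = "keystore.password";

    /** Reads the password into a char[] and drops every String reference we hold. */
    static char[] readPasswordAsChars(Path propsFile) throws IOException {
        Properties props = new Properties();
        try (InputStream in = Files.newInputStream(propsFile)) {
            props.load(in);
        }
        String pw = props.getProperty(PASSWORD_KEY);
        if (pw == null) {
            throw new IOException("missing property " + PASSWORD_KEY);
        }
        char[] chars = pw.toCharArray(); // mutable copy that can be wiped later
        props.remove(PASSWORD_KEY);      // Properties no longer references the String
        pw = null;                       // drop our own reference
        System.gc();                     // a hint only; the JVM may ignore it
        return chars;
    }

    /** Loads the JKS keystore and wipes the password array whether or not load() succeeds. */
    static KeyStore loadKeyStore(Path keystoreFile, Path propsFile)
            throws IOException, GeneralSecurityException {
        char[] password = readPasswordAsChars(propsFile);
        try (InputStream in = Files.newInputStream(keystoreFile)) {
            KeyStore ks = KeyStore.getInstance("JKS");
            ks.load(in, password);
            return ks;
        } finally {
            Arrays.fill(password, '\0'); // overwrite the password in place
        }
    }

    public static void main(String[] args) throws Exception {
        Path props = Paths.get("/etc/myapp/keystore.properties"); // assumed location
        KeyStore ks = loadKeyStore(Paths.get("keystore.jks"), props);
        System.out.println("aliases: " + Collections.list(ks.aliases()));
    }
}
```

System.gc() is only a request, and the JVM may still hold copies of the String (for example in the Properties backing table before remove() or in interned constants), so the char[] wipe is the part of this that is under the application's control.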