Secure Coding mailing list archives
RE: Java keystore password storage
From: "Chris Matthews" <cmatthews () xn com>
Date: Mon, 25 Apr 2005 21:02:27 +0100
> 1) storing it in the code - obviously not.
I concur :)
> 2) storing it in a separate config file is also not secure.
Definitely a possibility. The question now becomes: is this secure "enough"? (filesystem permissions, mitigating the problem to the level of the system administrators).
> 4) encrypting the password - famous chicken and egg problem (storing the encryption key)

Indeed: this is not a solution, but rather a complication of the process for no real gain (as you've described it).
> 3) entering the password at runtime is not an option.
This is probably the safest/securest solution. Given how you've worded this, I would suspect that you want the system to be able to start by itself. This implies the system bootstrapping its own security chain, which to my limited knowledge is not only not secure, but pretty pointless, as there are easier methods to achieve the end goal with the exact same security level (for example, storing your keystore unencrypted but with filesystem permissions which do not permit anyone but the application to access it).

It would also be prudent to point out that, most likely, any way you will think of to hide/secure/obfuscate the secret needed to access the keystore, such that your application can automatically gain access to the keystore, an attacker can mimic this set of operations and gain access to the keystore as well.

Cheers,
Chris
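Chris's fallback (a keystore protected only by filesystem permissions, with the secret kept outside the code) can at least be enforced when the application starts. Added example, not code from any poster in this thread: a Java loader that reads the keystore password from a separate file and refuses to proceed unless both files are owned by the running user with no group/others permission bits set. The class and method names and the file paths are assumptions; the permission check needs a POSIX filesystem.

```java
// Added example, not from the mailing list thread: load a PKCS12 keystore whose
// password sits in a separate file, refusing unless both files are owner-only.
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFileAttributes;
import java.nio.file.attribute.PosixFilePermission;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.Collections;
import java.util.EnumSet;
import java.util.Set;

public class GuardedKeyStoreLoader {
    // Any group/others bit on the password or keystore file means other accounts can read it.
    private static final Set<PosixFilePermission> FORBIDDEN = EnumSet.of(
        PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE, PosixFilePermission.GROUP_EXECUTE,
        PosixFilePermission.OTHERS_READ, PosixFilePermission.OTHERS_WRITE, PosixFilePermission.OTHERS_EXECUTE);

    /** Throws unless the file is owned by the running user and has no group/others permissions. */
    static void requireOwnerOnly(Path file) throws IOException {
        PosixFileAttributes attrs = Files.readAttributes(file, PosixFileAttributes.class);
        if (!attrs.owner().getName().equals(System.getProperty("user.name"))) {
            throw new IOException(file + " is not owned by the running user");
        }
        Set<PosixFilePermission> perms = attrs.permissions();
        if (!Collections.disjoint(perms, FORBIDDEN)) {
            throw new IOException(file + " is accessible to group/others: " + perms);
        }
    }

    /** Loads the keystore; the password array is zeroed once KeyStore.load has used it. */
    static KeyStore load(Path keystoreFile, Path passwordFile) throws Exception {
        requireOwnerOnly(keystoreFile);
        requireOwnerOnly(passwordFile);
        // The intermediate String cannot be wiped; the char[] handed to load() is.
        char[] password = new String(Files.readAllBytes(passwordFile), StandardCharsets.UTF_8).trim().toCharArray();
        try (InputStream in = Files.newInputStream(keystoreFile)) {
            KeyStore ks = KeyStore.getInstance("PKCS12");
            ks.load(in, password);
            return ks;
        } finally {
            Arrays.fill(password, '\0');
        }
    }
}
```

Call it as `GuardedKeyStoreLoader.load(Path.of("/etc/myapp/app.p12"), Path.of("/etc/myapp/app.p12.pass"))` (placeholder paths) after creating the password file with mode 0600; a world-readable password file then fails loudly at start-up instead of silently working.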
Current thread:
- Java keystore password storage john bart (Apr 25)
- Re: Java keystore password storage Blue Boar (Apr 25)
- Re: Java keystore password storage Nash (Apr 25)
- RE: Java keystore password storage Chris Matthews (Apr 25)
- RE: Java keystore password storage David Crocker (Apr 25)
- Re: Java keystore password storage Edgar Danielyan (Apr 26)
- Re: Java keystore password storage Michael Silk (Apr 26)
- Re: Java keystore password storage Edgar Danielyan (Apr 26)
- Re: Java keystore password storage Edgar Danielyan (Apr 26)
- Re: Java keystore password storage Blue Boar (Apr 26)
- Re: Java keystore password storage ljknews (Apr 26)
- RE: Java keystore password storage Chris Matthews (Apr 26)
- Re: Java keystore password storage Nash (Apr 27)
- Re: Java keystore password storage Mark (May 03)
- <Possible follow-ups>
- RE: Java keystore password storage Goertzel Karen (Apr 25)