RE: Java keystore password storage

["Chris Matthews" <cmatthews () xn com>]

> 1) storing it in the code - obviously not.

I concur :)

> 2) storing it in a seperate config file is also not secure.

Definitely a possibility.  The question now becomes: is this secure
"enough"? (filesystem permissions, mitigating the problem to the level
of the system administrators).

> 4) encrypting the password - famous chicken and egg problem (storing
the
encryption key)

Indeed: this is not a solution, but rather a complication of the process
for no real gain (as you've described it).

> 3) entering the password at runtime is not an option.

This is problably the safest/securest solution.  Given how you've worded
this, I would suspect that you want the system to be able to start by
itself.  This implies the system bootstrapping it's own security chain,
which to my limited knowledge is not only not secure, but pretty
pointless as there are easier methods to achieve the end goal with the
exact same security level (for example, storing your keystore
unencrypted but with filesystem permissions which do not permit anyone
but the application of accessing it).

It would also be prudent to point out that most likely any way you will
think of to hide/secure/obfusticate the secret needed to access the
keystore such that your application can automatically gain access to the
keystore, an attacker can mimic this set of operations and gain access
to the ketstore at well.

Cheers,
Chris