
RE: Java keystore password storage

Subject: RE: Java keystore password storage
Date: Mon, 25 Apr 2005 10:52:49 -0700
Oh this thorny issue again!

On Windows you can call into the Data Protection API (CryptProtectData
etc), which uses keys derived from the user's password to protect secret
data like this, or uses a machine key if you want to lock the key down
to the machine. Mac OSX offers a similar technology called Keychain
(SecKeychainAddGenericPassword etc), but these are of course OS specific
solutions. 

I know of no other way that works solely with Java on all platforms...


[Writing Secure Code] http://www.microsoft.com/mspress/books/5957.asp
[Protect Your PC] http://www.microsoft.com/protect
[Blog] http://blogs.msdn.com/michael_howard
[SDL] http://msdn.microsoft.com/security/sdl

-----Original Message-----
From: john bart [mailto:sysadmin256@hotmail.com] 
Sent: Monday, April 25, 2005 12:56 AM
To: comp.lang.java.security@news2mail.com; SC-L@securecoding.org;
secprog@securityfocus.com; vuln-dev@securityfocus.com;
webappsec@securityfocus.com
Subject: Java keystore password storage

Hello to all the list.
I need some advice on where to store the keystore's password.
Right now, I have something like this in my code:

KeyStore keystore = KeyStore.getInstance("JKS");
// load() takes the password as a char[], not a String
keystore.load(new FileInputStream("keystore.jks"), "PASSWORD".toCharArray());

the question is, where do I store the password string? all of the
possibilities that I thought about are not good enough:
1) storing it in the code - obviously not.
2) storing it in a separate config file is also not secure.
3) entering the password at runtime is not an option.
4) encrypting the password - famous chicken and egg problem (storing the
encryption key)

Any ideas?
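Whatever the secret ultimately comes from (DPAPI or Keychain on the platforms the reply names, or some other protected source), the Java side still has to call KeyStore.load correctly and not leave the password lying around. The following is an added example, not code from either poster: it reads the password at runtime from an environment variable (the variable name KEYSTORE_PASSWORD is a constructed assumption, not something from the thread), passes it as a char[] and zeroes the array once the keystore is loaded. Sourcing the secret from the environment is only a stand-in for a platform-specific store; it does not resolve the chicken-and-egg question the original post raises.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;

/**
 * Added example (not from the mailing-list thread).
 *
 * Loads a JKS keystore with a password obtained at runtime instead of a
 * literal in the source. The source used here, an environment variable,
 * is an ASSUMPTION for illustration; on Windows or macOS the secret would
 * typically be released by DPAPI or Keychain, which are OS-specific and
 * outside what this class does. The class only cares about receiving a
 * char[] that it can wipe afterwards.
 */
public final class KeystoreLoader {

    private KeystoreLoader() {}

    /**
     * Obtain the keystore password as a char[] so it can be zeroed after use.
     * Note the caveat: System.getenv returns an immutable String, so a copy of
     * the secret lives in the String pool until garbage collected; a store that
     * hands back bytes or chars directly avoids that copy.
     */
    static char[] passwordFromEnv(String variable) {
        String value = System.getenv(variable);
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("keystore password not available in " + variable);
        }
        return value.toCharArray();
    }

    /** Load the keystore and guarantee the password array is zeroed afterwards. */
    static KeyStore load(Path keystorePath, char[] password)
            throws IOException, GeneralSecurityException {
        try (InputStream in = Files.newInputStream(keystorePath)) {
            KeyStore ks = KeyStore.getInstance("JKS");
            ks.load(in, password);          // load() takes char[], not String
            return ks;
        } finally {
            Arrays.fill(password, '\0');    // do not leave the secret on the heap
        }
    }

    public static void main(String[] args) throws Exception {
        Path path = Paths.get(args.length > 0 ? args[0] : "keystore.jks");
        // KEYSTORE_PASSWORD is a constructed variable name, not from the thread
        char[] pw = passwordFromEnv("KEYSTORE_PASSWORD");
        KeyStore ks = load(path, pw);
        System.out.println("Loaded keystore with " + ks.size() + " entries");
    }
}
```

The design point is the separation: load() never knows or cares where the char[] came from, so the platform-specific retrieval (DPAPI, Keychain, an HSM, an operator typing it) can be swapped in behind passwordFromEnv without touching the keystore code, and the finally block ensures the array is wiped on both the success and the failure path.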
