Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Java keystore password storage

from [Scott, Richard] Network Security [Permanent Link]
Subject: RE: Java keystore password storage
Date: Thu, 23 Jun 2005 13:31:18 -0500 
I have seen some architectures where machine certificates are used to gain 
access to a directory service to access resource information such as passwords 
to a keystore.

The different solutions to the same core problem doesn't really give a lot of 
protection, but each has their benefits.  If the server is rooted, then the 
malicious user may well have access to such credentials/resources, if they have 
time to pay around.

Using an indexing to obtain the password such as LDAP et al allows for greater 
ease of maintenance if one has a large scale of machines to manage.  On the 
other hand, storing passwords in property files, with correct ACL's makes 
system maintenance pretty easy - but the attack could quite easily grep this 
information.

IMHO - the best solution depends on your threat models.

Cheers,
R.

-----Original Message-----
From: Fredrik Hesse [mailto:fredrik.hesse@nexus.se] 
Sent: Monday, April 25, 2005 12:53 PM
To: 'john bart '; 'comp.lang.java.security@news2mail.com '; 
'SC-L@securecoding.org '; 'secprog@securityfocus.com '; 
'vuln-dev@securityfocus.com '; 'webappsec@securityfocus.com '
Subject: Re: Java keystore password storage

Indeed a classic problem, unfortunately there are no platform-independant 
services for storing things like this.
But a config-file with proper access-restrictions goes a long way..
And I guess thats the solution you're leaning against if I read between the 
lines.
3 is good since it doesn't require storage of the password on disk, otoh it 
requires human intervention which you probably want to avoid.

I'm no expert on LDAP, but could anyone tell if you use a directory service to 
pull the password from?

Regards
Fredr!k
 

-----Ursprungligt meddelande-----
Från: john bart
Till: comp.lang.java.security@news2mail.com; SC-L@securecoding.org; 
secprog@securityfocus.com; vuln-dev@securityfocus.com; 
webappsec@securityfocus.com
Skickat: 2005-04-25 09:55
Ämne: Java keystore password storage

Hello to all the list.
I need some advice on where to store the keystore's password.
Right now, i have something like this in my code:

keystore = KeyStore.getInstance("JKS");
keystore.load(new FileInputStream("keystore.jks"),"PASSWORD");

the question is, where do i store the password string? all of the possibilities 
that i thought about are not good enough:
1) storing it in the code - obviously not.
2) storing it in a seperate config file is also not secure.
3) entering the password at runtime is not an option.
4) encrypting the password - famous chicken and egg problem (storing the

encryption key)

Any ideas?

_________________________________________________________________
Express yourself instantly with MSN Messenger! Download today it's FREE!

http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • RE: Java keystore password storage, Scott, Richard <=
Previous by Date:  Top Ten Principles for Building Secure Software, Mark Curphey
Next by Date:  Re: [summary] Re: Should login pages be protected by SSL?, Devdas Bhagat
Previous by Thread:  Top Ten Principles for Building Secure Software, Mark Curphey
Next by Thread:  Administrivia: Follow up to survey responses, Andrew van der Stock
Indexes:  [Date] [Thread] [Top] [All Lists]