Secure Coding mailing list archives
Re: Java keystore password storage
From: Nash <nash () solace net>
Date: Mon, 25 Apr 2005 20:47:36 +0100
Well, you have provided very little useful information about the application and its threat model. So, knowing what to suggest is difficult. Can you say more?

FWIW, we used to use the old C function memfrob to obscure passwords in code when we couldn't avoid putting them there. At least that way the strings command didn't find them. Didn't help much if your hackers had read the HHGTTG, though.

-nash

On Mon, Apr 25, 2005 at 07:55:43AM +0000, john bart wrote:
> Hello to all the list.
> I need some advice on where to store the keystore's password.
> Right now, I have something like this in my code:
>
>     keystore = KeyStore.getInstance("JKS");
>     keystore.load(new FileInputStream("keystore.jks"), "PASSWORD".toCharArray());
>
> The question is, where do I store the password string?
> All of the possibilities that I thought about are not good enough:
> 1) storing it in the code - obviously not.
> 2) storing it in a separate config file is also not secure.
> 3) entering the password at runtime is not an option.
> 4) encrypting the password - famous chicken and egg problem (storing the encryption key)
>
> Any ideas?
-- An ideal world is left as an exercise for the reader. - Paul Graham
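
An added example (not part of the original thread, and not code from either poster): the memfrob transform mentioned in the reply is a fixed XOR with 42, so it keeps a literal password out of a plain `strings`/grep search, yet a build-artifact audit that knows the constant still finds it. The helper names and the sample image are constructed for illustration; `frob` reimplements the transform instead of calling glibc's `memfrob`.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same transform as glibc memfrob(3): XOR every byte with 42 (self-inverse). */
static void frob(unsigned char *buf, size_t n) {
    for (size_t i = 0; i < n; i++) buf[i] ^= 42;
}

/* Raw byte search; the needle may contain NUL bytes after frobbing. */
static int find_bytes(const unsigned char *hay, size_t n,
                      const unsigned char *needle, size_t m) {
    if (m == 0 || m > n) return 0;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* What `strings file | grep secret` effectively checks. */
static int contains_plain(const unsigned char *hay, size_t n, const char *s) {
    return find_bytes(hay, n, (const unsigned char *)s, strlen(s));
}

/* Audit check: search for the XOR-42 form of the secret instead. */
static int contains_frobbed(const unsigned char *hay, size_t n, const char *s) {
    unsigned char tmp[256];
    size_t m = strlen(s);
    if (m == 0 || m > sizeof tmp) return 0;
    memcpy(tmp, s, m);
    frob(tmp, m);
    return find_bytes(hay, n, tmp, m);
}

/* Constructed sample "binary": filler text around a frobbed copy of PASSWORD. */
static size_t build_image(unsigned char *img, size_t cap) {
    const char pre[] = "cfg:keystore.jks;", post[] = ";end";
    unsigned char secret[] = "PASSWORD";
    size_t a = strlen(pre), s = sizeof secret - 1, b = strlen(post);
    if (a + s + b > cap) return 0;
    frob(secret, s);
    memcpy(img, pre, a);
    memcpy(img + a, secret, s);
    memcpy(img + a + s, post, b);
    return a + s + b;
}

int main(void) {
    unsigned char img[64];
    size_t n = build_image(img, sizeof img);
    printf("plain search hit:   %d\n", contains_plain(img, n, "PASSWORD"));
    printf("frobbed search hit: %d\n", contains_frobbed(img, n, "PASSWORD"));
    return 0;
}
```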