Secure Coding mailing list archives

Re: Java keystore password storage


From: Nash <nash () solace net>
Date: Mon, 25 Apr 2005 20:47:36 +0100


Well, you have provided very little useful information about the
application and its threat model. So, knowing what to suggest is
difficult. Can you say more?

FWIW, we used to use the old C function memfrob to obscure passwords
in code when we couldn't avoid putting them there. At least that way
the strings command didn't find them. Didn't help much if your hackers
had read the HHGTTG, though.

-nash

On Mon, Apr 25, 2005 at 07:55:43AM +0000, john bart wrote:
Hello to all the list.
I need some advice on where to store the keystore's password.
Right now, I have something like this in my code:

keystore = KeyStore.getInstance("JKS");
// KeyStore.load() takes the password as a char[], not a String
keystore.load(new FileInputStream("keystore.jks"), "PASSWORD".toCharArray());

The question is, where do I store the password string? All of the
possibilities that I thought about are not good enough:
1) storing it in the code - obviously not.
2) storing it in a separate config file is also not secure.
3) entering the password at runtime is not an option.
4) encrypting the password - famous chicken and egg problem (storing the
encryption key)

Any ideas?



-- 

An ideal world is left as an exercise for the reader.

        - Paul Graham
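The memfrob trick Nash mentions hides a literal from the strings command, but the obscured password still ships inside the program and the transform is trivially reversed. An alternative that keeps the password out of the source and the binary entirely is sketched below. This is an added example, not code from either poster: it resolves the keystore password from an environment variable, or from a file that must be readable only by its owner, holds it as a char[] and wipes it after KeyStore.load(). The variable names KEYSTORE_PASSWORD and KEYSTORE_PASSWORD_FILE and the class name are assumptions made for this example. It does not dissolve the chicken-and-egg problem the original post describes; it moves the secret from the code to the host's access controls (file ownership and permissions, or the process environment), which is the substance of option 2 done with restrictions.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.Set;

// Added example (not from the thread): load a JKS keystore without a
// password literal in the source. KEYSTORE_PASSWORD and
// KEYSTORE_PASSWORD_FILE are names assumed for this example.
public final class KeyStoreLoader {

    private KeyStoreLoader() {}

    // Resolve the password as a char[] so it can be wiped after use;
    // a String would linger in the heap until it is garbage collected.
    static char[] resolvePassword() throws IOException {
        String fromEnv = System.getenv("KEYSTORE_PASSWORD");
        if (fromEnv != null && !fromEnv.isEmpty()) {
            return fromEnv.toCharArray();
        }
        String file = System.getenv("KEYSTORE_PASSWORD_FILE");
        if (file == null || file.isEmpty()) {
            throw new IOException("no keystore password source configured");
        }
        Path path = Paths.get(file);
        rejectIfWorldReadable(path);
        byte[] raw = Files.readAllBytes(path);
        try {
            // Decode straight into a CharBuffer to avoid creating a String.
            CharBuffer chars = StandardCharsets.UTF_8.decode(ByteBuffer.wrap(raw));
            int len = chars.limit();
            // Drop a trailing newline left by an editor or echo.
            while (len > 0 && (chars.get(len - 1) == '\n' || chars.get(len - 1) == '\r')) {
                len--;
            }
            char[] password = new char[len];
            chars.get(password, 0, len);
            if (chars.hasArray()) {
                Arrays.fill(chars.array(), '\0');
            }
            return password;
        } finally {
            Arrays.fill(raw, (byte) 0);
        }
    }

    // Refuse a password file that group or others can read. On file systems
    // without POSIX permissions this check is skipped rather than failing.
    static void rejectIfWorldReadable(Path path) throws IOException {
        try {
            Set<PosixFilePermission> perms = Files.getPosixFilePermissions(path);
            if (perms.contains(PosixFilePermission.GROUP_READ)
                    || perms.contains(PosixFilePermission.OTHERS_READ)) {
                throw new IOException("password file " + path + " is readable by group or others");
            }
        } catch (UnsupportedOperationException e) {
            // Non-POSIX file system: permissions cannot be inspected here.
        }
    }

    public static KeyStore load(String keystorePath)
            throws IOException, GeneralSecurityException {
        char[] password = resolvePassword();
        try (InputStream in = new FileInputStream(keystorePath)) {
            KeyStore keystore = KeyStore.getInstance("JKS");
            keystore.load(in, password); // load() takes a char[], not a String
            return keystore;
        } finally {
            // Wipe our copy; the password never appears in the class file.
            Arrays.fill(password, '\0');
        }
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "keystore.jks";
        KeyStore keystore = load(path);
        System.out.println("Loaded keystore with " + keystore.size() + " entries");
    }
}
```

Run it as `KEYSTORE_PASSWORD_FILE=/etc/myapp/keystore.pw java KeyStoreLoader keystore.jks` with the password file owned by the service account and mode 0400. The environment-variable path is convenient for containers and init systems, but remember that a process's environment is visible to anyone who can read /proc/<pid>/environ on the same host, so the file route with tight permissions is the safer of the two when both are available.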
