RE: Java keystore password storage

["Scott, Richard" <Richard.Scott () bestbuy com>]

I have seen some architectures where machine certificates are used to gain access to a directory service to access 
resource information such as passwords to a keystore.

The different solutions to the same core problem doesn't really give a lot of protection, but each has their benefits.  
If the server is rooted, then the malicious user may well have access to such credentials/resources, if they have time 
to pay around.

Using an indexing to obtain the password such as LDAP et al allows for greater ease of maintenance if one has a large 
scale of machines to manage.  On the other hand, storing passwords in property files, with correct ACL's makes system 
maintenance pretty easy - but the attack could quite easily grep this information.

IMHO - the best solution depends on your threat models.

Cheers,
R.

-----Original Message-----
From: Fredrik Hesse [mailto:fredrik.hesse () nexus se] 
Sent: Monday, April 25, 2005 12:53 PM
To: 'john bart '; 'comp.lang.java.security () news2mail com '; 'SC-L () securecoding org '; 'secprog () securityfocus 
com '; 'vuln-dev () securityfocus com '; 'webappsec () securityfocus com '
Subject: Re: Java keystore password storage

Indeed a classic problem, unfortunately there are no platform-independant services for storing things like this.
But a config-file with proper access-restrictions goes a long way..
And I guess thats the solution you're leaning against if I read between the lines.
3 is good since it doesn't require storage of the password on disk, otoh it requires human intervention which you 
probably want to avoid.

I'm no expert on LDAP, but could anyone tell if you use a directory service to pull the password from?

Regards
Fredr!k
 

-----Ursprungligt meddelande-----
Från: john bart
Till: comp.lang.java.security () news2mail com; SC-L () securecoding org; secprog () securityfocus com; vuln-dev () 
securityfocus com; webappsec () securityfocus com
Skickat: 2005-04-25 09:55
Ämne: Java keystore password storage

Hello to all the list.
I need some advice on where to store the keystore's password.
Right now, i have something like this in my code:

keystore = KeyStore.getInstance("JKS");
keystore.load(new FileInputStream("keystore.jks"),"PASSWORD");

the question is, where do i store the password string? all of the possibilities that i thought about are not good 
enough:
1) storing it in the code - obviously not.
2) storing it in a seperate config file is also not secure.
3) entering the password at runtime is not an option.
4) encrypting the password - famous chicken and egg problem (storing the

encryption key)

Any ideas?

_________________________________________________________________
Express yourself instantly with MSN Messenger! Download today it's FREE!

http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/