Well, you have provided very little useful information about the application and its threat model. So, knowing what to suggest is difficult. Can you say more?
FWIW, we used to use the old C function memfrob to obscure passwords in code when we couldn't avoid putting them there. At least that way the strings command didn't find them. Didn't help much if your hackers had read the HHGTTG, though.

-nash

On Mon, Apr 25, 2005 at 07:55:43AM +0000, john bart wrote:
> Hello to all the list.
> I need some advice on where to store the keystore's password.
> Right now, I have something like this in my code:
>
> keystore = KeyStore.getInstance("JKS");
> keystore.load(new FileInputStream("keystore.jks"), "PASSWORD".toCharArray());
>
> The question is, where do I store the password string? All of the
> possibilities that I thought about are not good enough:
> 1) storing it in the code - obviously not.
> 2) storing it in a separate config file is also not secure.
> 3) entering the password at runtime is not an option.
> 4) encrypting the password - famous chicken and egg problem (storing the
> encryption key)
>
> Any ideas?

--
An ideal world is left as an exercise for the reader.
 - Paul Graham
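The memfrob trade-off mentioned in the reply above, as an added example that is not part of the original thread: XOR-ing an embedded password with 42 hides it from a strings-style scan for the plaintext, and the same XOR brings it straight back. The helper names `frob` and `strings_finds` and the sample buffer are constructed for illustration; `frob` is written out by hand so the code does not depend on glibc's memfrob.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* XOR every byte with 42, the transformation glibc's memfrob() applies. */
static void frob(unsigned char *buf, size_t n) {
    for (size_t i = 0; i < n; i++)
        buf[i] ^= 42;
}

/* Minimal stand-in for strings(1): returns 1 if `needle` occurs inside a
   run of at least `min_run` printable bytes in buf, otherwise 0. */
static int strings_finds(const unsigned char *buf, size_t n,
                         const char *needle, size_t min_run) {
    size_t len = strlen(needle), start = 0;
    for (size_t i = 0; i <= n; i++) {
        if (i < n && isprint(buf[i]))
            continue;                       /* still inside a printable run */
        /* The run is buf[start..i); search it if it is long enough. */
        if (i - start >= min_run && i - start >= len)
            for (size_t j = start; j + len <= i; j++)
                if (memcmp(buf + j, needle, len) == 0)
                    return 1;
        start = i + 1;
    }
    return 0;
}

int main(void) {
    /* Constructed sample: a zero-filled "binary image" with a password in it. */
    const char *secret = "PASSWORD";
    unsigned char image[32] = {0};
    size_t len = strlen(secret);
    memcpy(image + 8, secret, len);

    printf("plain image, scan finds it:   %d\n",
           strings_finds(image, sizeof image, secret, 4));
    frob(image + 8, len);                   /* obscure the embedded copy */
    printf("frobbed image, scan finds it: %d\n",
           strings_finds(image, sizeof image, secret, 4));
    frob(image + 8, len);                   /* same XOR undoes it: no key involved */
    printf("frobbed twice, scan finds it: %d\n",
           strings_finds(image, sizeof image, secret, 4));
    return 0;
}
```

The frobbed bytes are still a printable run, so a scan lists them; only a search for the original text comes up empty.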