I'm by no means an expert in the field of security and Java, but I believe that
the usual technique is to encode the password that the user types using a 1-way
hashing algorithm, then store (and hide/protect) the encoded version and use
that as the password. If an attacker manages to read the password hash, he still
has to construct a password that will encode to the same value.

There are a number of hashing algorithms available. SHA1 used to be considered
fairly good for this sort of thing, but I understand it has been broken

This technique does make it impossible to recover the password; if the password
is lost, it has to be reset to a new one.

David Crocker, Escher Technologies Ltd.
Consultancy, contracting and tools for dependable software development

-----Original Message-----
Of john bart
Sent: 25 April 2005 08:56
To: SC-L@securecoding.org
Subject: [SC-L] Java keystore password storage

Hello to all the list.
I need some advice on where to store the keystore's password. Right now, i have
something like this in my code:

keystore = KeyStore.getInstance("JKS");
keystore.load(new FileInputStream("keystore.jks"),"PASSWORD");

the question is, where do i store the password string? all of the possibilities
that i thought about are not good enough:
1) storing it in the code - obviously not.
2) storing it in a seperate config file is also not secure.
3) entering the password at runtime is not an option.
4) encrypting the password - famous chicken and egg problem (storing the
encryption key)

Any ideas?

Reply via email to