None that I'm aware of.

[Writing Secure Code] http://www.microsoft.com/mspress/books/5957.asp
[Protect Your PC] http://www.microsoft.com/protect
[Blog] http://blogs.msdn.com/michael_howard
[SDL] http://msdn.microsoft.com/security/sdl

-----Original Message-----
From: john bart [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 26, 2005 10:46 AM
To: Michael Howard; [EMAIL PROTECTED]; [email protected]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: Java keystore password storage

Is there something like Windows' DPAPI in the Unix world (Solaris, Linux, etc.)?

>From: "Michael Howard" <[EMAIL PROTECTED]>
>To: "john bart"
><[EMAIL PROTECTED]>,<[EMAIL PROTECTED]>,<SC-L
>@securecoding.org>,<[EMAIL PROTECTED]>,<[EMAIL PROTECTED]
>com>,<[EMAIL PROTECTED]>
>Subject: RE: Java keystore password storage
>Date: Mon, 25 Apr 2005 10:52:49 -0700
>
>Oh this thorny issue again!
>
>On Windows you can call into the Data Protection API (CryptProtectData
>etc), which uses keys derived from the user's password to protect
>secret data like this, or uses a machine key if you want to lock the
>key down to the machine. Mac OS X offers a similar technology called
>Keychain (SecKeychainAddGenericPassword etc), but these are of course
>OS-specific solutions.
>
>I know of no other way that works solely with Java on all platforms...
>
>-----Original Message-----
>From: john bart [mailto:[EMAIL PROTECTED]
>Sent: Monday, April 25, 2005 12:56 AM
>To: [EMAIL PROTECTED]; [email protected];
>[EMAIL PROTECTED]; [EMAIL PROTECTED];
>[EMAIL PROTECTED]
>Subject: Java keystore password storage
>
>Hello to all the list.
>I need some advice on where to store the keystore's password.
>Right now, I have something like this in my code:
>
>keystore = KeyStore.getInstance("JKS");
>keystore.load(new FileInputStream("keystore.jks"), "PASSWORD".toCharArray());
>
>The question is, where do I store the password string? All of the
>possibilities that I thought about are not good enough:
>1) storing it in the code - obviously not.
>2) storing it in a separate config file is also not secure.
>3) entering the password at runtime is not an option.
>4) encrypting the password - famous chicken and egg problem (storing
>the encryption key)
>
>Any ideas?
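
The DPAPI approach described in the thread (CryptProtectData), applied to the keystore password, as an added example that is not part of the original messages. It is Windows-only and assumes the JNA `jna-platform` library is on the classpath for the `Crypt32Util` wrapper; the file name `keystore.pass.dpapi` and the class name are hypothetical.

```java
import com.sun.jna.platform.win32.Crypt32Util; // assumption: jna-platform is on the classpath
import java.io.InputStream;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.KeyStore;
import java.util.Arrays;

public class DpapiKeystorePassword {
    // Hypothetical file name for the DPAPI-protected password blob.
    static final Path BLOB = Paths.get("keystore.pass.dpapi");

    // One-time setup, run as the account the application runs under.
    static void protect(char[] password) throws Exception {
        ByteBuffer bb = StandardCharsets.UTF_8.encode(CharBuffer.wrap(password));
        byte[] plain = new byte[bb.remaining()];
        bb.get(plain);
        try {
            // Default flags: the blob is bound to the current user's credentials.
            // The CRYPTPROTECT_LOCAL_MACHINE flag binds it to the machine instead.
            Files.write(BLOB, Crypt32Util.cryptProtectData(plain));
        } finally {
            Arrays.fill(plain, (byte) 0); // do not leave the cleartext in memory
        }
    }

    // At startup: unwrap the blob and open the keystore, with no password in code or config.
    static KeyStore load(Path keystoreFile) throws Exception {
        byte[] plain = Crypt32Util.cryptUnprotectData(Files.readAllBytes(BLOB));
        CharBuffer cb = StandardCharsets.UTF_8.decode(ByteBuffer.wrap(plain));
        char[] password = new char[cb.remaining()];
        cb.get(password);
        try (InputStream in = Files.newInputStream(keystoreFile)) {
            KeyStore ks = KeyStore.getInstance("JKS");
            ks.load(in, password);
            return ks;
        } finally {
            Arrays.fill(plain, (byte) 0);
            Arrays.fill(password, '\0');
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 1 && args[0].equals("protect")) {
            if (System.console() == null) throw new IllegalStateException("run from a console");
            protect(System.console().readPassword("Keystore password: "));
        } else {
            System.out.println("entries: " + load(Paths.get("keystore.jks")).size());
        }
    }
}
```

With the default flags, any process running as the same Windows account can unprotect the blob, so the protection is only as strong as the controls on who can run code as that account.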
