RE: [SC-L] Java keystore password storage
I'm by no means an expert in the field of security and Java, but I believe that
the usual technique is to encode the password that the user types using a 1-way
hashing algorithm, then store (and hide/protect) the encoded version and use
that as the password. If an attacker manages to read the password hash, he still
has to construct a password that will encode to the same value.
There are a number of hashing algorithms available. SHA1 used to be considered
fairly good for this sort of thing, but I understand it has been broken
recently.
This technique does make it impossible to recover the password; if the password
is lost, it has to be reset to a new one.
David Crocker, Escher Technologies Ltd.
Consultancy, contracting and tools for dependable software development
www.eschertech.com
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of john bart
Sent: 25 April 2005 08:56
To: SC-L@securecoding.org
Subject: [SC-L] Java keystore password storage
Hello to all the list.
I need some advice on where to store the keystore's password. Right now, i have
something like this in my code:
keystore = KeyStore.getInstance("JKS");
keystore.load(new FileInputStream("keystore.jks"),"PASSWORD");
the question is, where do i store the password string? all of the possibilities
that i thought about are not good enough:
1) storing it in the code - obviously not.
2) storing it in a seperate config file is also not secure.
3) entering the password at runtime is not an option.
4) encrypting the password - famous chicken and egg problem (storing the
encryption key)
Any ideas?
[SC-L] RE: Java keystore password storage
Oh this thorny issue again!
On Windows you can call into the Data Protection API (CryptProtectData
etc), which uses keys derived from the user's password to protect secret
data like this, or uses a machine key if you want to lock the key down
to the machine. Mac OSX offers a similar technology called Keychain
(SecKeychainAddGenericPassword etc), but these are of course OS specific
solutions.
I know of no other way that works solely with Java on all platforms...
[Writing Secure Code] http://www.microsoft.com/mspress/books/5957.asp
[Protect Your PC] http://www.microsoft.com/protect
[Blog] http://blogs.msdn.com/michael_howard
[SDL] http://msdn.microsoft.com/security/sdl
-Original Message-
From: john bart [mailto:[EMAIL PROTECTED]
Sent: Monday, April 25, 2005 12:56 AM
To: [EMAIL PROTECTED]; SC-L@securecoding.org;
[EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: Java keystore password storage
Hello to all the list.
I need some advice on where to store the keystore's password.
Right now, i have something like this in my code:
keystore = KeyStore.getInstance("JKS");
keystore.load(new FileInputStream("keystore.jks"),"PASSWORD");
the question is, where do i store the password string? all of the
possibilities that i thought about are not good enough:
1) storing it in the code - obviously not.
2) storing it in a seperate config file is also not secure.
3) entering the password at runtime is not an option.
4) encrypting the password - famous chicken and egg problem (storing the
encryption key)
Any ideas?
_
Express yourself instantly with MSN Messenger! Download today it's FREE!
http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
RE: [SC-L] Java keystore password storage
A little more information would be helpful. What kind of application are
you writing? What is the platform? Is there a secure database or
directory available anywhere in the infrastructure to which the
application has access?
If it's a client, is there a CD reader? If so, you could store the
password encrypted on the client hard drive, or on the CD, and store the
cryptokey on a read-only CD. Write a software routine that would read
the key (and, if stored there, password) from the CD, store it in memory
in a Java character array (char) (NOT in a string, which is immutable
and thus won't be purged from memory until the garbage collector (GC) is
explicitly run). As soon as the key is read from the CD, the software
routine would force-eject the CD. You'd also use a char to store the
decrypted password (again, not using String due to immutability).
The above approach has the advantage of not requring any external
system, such as a directory or database. On the other hand, you would
have to burn a new CD each time either the key or password was changed,
and you would have to write a non-standard software process to manage
the CD access and ejection, password decryption, etc.
If it's a server-side web application, an alternate approach could be to
store the password in a properties file accessible to the application in
a properties file OUTSIDE of the WEB-INF directory (do NOT place
properties in the web.xml, which is deployed in the web server's WEB-INF
directory which represents a frequent, high-value target). Your best
bet is to use the java.util.Properties class, because it contains
methods to access properties files. The getProperty() method of this
class returns a string value, which should be immediately copied over
into a char array and all references to the string should be immediately
nulled, and GC should be immediatley requested to purge the string from
memory.
Keep in mind that the Properties class will still have a reference to
the password, so the only sure way of removing the password from memory
is by calling the remove() method on the java.util.Properties class
before garbage collection. This will remove the reference from the
hashtable, and allow the GC to purge the string from memory. The
objective is to ensure that the immutable string is only used as an
ephemeral artifact for moving the password out of the properties into
memory: all references to the string must be nulled to ensure the
password cannot be read from memory after it is used (the char
containing the password will be purged as soon as it is used, so GC
won't have to be explicitly invoked to do this).
--
Karen Goertzel, CISSP
Booz Allen Hamilton
703-902-6981
[EMAIL PROTECTED]
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of john bart
> Sent: Monday, April 25, 2005 3:56 AM
> To: SC-L@securecoding.org
> Subject: [SC-L] Java keystore password storage
>
> Hello to all the list.
> I need some advice on where to store the keystore's password.
> Right now, i have something like this in my code:
>
> keystore = KeyStore.getInstance("JKS");
> keystore.load(new FileInputStream("keystore.jks"),"PASSWORD");
>
> the question is, where do i store the password string? all of the
> possibilities that i thought about are not good enough:
> 1) storing it in the code - obviously not.
> 2) storing it in a seperate config file is also not secure.
> 3) entering the password at runtime is not an option.
> 4) encrypting the password - famous chicken and egg problem
> (storing the
> encryption key)
>
> Any ideas?
>
> _
> Express yourself instantly with MSN Messenger! Download today
> it's FREE!
> http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
>
>
>
Re: [SC-L] Java keystore password storage
john bart wrote: > Hello to all the list. > I need some advice on where to store the keystore's password. I don't know the Java functions you're asking about. Looks like it's decrypting a file? It's not possible to securely store the password. If a program can decrypt the file, then a program can decrypt the file. Unless you want to go for a very narrow definition of "securely store". Windows has a facility for "secured storage" that becomes accessible when the user logs in. It's used for storing sensitive information, like other passwords. It's theoretically good for protecting your info when the machine is off, or a different user is logged in. Ryan
Re: [SC-L] Java keystore password storage
Well, you have provided very little useful information about the
application and its threat model. So, knowing what to suggest is
difficult. Can you say more?
FWIW, we used to use the old C function memfrob to obscure passwords
in code when we couldn't avoid putting them there. At least that way
the strings command didn't find them. Didn't help much if your hackers
had read the HHGTTG, though.
-nash
On Mon, Apr 25, 2005 at 07:55:43AM +, john bart wrote:
> Hello to all the list.
> I need some advice on where to store the keystore's password.
> Right now, i have something like this in my code:
>
> keystore = KeyStore.getInstance("JKS");
> keystore.load(new FileInputStream("keystore.jks"),"PASSWORD");
>
> the question is, where do i store the password string? all of the
> possibilities that i thought about are not good enough:
> 1) storing it in the code - obviously not.
> 2) storing it in a seperate config file is also not secure.
> 3) entering the password at runtime is not an option.
> 4) encrypting the password - famous chicken and egg problem (storing the
> encryption key)
>
> Any ideas?
>
> _
> Express yourself instantly with MSN Messenger! Download today it's FREE!
> http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
>
--
An ideal world is left as an exercise for the reader.
- Paul Graham
[SC-L] Re: Java keystore password storage
Indeed a classic problem, unfortunately there are
no platform-independant services for storing things like this.
But a config-file with proper access-restrictions goes a long way..
And I guess thats the solution you're leaning against if I read
between the lines.
3 is good since it doesn't require storage of the password on
disk, otoh it requires human intervention which you probably
want to avoid.
I'm no expert on LDAP, but could anyone tell if you use a
directory service to pull the password from?
Regards
Fredr!k
-Ursprungligt meddelande-
Från: john bart
Till: [EMAIL PROTECTED]; SC-L@securecoding.org;
[EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Skickat: 2005-04-25 09:55
Ämne: Java keystore password storage
Hello to all the list.
I need some advice on where to store the keystore's password.
Right now, i have something like this in my code:
keystore = KeyStore.getInstance("JKS");
keystore.load(new FileInputStream("keystore.jks"),"PASSWORD");
the question is, where do i store the password string? all of the
possibilities that i thought about are not good enough:
1) storing it in the code - obviously not.
2) storing it in a seperate config file is also not secure.
3) entering the password at runtime is not an option.
4) encrypting the password - famous chicken and egg problem (storing the
encryption key)
Any ideas?
_
Express yourself instantly with MSN Messenger! Download today it's FREE!
http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
RE: [SC-L] Java keystore password storage
> 1) storing it in the code - obviously not. I concur :) > 2) storing it in a seperate config file is also not secure. Definitely a possibility. The question now becomes: is this secure "enough"? (filesystem permissions, mitigating the problem to the level of the system administrators). > 4) encrypting the password - famous chicken and egg problem (storing the encryption key) Indeed: this is not a solution, but rather a complication of the process for no real gain (as you've described it). > 3) entering the password at runtime is not an option. This is problably the safest/securest solution. Given how you've worded this, I would suspect that you want the system to be able to start by itself. This implies the system bootstrapping it's own security chain, which to my limited knowledge is not only not secure, but pretty pointless as there are easier methods to achieve the end goal with the exact same security level (for example, storing your keystore unencrypted but with filesystem permissions which do not permit anyone but the application of accessing it). It would also be prudent to point out that most likely any way you will think of to hide/secure/obfusticate the secret needed to access the keystore such that your application can automatically gain access to the keystore, an attacker can mimic this set of operations and gain access to the ketstore at well. Cheers, Chris
[SC-L] Java keystore password storage
Hello to all the list.
I need some advice on where to store the keystore's password.
Right now, i have something like this in my code:
keystore = KeyStore.getInstance("JKS");
keystore.load(new FileInputStream("keystore.jks"),"PASSWORD");
the question is, where do i store the password string? all of the
possibilities that i thought about are not good enough:
1) storing it in the code - obviously not.
2) storing it in a seperate config file is also not secure.
3) entering the password at runtime is not an option.
4) encrypting the password - famous chicken and egg problem (storing the
encryption key)
Any ideas?
_
Express yourself instantly with MSN Messenger! Download today it's FREE!
http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
