RE: [SC-L] Java keystore password storage
I'm by no means an expert in the field of security and Java, but I believe that the usual technique is to encode the password that the user types using a 1-way hashing algorithm, then store (and hide/protect) the encoded version and use that as the password. If an attacker manages to read the password hash, he still has to construct a password that will encode to the same value.

There are a number of hashing algorithms available. SHA1 used to be considered fairly good for this sort of thing, but I understand it has been broken recently.

This technique does make it impossible to recover the password; if the password is lost, it has to be reset to a new one.

David Crocker, Escher Technologies Ltd.
Consultancy, contracting and tools for dependable software development
www.eschertech.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of john bart
Sent: 25 April 2005 08:56
To: SC-L@securecoding.org
Subject: [SC-L] Java keystore password storage

Hello to all the list.
I need some advice on where to store the keystore's password.
Right now, I have something like this in my code:

    keystore = KeyStore.getInstance("JKS");
    keystore.load(new FileInputStream("keystore.jks"), "PASSWORD".toCharArray());

The question is, where do I store the password string? All of the possibilities that I thought about are not good enough:
1) storing it in the code - obviously not.
2) storing it in a separate config file is also not secure.
3) entering the password at runtime is not an option.
4) encrypting the password - famous chicken and egg problem (storing the encryption key)

Any ideas?
[SC-L] RE: Java keystore password storage
Oh this thorny issue again!

On Windows you can call into the Data Protection API (CryptProtectData etc), which uses keys derived from the user's password to protect secret data like this, or uses a machine key if you want to lock the key down to the machine. Mac OSX offers a similar technology called Keychain (SecKeychainAddGenericPassword etc), but these are of course OS specific solutions.

I know of no other way that works solely with Java on all platforms...

[Writing Secure Code] http://www.microsoft.com/mspress/books/5957.asp
[Protect Your PC] http://www.microsoft.com/protect
[Blog] http://blogs.msdn.com/michael_howard
[SDL] http://msdn.microsoft.com/security/sdl

-Original Message-
From: john bart [mailto:[EMAIL PROTECTED]
Sent: Monday, April 25, 2005 12:56 AM
To: [EMAIL PROTECTED]; SC-L@securecoding.org; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Java keystore password storage

Hello to all the list.
I need some advice on where to store the keystore's password.
Right now, I have something like this in my code:

    keystore = KeyStore.getInstance("JKS");
    keystore.load(new FileInputStream("keystore.jks"), "PASSWORD".toCharArray());

The question is, where do I store the password string? All of the possibilities that I thought about are not good enough:
1) storing it in the code - obviously not.
2) storing it in a separate config file is also not secure.
3) entering the password at runtime is not an option.
4) encrypting the password - famous chicken and egg problem (storing the encryption key)

Any ideas?
RE: [SC-L] Java keystore password storage
A little more information would be helpful. What kind of application are you writing? What is the platform? Is there a secure database or directory available anywhere in the infrastructure to which the application has access?

If it's a client, is there a CD reader? If so, you could store the password encrypted on the client hard drive, or on the CD, and store the cryptokey on a read-only CD. Write a software routine that would read the key (and, if stored there, password) from the CD, store it in memory in a Java character array (char[]) (NOT in a string, which is immutable and thus won't be purged from memory until the garbage collector (GC) is explicitly run). As soon as the key is read from the CD, the software routine would force-eject the CD. You'd also use a char[] to store the decrypted password (again, not using String due to immutability).

The above approach has the advantage of not requiring any external system, such as a directory or database. On the other hand, you would have to burn a new CD each time either the key or password was changed, and you would have to write a non-standard software process to manage the CD access and ejection, password decryption, etc.

If it's a server-side web application, an alternate approach could be to store the password in a properties file accessible to the application, OUTSIDE of the WEB-INF directory (do NOT place properties in the web.xml, which is deployed in the web server's WEB-INF directory which represents a frequent, high-value target). Your best bet is to use the java.util.Properties class, because it contains methods to access properties files. The getProperty() method of this class returns a string value, which should be immediately copied over into a char array and all references to the string should be immediately nulled, and GC should be immediately requested to purge the string from memory.
Keep in mind that the Properties class will still have a reference to the password, so the only sure way of removing the password from memory is by calling the remove() method on the java.util.Properties class before garbage collection. This will remove the reference from the hashtable, and allow the GC to purge the string from memory.

The objective is to ensure that the immutable string is only used as an ephemeral artifact for moving the password out of the properties into memory: all references to the string must be nulled to ensure the password cannot be read from memory after it is used (the char[] containing the password will be purged as soon as it is used, so GC won't have to be explicitly invoked to do this).

--
Karen Goertzel, CISSP
Booz Allen Hamilton
703-902-6981
[EMAIL PROTECTED]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of john bart
> Sent: Monday, April 25, 2005 3:56 AM
> To: SC-L@securecoding.org
> Subject: [SC-L] Java keystore password storage
>
> Hello to all the list.
> I need some advice on where to store the keystore's password.
> Right now, I have something like this in my code:
>
>     keystore = KeyStore.getInstance("JKS");
>     keystore.load(new FileInputStream("keystore.jks"), "PASSWORD".toCharArray());
>
> The question is, where do I store the password string? All of the
> possibilities that I thought about are not good enough:
> 1) storing it in the code - obviously not.
> 2) storing it in a separate config file is also not secure.
> 3) entering the password at runtime is not an option.
> 4) encrypting the password - famous chicken and egg problem
> (storing the encryption key)
>
> Any ideas?
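The properties-file handling described in the message above, written out as an added example (not code from the original post). The file paths and the property name `keystore.password` are assumptions made for illustration.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.Properties;

public class KeystoreLoader {
    // Hypothetical paths and property name, chosen for this example only.
    // Both files sit outside WEB-INF and are readable only by the service account.
    static final String PROPS_PATH = "/etc/myapp/keystore.properties";
    static final String KEYSTORE_PATH = "/etc/myapp/keystore.jks";
    static final String PASSWORD_KEY = "keystore.password";

    public static KeyStore load() throws IOException, GeneralSecurityException {
        Properties props = new Properties();
        try (InputStream in = new FileInputStream(PROPS_PATH)) {
            props.load(in);
        }
        // remove() hands back the value and drops the table's reference to it,
        // so the Properties object no longer keeps the password String alive.
        String asString = (String) props.remove(PASSWORD_KEY);
        if (asString == null) {
            throw new IOException("property " + PASSWORD_KEY + " not set in " + PROPS_PATH);
        }
        char[] password = asString.toCharArray();
        asString = null; // the String itself cannot be wiped; it lingers until collected

        try (InputStream in = new FileInputStream(KEYSTORE_PATH)) {
            KeyStore keystore = KeyStore.getInstance("JKS");
            keystore.load(in, password); // load() takes char[], never a String
            return keystore;
        } finally {
            Arrays.fill(password, '\0'); // overwrite the one copy we control
        }
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = load();
        System.out.println("keystore loaded, entries: " + ks.size());
    }
}
```

Only the char array is overwritten deterministically; the String returned by the Properties table stays on the heap until the collector reclaims it.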
Re: [SC-L] Java keystore password storage
john bart wrote:
> Hello to all the list.
> I need some advice on where to store the keystore's password.

I don't know the Java functions you're asking about. Looks like it's decrypting a file?

It's not possible to securely store the password. If a program can decrypt the file, then a program can decrypt the file. Unless you want to go for a very narrow definition of "securely store".

Windows has a facility for "secured storage" that becomes accessible when the user logs in. It's used for storing sensitive information, like other passwords. It's theoretically good for protecting your info when the machine is off, or a different user is logged in.

Ryan
Re: [SC-L] Java keystore password storage
Well, you have provided very little useful information about the application and its threat model. So, knowing what to suggest is difficult. Can you say more?

FWIW, we used to use the old C function memfrob to obscure passwords in code when we couldn't avoid putting them there. At least that way the strings command didn't find them. Didn't help much if your hackers had read the HHGTTG, though.

-nash

On Mon, Apr 25, 2005 at 07:55:43AM +, john bart wrote:
> Hello to all the list.
> I need some advice on where to store the keystore's password.
> Right now, I have something like this in my code:
>
>     keystore = KeyStore.getInstance("JKS");
>     keystore.load(new FileInputStream("keystore.jks"), "PASSWORD".toCharArray());
>
> The question is, where do I store the password string? All of the
> possibilities that I thought about are not good enough:
> 1) storing it in the code - obviously not.
> 2) storing it in a separate config file is also not secure.
> 3) entering the password at runtime is not an option.
> 4) encrypting the password - famous chicken and egg problem (storing the
> encryption key)
>
> Any ideas?

--
An ideal world is left as an exercise for the reader. - Paul Graham
[SC-L] Re: Java keystore password storage
Indeed a classic problem, unfortunately there are no platform-independent services for storing things like this. But a config-file with proper access-restrictions goes a long way.. And I guess that's the solution you're leaning against if I read between the lines.

3 is good since it doesn't require storage of the password on disk, otoh it requires human intervention which you probably want to avoid.

I'm no expert on LDAP, but could anyone tell if you use a directory service to pull the password from?

Regards
Fredr!k

-Original message-
From: john bart
To: [EMAIL PROTECTED]; SC-L@securecoding.org; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: 2005-04-25 09:55
Subject: Java keystore password storage

Hello to all the list.
I need some advice on where to store the keystore's password.
Right now, I have something like this in my code:

    keystore = KeyStore.getInstance("JKS");
    keystore.load(new FileInputStream("keystore.jks"), "PASSWORD".toCharArray());

The question is, where do I store the password string? All of the possibilities that I thought about are not good enough:
1) storing it in the code - obviously not.
2) storing it in a separate config file is also not secure.
3) entering the password at runtime is not an option.
4) encrypting the password - famous chicken and egg problem (storing the encryption key)

Any ideas?
RE: [SC-L] Java keystore password storage
> 1) storing it in the code - obviously not.

I concur :)

> 2) storing it in a separate config file is also not secure.

Definitely a possibility. The question now becomes: is this secure "enough"? (filesystem permissions, mitigating the problem to the level of the system administrators).

> 4) encrypting the password - famous chicken and egg problem (storing the encryption key)

Indeed: this is not a solution, but rather a complication of the process for no real gain (as you've described it).

> 3) entering the password at runtime is not an option.

This is probably the safest/securest solution. Given how you've worded this, I would suspect that you want the system to be able to start by itself. This implies the system bootstrapping its own security chain, which to my limited knowledge is not only not secure, but pretty pointless as there are easier methods to achieve the end goal with the exact same security level (for example, storing your keystore unencrypted but with filesystem permissions which do not permit anyone but the application of accessing it).

It would also be prudent to point out that most likely any way you will think of to hide/secure/obfuscate the secret needed to access the keystore such that your application can automatically gain access to the keystore, an attacker can mimic this set of operations and gain access to the keystore as well.

Cheers,
Chris
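The two replies above both come down to filesystem permissions on the config file or keystore. As an added example (not code from any post in this thread), here is a startup check that refuses a secret file unless it is private to the application account. It assumes a POSIX filesystem; the default path is hypothetical.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.EnumSet;
import java.util.Set;

public class SecretFileCheck {
    // Owner read/write only (mode 0600 or stricter); any other bit is rejected.
    private static final Set<PosixFilePermission> ALLOWED =
            EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE);

    /** Throws unless the file is a regular file, owned by this process's user, with no extra bits. */
    public static void requirePrivate(Path file) throws IOException {
        // NOFOLLOW_LINKS: a symlink swapped in for the secret file is refused, not followed.
        if (!Files.isRegularFile(file, LinkOption.NOFOLLOW_LINKS)) {
            throw new IOException(file + ": not a regular file");
        }
        String owner = Files.getOwner(file, LinkOption.NOFOLLOW_LINKS).getName();
        if (!owner.equals(System.getProperty("user.name"))) {
            throw new IOException(file + ": owned by " + owner + ", not by the application account");
        }
        Set<PosixFilePermission> extra = EnumSet.noneOf(PosixFilePermission.class);
        extra.addAll(Files.getPosixFilePermissions(file, LinkOption.NOFOLLOW_LINKS));
        extra.removeAll(ALLOWED);
        if (!extra.isEmpty()) {
            throw new IOException(file + ": permissions too open, remove " + extra);
        }
    }

    public static void main(String[] args) throws IOException {
        // Hypothetical default path; pass the real one as the first argument.
        Path secret = Paths.get(args.length > 0 ? args[0] : "/etc/myapp/keystore.properties");
        requirePrivate(secret);
        System.out.println(secret + ": private to " + System.getProperty("user.name"));
    }
}
```

The check and the later read are separate operations, so the containing directory needs the same restriction to keep the file from being replaced in between.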
[SC-L] Java keystore password storage
Hello to all the list.
I need some advice on where to store the keystore's password.
Right now, I have something like this in my code:

    keystore = KeyStore.getInstance("JKS");
    keystore.load(new FileInputStream("keystore.jks"), "PASSWORD".toCharArray());

The question is, where do I store the password string? All of the possibilities that I thought about are not good enough:
1) storing it in the code - obviously not.
2) storing it in a separate config file is also not secure.
3) entering the password at runtime is not an option.
4) encrypting the password - famous chicken and egg problem (storing the encryption key)

Any ideas?