[SC-L] RE: Java keystore password storage

2005-04-26 Thread john bart
Is there something like Windows' DPAPI in the Unix world (Solaris, Linux,
etc.)?

From: Michael Howard [EMAIL PROTECTED]
To: john bart 
[EMAIL PROTECTED],[EMAIL PROTECTED],SC-L@securecoding.org,[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED]
Subject: RE: Java keystore password storage
Date: Mon, 25 Apr 2005 10:52:49 -0700

Oh this thorny issue again!
On Windows you can call into the Data Protection API (CryptProtectData
etc), which uses keys derived from the user's password to protect secret
data like this, or uses a machine key if you want to lock the key down
to the machine. Mac OS X offers a similar technology called Keychain
(SecKeychainAddGenericPassword etc), but these are of course OS-specific
solutions.
I know of no other way that works solely with Java on all platforms...
[Writing Secure Code] http://www.microsoft.com/mspress/books/5957.asp
[Protect Your PC] http://www.microsoft.com/protect
[Blog] http://blogs.msdn.com/michael_howard
[SDL] http://msdn.microsoft.com/security/sdl
-Original Message-
From: john bart [mailto:[EMAIL PROTECTED]
Sent: Monday, April 25, 2005 12:56 AM
To: [EMAIL PROTECTED]; SC-L@securecoding.org;
[EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: Java keystore password storage
Hello to all the list.
I need some advice on where to store the keystore's password.
Right now, I have something like this in my code:
KeyStore keystore = KeyStore.getInstance("JKS");
keystore.load(new FileInputStream("keystore.jks"), PASSWORD);
The question is, where do I store the password string? All of the
possibilities that I thought about are not good enough:
1) storing it in the code - obviously not.
2) storing it in a separate config file is also not secure.
3) entering the password at runtime is not an option.
4) encrypting the password - the famous chicken-and-egg problem (storing the
encryption key)
Any ideas?
_
Express yourself instantly with MSN Messenger! Download today it's FREE!
http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
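The thread's option 2, a separate password file, is the one that can be made workable on Unix without an OS secret store, provided the file is owned by the service account, readable by nobody else, and the secret is never parked in an immutable String. The following is an added example written for this page, not code from any poster: it assumes hypothetical paths keystore.p12 and keystore.pw, uses the PKCS12 keystore type instead of the JKS type shown in the post, and refuses to read a password file whose POSIX permissions are wider than owner read/write. It does not replace DPAPI or Keychain; on a non-POSIX file system it simply fails closed.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.Set;

public class KeystoreLoader {

    /** Reads the keystore password from a file that only its owner may read or write. */
    static char[] readPasswordFile(Path file) throws Exception {
        Set<PosixFilePermission> perms;
        try {
            perms = Files.getPosixFilePermissions(file);
        } catch (UnsupportedOperationException e) {
            // Non-POSIX file system (e.g. NTFS): ACLs are not checked here, so fail closed.
            // On Windows the DPAPI route from the thread is the better fit.
            throw new SecurityException("cannot verify permissions of " + file, e);
        }
        for (PosixFilePermission p : perms) {
            if (p != PosixFilePermission.OWNER_READ && p != PosixFilePermission.OWNER_WRITE) {
                throw new SecurityException(file + " must be readable by its owner only (chmod 600)");
            }
        }
        byte[] raw = Files.readAllBytes(file);
        // Decode into a char[] rather than a String so every copy can be wiped afterwards.
        CharBuffer cb = StandardCharsets.UTF_8.decode(ByteBuffer.wrap(raw));
        int len = cb.remaining();
        while (len > 0 && (cb.get(len - 1) == '\n' || cb.get(len - 1) == '\r')) {
            len--; // drop a trailing newline left by an editor
        }
        char[] password = new char[len];
        cb.get(password, 0, len);
        Arrays.fill(raw, (byte) 0);
        Arrays.fill(cb.array(), '\0');
        return password;
    }

    /** Loads the keystore with the password from the file and wipes the password afterwards. */
    static KeyStore loadKeyStore(Path keystoreFile, Path passwordFile) throws Exception {
        char[] password = readPasswordFile(passwordFile);
        try (InputStream in = Files.newInputStream(keystoreFile)) {
            KeyStore ks = KeyStore.getInstance("PKCS12");
            ks.load(in, password);
            return ks;
        } finally {
            Arrays.fill(password, '\0'); // do not leave the secret on the heap longer than needed
        }
    }

    /** Self-contained demo: creates an empty keystore and a chmod-600 password file, then loads it back. */
    public static void main(String[] args) throws Exception {
        Path dir = Files.createTempDirectory("ks-demo"); // hypothetical location, created 0700
        Path ksFile = dir.resolve("keystore.p12");
        Path pwFile = dir.resolve("keystore.pw");

        char[] pw = "demo-password-only".toCharArray(); // constructed sample value
        KeyStore empty = KeyStore.getInstance("PKCS12");
        empty.load(null, null);
        try (OutputStream out = Files.newOutputStream(ksFile)) {
            empty.store(out, pw);
        }
        Files.write(pwFile, "demo-password-only\n".getBytes(StandardCharsets.UTF_8));
        Files.setPosixFilePermissions(pwFile, PosixFilePermissions.fromString("rw-------"));

        KeyStore loaded = loadKeyStore(ksFile, pwFile);
        System.out.println("Loaded keystore with " + loaded.size() + " entries");

        // Loosen the permissions and show that the loader refuses the file.
        Files.setPosixFilePermissions(pwFile, PosixFilePermissions.fromString("rw-r--r--"));
        try {
            loadKeyStore(ksFile, pwFile);
        } catch (SecurityException e) {
            System.out.println("Refused: " + e.getMessage());
        }
    }
}
```

The permission check is the whole point: it turns "a config file" into "a file the OS will only hand to this account", which is the same trust boundary DPAPI's user or machine key gives on Windows. Anyone who can already run code as the service account still gets the password, which is exactly the limitation the reply below describes.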




RE: [SC-L] Java keystore password storage

2005-04-26 Thread Chris Matthews
David Crocker wrote:

I'm by no means an expert in the field of security and Java, but I believe
that the usual technique is to encode the password that the user types using
a 1-way hashing algorithm, then store (and hide/protect) the encoded version
and use that as the password. If an attacker manages to read the password
hash, he still has to construct a password that will encode to the same value.

At issue is not the mechanical method of storing the password; it is the
fundamental insecurity of storing a password such that an automated
process may recover/use said password.  If an automated process can
recover the password, chances are very good an attacker can, and no
cryptographic algorithm will solve that issue.  The system is weak,
not the individual components.

Cheers,
Chris