RE: [SC-L] Java keystore password storage

2005-04-26 Thread Chris Matthews
David Crocker wrote:

I'm by no means an expert in the field of security and Java, but I believe that
the usual technique is to encode the password that the user types using a 1-way
hashing algorithm, then store (and hide/protect) the encoded version and use
that as the password. If an attacker manages to read the password hash, he still
has to construct a password that will encode to the same value.

At issue is not the mechanical method of storing the password; it is the
fundamental insecurity of storing a password such that an automated
process may recover/use said password.  If an automated process can
recover the password, chances are very good an attacker can, and no
cryptographical algorithm will solve that issue.  The system is weak,
not the individual components.

Cheers,
Chris




RE: [SC-L] Java keystore password storage

2005-04-25 Thread David Crocker
I'm by no means an expert in the field of security and Java, but I believe that
the usual technique is to encode the password that the user types using a 1-way
hashing algorithm, then store (and hide/protect) the encoded version and use
that as the password. If an attacker manages to read the password hash, he still
has to construct a password that will encode to the same value.

There are a number of hashing algorithms available. SHA1 used to be considered
fairly good for this sort of thing, but I understand it has been broken
recently.

This technique does make it impossible to recover the password; if the password
is lost, it has to be reset to a new one.

David Crocker, Escher Technologies Ltd.
Consultancy, contracting and tools for dependable software development
www.eschertech.com



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of john bart
Sent: 25 April 2005 08:56
To: SC-L@securecoding.org
Subject: [SC-L] Java keystore password storage


Hello to all the list.
I need some advice on where to store the keystore's password. Right now, I have
something like this in my code:

import java.io.FileInputStream;
import java.security.KeyStore;
KeyStore keystore = KeyStore.getInstance("JKS");
keystore.load(new FileInputStream("keystore.jks"), PASSWORD); // PASSWORD is a char[]

the question is, where do I store the password string? all of the possibilities
that i thought about are not good enough:
1) storing it in the code - obviously not.
2) storing it in a separate config file is also not secure.
3) entering the password at runtime is not an option.
4) encrypting the password - famous chicken and egg problem (storing the
encryption key)

Any ideas?
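The following is an added example written for this thread, not code from any of the posters: it shows the minimum-exposure variant of option 2, loading a JKS keystore with a password kept in a file that the OS restricts to the service account, read as a char[] and zeroed once the keystore is open. The file path, the mode-0600 requirement and the KeyStoreLoader class name are assumptions of this example; it does not change Chris's point, since anyone who can run the process as that account can still obtain the password.

```java
import java.io.*;
import java.nio.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermission;
import java.security.*;
import java.util.*;

public class KeyStoreLoader {

    // Refuse a password file that anyone but its owner can access (expected mode 0600). On
    // filesystems without POSIX permissions (e.g. Windows) the check is skipped; verify ACLs there.
    static void requireOwnerOnly(Path file) throws IOException {
        try {
            for (PosixFilePermission p : Files.getPosixFilePermissions(file)) {
                if (p != PosixFilePermission.OWNER_READ && p != PosixFilePermission.OWNER_WRITE) {
                    throw new IOException(file + " must have mode 0600 (owner read/write only)");
                }
            }
        } catch (UnsupportedOperationException ignored) { }
    }

    // Read the password into a char[] rather than a String so it can be zeroed after use.
    static char[] readPassword(Path file) throws IOException {
        requireOwnerOnly(file);
        byte[] raw = Files.readAllBytes(file);
        CharBuffer cb = StandardCharsets.UTF_8.decode(ByteBuffer.wrap(raw));
        Arrays.fill(raw, (byte) 0);
        int len = cb.limit();
        while (len > 0 && Character.isWhitespace(cb.get(len - 1))) len--;  // drop trailing newline
        char[] pw = new char[len];
        cb.get(pw, 0, len);
        if (cb.hasArray()) Arrays.fill(cb.array(), '\0');  // clear the decoder's copy as well
        return pw;
    }

    // Open the keystore; the password lives in memory only for the duration of load().
    static KeyStore load(Path keystoreFile, Path passwordFile) throws IOException, GeneralSecurityException {
        char[] password = readPassword(passwordFile);
        try (InputStream in = Files.newInputStream(keystoreFile)) {
            KeyStore ks = KeyStore.getInstance("JKS");
            ks.load(in, password);
            return ks;
        } finally {
            Arrays.fill(password, '\0');  // the secret should not outlive the load
        }
    }
}
```

Call it as load(Paths.get("keystore.jks"), Paths.get(System.getenv("KEYSTORE_PASSWORD_FILE"))), where KEYSTORE_PASSWORD_FILE is an assumed deployment convention naming the 0600 file; the secret then never appears in the code base or in the application's ordinary config.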