I have a Java properties object with authentication information for a web service. I need to encrypt that data, but I don't know where I need to store the encryption key for it to remain secure.
What are the best practices around encrypting this data and retrieving it in a secure way?
Is there any advantage to using a keystore?
ws_user=username
ws_password=password
ws_url=https://www.whatever.com/myservice
Currently, the most secure way to store passwords is using Password Based Encryption (PBE), which provides functions (called Key Derivation Functions (KDFs)) that will convert low entropy user passwords into random, unpredictable, and most importantly one-way, irreversible bytes of data.
You cannot; it is impossible. Any attacker who has access to the target machine would be able to disassemble your code to find it, or find the key file on the target machine, etc. The ONLY way to ensure that the encryption key is secure is to have it typed in manually by the user when it is needed.
The encryption key is created and stored on the key management server. The key manager creates the encryption key through the use of a cryptographically secure random bit generator and stores the key, along with all its attributes, in the key storage database.
Your problem is a common one. In Linux, user passwords are stored in a plain text file. Although only the password hashes are stored, if an attacker gets access to that file, he will not take long to discover some password using an offline dictionary attack. In this case, the OS relies on file permissions to deny access to unauthorized users. In your case, it is not much different. You must configure the password file permissions properly and ensure the physical security of the server.
The bottom line is that somewhere needs to have the "root-of-the-chain" password in an unencrypted form. An OS-protected local file, an OS-protected remote file, hardcoded in the source, etc.
The only way around that is to require a human to type the initial password at application start, which obviously isn't possible for applications which need to autostart.
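The following is an added example, not code from the question or any of the answers above. It puts the pieces the answers describe into one working program: the properties file holds only ciphertext for ws_password; the AES data-encryption key sits in a PKCS12 keystore (which is what "using a keystore" buys you: the key entry is itself protected by password-based encryption, i.e. a KDF over the keystore password, and a random key is generated rather than derived from a guessable passphrase); and the keystore password is the "root-of-the-chain" secret, kept in an OS-protected file that the program refuses to use unless its mode is 0600. Everything here is assumed for illustration: the alias ws-props-key, the ENC(...) marker around encrypted values, the temp-directory paths, and the sample passphrase. Note that this is still the file-permissions model from the answers: an attacker who can read both the password file and the keystore as the service account gets the credential, so the protection is against other users, backups and casual disclosure of the properties file, not against a compromised host.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Properties;
import java.util.Set;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class EncryptedProps {
    private static final String KEY_ALIAS = "ws-props-key"; // assumption: alias chosen for this example
    private static final int GCM_TAG_BITS = 128;
    private static final int GCM_IV_BYTES = 12;

    // One-time setup: generate a random 256-bit AES key and save it in a PKCS12 keystore.
    // PKCS12 protects the entry with password-based encryption, so the keystore password
    // is the root-of-the-chain secret that must live somewhere in clear form.
    static void createKeystore(Path ksPath, char[] ksPassword) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey dek = kg.generateKey();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null); // start with an empty keystore
        ks.setEntry(KEY_ALIAS, new KeyStore.SecretKeyEntry(dek),
                    new KeyStore.PasswordProtection(ksPassword));
        try (OutputStream out = Files.newOutputStream(ksPath)) {
            ks.store(out, ksPassword);
        }
    }

    static SecretKey loadKey(Path ksPath, char[] ksPassword) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(ksPath)) {
            ks.load(in, ksPassword);
        }
        KeyStore.Entry e = ks.getEntry(KEY_ALIAS, new KeyStore.PasswordProtection(ksPassword));
        return ((KeyStore.SecretKeyEntry) e).getSecretKey();
    }

    // AES-GCM with a fresh random IV per value; stored as ENC(base64(iv || ciphertext || tag)).
    static String encrypt(SecretKey key, String plaintext) throws Exception {
        byte[] iv = new byte[GCM_IV_BYTES];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return "ENC(" + Base64.getEncoder().encodeToString(out) + ")";
    }

    // Values without the ENC(...) marker (ws_user, ws_url) are returned unchanged.
    static String decrypt(SecretKey key, String value) throws Exception {
        if (!value.startsWith("ENC(") || !value.endsWith(")")) return value;
        byte[] blob = Base64.getDecoder().decode(value.substring(4, value.length() - 1));
        GCMParameterSpec spec = new GCMParameterSpec(GCM_TAG_BITS, blob, 0, GCM_IV_BYTES);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, spec); // throws AEADBadTagException if tampered
        byte[] pt = c.doFinal(blob, GCM_IV_BYTES, blob.length - GCM_IV_BYTES);
        return new String(pt, StandardCharsets.UTF_8);
    }

    // The keystore password lives in a file readable only by the service account (mode 0600).
    // Refuse to start if group or others can read it, so a permission mistake is caught early.
    static char[] readPasswordFile(Path p) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
        if (perms.contains(PosixFilePermission.GROUP_READ)
                || perms.contains(PosixFilePermission.OTHERS_READ)) {
            throw new IOException(p + " is readable by group/others; expected mode 0600");
        }
        return new String(Files.readAllBytes(p), StandardCharsets.UTF_8).trim().toCharArray();
    }

    public static void main(String[] args) throws Exception {
        Path dir = Files.createTempDirectory("wsdemo"); // assumption: temp paths for the demo
        Path pwFile = dir.resolve("keystore.pw");
        Path ksFile = dir.resolve("ws.p12");
        Path propsFile = dir.resolve("ws.properties");

        // Operator setup (done once, not at every start): constructed sample passphrase.
        Files.write(pwFile, "correct horse battery staple".getBytes(StandardCharsets.UTF_8));
        Files.setPosixFilePermissions(pwFile, PosixFilePermissions.fromString("rw-------"));
        char[] ksPassword = readPasswordFile(pwFile);
        createKeystore(ksFile, ksPassword);
        SecretKey dek = loadKey(ksFile, ksPassword);

        Properties p = new Properties();
        p.setProperty("ws_user", "username");
        p.setProperty("ws_password", encrypt(dek, "password"));
        p.setProperty("ws_url", "https://www.whatever.com/myservice");
        try (Writer w = Files.newBufferedWriter(propsFile)) { p.store(w, null); }

        // Runtime: load the properties and decrypt only the ENC(...) values in memory.
        Properties loaded = new Properties();
        try (Reader r = Files.newBufferedReader(propsFile)) { loaded.load(r); }
        System.out.println("ws_password on disk : " + loaded.getProperty("ws_password"));
        System.out.println("ws_password in RAM  : " + decrypt(dek, loaded.getProperty("ws_password")));
    }
}
```

In production the setup half of main would be a separate operator tool (or keytool with -genseckey -storetype PKCS12), the password file would be written by provisioning rather than by the application, and the 0600 check is only meaningful on a POSIX filesystem; on Windows Files.getPosixFilePermissions throws UnsupportedOperationException and an ACL check would be needed instead.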