Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How do I securely store encryption keys in java? [closed]

Tags:

I have a java properties object with authentication information for a web service. I need to encrypt that data, but I don't know where I need to store the encryption key for it to remain secure.

What are the best practices around encrypting this data and retrieving it in a secure way?

Is there any advantage to using a keystore?

ws_user=username
ws_password=password
ws_url=https://www.whatever.com/myservice
like image 394
ScArcher2 Avatar asked Dec 02 '11 14:12

ScArcher2

People also ask

What are the best practices for secure password storage in Java?

Currently, the most secure way to store passwords is using Password Based Encryption (PBE), which provides functions (called Key Derivation Functions (KDFs)) that will convert low entropy user passwords into random, unpredictable, and most importantly one-way, irreversible bytes of data.

How do I hide my encryption key?

You cannot, it is impossible. Any attacker who has access to the target machine would be able to disassemble your code to find it, or find the key file on the target machine, etc. The ONLY way to ensure that the encryption key is secure, is to have it typed in manually by the user when it is needed. Save this answer.

Where should you store the encryption?

The encryption key is created and stored on the key management server. The key manager creates the encryption key through the use of a cryptographically secure random bit generator and stores the key, along with all it's attributes, into the key storage database.

2 Answers

Your problem is a common one. In linux, user passwords are stored in a plain text file. Although only the password hashes are stored, if an attacker gets access to that file, he will not take long to discover some password using an offline dictionary attack. In this case, the OS relies on file permissions to deny access to unauthorized users. In your case, it is not much different. You must configure the password file permissions properly and ensure the physical security of the server.

like image 106
dsboger Avatar answered Sep 28 '22 04:09

dsboger

The bottom line is that somewhere needs to have the "root-of-the-chain" password in an unencrypted form. An OS-protected local file, an OS-protected remote file, hardcoded in the source, etc.

The only way around that is to require a human to type the initial password at application start, which obviously isn't possible for applications which need to autostart.

like image 29
dbreaux Avatar answered Sep 28 '22 02:09

dbreaux
Sign in to Comment

Related questions

Why can't I combine [Authorize] and [OutputCache] attributes when using Azure cache (.NET MVC3 app)?
Scala: Case class unapply vs a manual implementation and type erasure
TortoiseSVN 1.7 extremely slow on commit and check modifications on network share
How do I refer to a variable while assigning a value to it, whilst retaining immutability?
Logistic regression - cbind command in glm
Why set prototype's constructor to its constructor function? [duplicate]
How do I pass an array to a constructor?
Make git ignore rename [duplicate]
Java 7 zip file system provider doesn't seem to accept spaces in URI
Packing float into vec4 - how does this code work?
Bluetooth Low Energy - updating a characteristic value repeatedly
Difference between object and instance in python?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!