What exactly is the sense behind a keystore password, e.g. on JKS/BKS keystores?
It is obviously NOT for security, because I can open the file with an editor and copy all entries into new files without a password check. Data inside a password-protected keystore is not encrypted!
What does this password protect? It seems to be just for annoying developers oO...
If we need to manage keys and certificates in Java, we need a keystore, which is simply a secure collection of aliased entries of keys and certificates.
A keystore is a binary file that contains a set of private keys. A private key represents the entity to be identified with the app, such as a person or a company. So the keystore password is used to open a keystore, and the simple password is the password of a private entity stored in the keystore file..!!
Let's say you saved a string called "this is my sentence" in the keystore, and when you open it with Notepad you see the cipher-text "blabla". If you copy "blabla" to another file and claim you found out the plain-text and that it is "blabla", that is obviously incorrect; you still don't know the original plain-text until you recover it with the password.
==EDIT==
For a JKS keystore, the keystore password is used to verify integrity (src):
if (password != null) {
    md = getPreKeyedHash(password);   // SHA-1 seeded with the password characters
    dis = new DataInputStream(new DigestInputStream(stream, md));  // digest everything read
}
The DigestInputStream generates a signature and compares it to the actual one to see if it has been modified.
The BouncyCastle UBER keystore is more secure: the entire keystore is encrypted with a PBE based on SHA-1 and Twofish (PBEWithSHAAndTwofish-CBC):
Cipher cipher = this.makePBECipher(cipherAlg, Cipher.DECRYPT_MODE, password, salt, iterationCount);
CipherInputStream cIn = new CipherInputStream(dIn, cipher);   // decrypt the whole store
Digest dig = new SHA1Digest();
DigestInputStream dgIn = new DigestInputStream(cIn, dig);     // digest the decrypted bytes
this.loadStore(dgIn);
On a JKS or BKS keystore the password is not pointless, but it doesn't do what you might assume, either.
It doesn't encrypt the data in the keystore or in any way prevent access to it, but it does verify the integrity of the keystore. Without knowing the password, it is not possible to make changes to a keystore without the normal user of it finding out (typically due to their tools telling them "Keystore was tampered with, or password was incorrect").
In some other keystore types (such as Keystore.BouncyCastle) the keystore password protects against inspection as well as tampering.
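The JKS integrity check quoted in the edit above (the pre-keyed SHA-1) and the "Keystore was tampered with, or password was incorrect" behaviour described in the answer above, as an added Python example that is not from this thread or from the JDK: it builds a constructed zero-entry JKS container, checks its trailing digest the way engineLoad does, and shows that the header is readable without any password.

```python
import hashlib
import hmac
import struct

JKS_MAGIC = 0xFEEDFEED
JKS_VERSION = 2
PREKEY_LITERAL = b"Mighty Aphrodite"  # fixed literal from JavaKeyStore.getPreKeyedHash
DIGEST_LEN = 20                       # SHA-1 output length


def pre_keyed_hash(password: str):
    """Mirror of getPreKeyedHash: SHA-1 fed the password as Java chars
    (UTF-16BE, high byte first) followed by the fixed literal."""
    md = hashlib.sha1()
    md.update(password.encode("utf-16-be"))
    md.update(PREKEY_LITERAL)
    return md


def build_empty_jks(password: str) -> bytes:
    """Constructed sample: magic, version 2, zero entries, then the
    password-keyed SHA-1 over everything before it (as engineStore writes)."""
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, 0)
    md = pre_keyed_hash(password)
    md.update(body)
    return body + md.digest()


def parse_header(blob: bytes) -> dict:
    """The container is plaintext: header (and entries) parse without a password."""
    magic, version, count = struct.unpack_from(">III", blob, 0)
    return {"magic": magic, "version": version, "entries": count}


def verify_integrity(blob: bytes, password: str) -> bool:
    """What engineLoad checks at the end: the trailing 20 bytes must equal the
    password-keyed SHA-1 of the preceding bytes. A wrong password and a
    modified file are indistinguishable here, hence Java's single message
    'Keystore was tampered with, or password was incorrect'."""
    if len(blob) <= DIGEST_LEN:
        return False
    data, stored = blob[:-DIGEST_LEN], blob[-DIGEST_LEN:]
    md = pre_keyed_hash(password)
    md.update(data)
    return hmac.compare_digest(md.digest(), stored)
```

Flipping any byte of the body (for example the entry count) makes verify_integrity fail for the correct password, while parse_header still reads the altered value, which is exactly the "integrity, not confidentiality" split the answers describe.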