stackoom
  简体   繁体   中英

How do I securely store encryption keys in java?

 原文  2011-12-02 14:32:30       java/ encryption/ keystore

Question

I have a java properties object with authentication information for a web service. I need to encrypt that data, but I don't know where I need to store the encryption key for it to remain secure.

What are the best practices around encrypting this data and retrieving it in a secure way?

Is there any advantage to using a keystore? 

ws_user=username
ws_password=password
ws_url=https://www.whatever.com/myservice

4 answers

solution1
 8 ACCPTED  2011-12-08 12:55:18

Your problem is a common one. In linux, user passwords are stored in a plain text file. Although only the password hashes are stored, if an attacker gets access to that file, he will not take long to discover some password using an offline dictionary attack. In this case, the OS relies on file permissions to deny access to unauthorized users. In your case, it is not much different. You must configure the password file permissions properly and ensure the physical security of the server.

solution2
 4  2011-12-08 13:08:45

This is a chicken-egg problem.
You will then need to to find where to store the password for the keystore and and so on.....

Depending on your security requirements and needs, you could enrypt the data using symmetric encryption and retrieve the password via a remote server (your server) using client side certificate authentication.

Or you could encrypt the data using symmetric enryption and have the password hardcoded in your jar, which is not safe but requires some effort to find it and you could delegate responsibility to the file system permissions on who can access your files.

solution3
 4  2011-12-09 15:07:11

The bottom line is that somewhere needs to have the "root-of-the-chain" password in an unencrypted form. An OS-protected local file, an OS-protected remote file, hardcoded in the source, etc.

The only way around that is to require a human to type the initial password at application start, which obviously isn't possible for applications which need to autostart.

solution4
 0  2011-12-08 13:21:16

I have had success using Jasypt 's StringEncrytor to encrypt sensitive information in properties files and some in-house procedures for generating salts and retrieving the password. Since you're using a web service, you could use Jasypt's Web PBE Configuration to manually enter the password at deploy time or even roll your own similar solution.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question how to securely store encryption keys in android? How do I store SOAP responses in the database securely? How do I securely handle passwords in a Java Servlet Filter? How do I integrate HSM encryption with JAVA? How Can I Securely Store a SecretKey? How Do I Store Words as Keys in a TreeMap? Java asymmetric encryption: preferred way to store public/private keys How do I store and read PGP public keys as strings using Bouncycastle Java? How can I securely store store sensitive date on an Android? Where can I store saved password locally but securely in Java?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM