Re: secure storage of sensitive data in J2EE

From: Alexander Klimov (alserkliinbox.ru)
Date: Tue Jan 25 2005 - 10:33:07 CST


On Tue, 25 Jan 2005, chaim moshe wrote:
> where can I store sensitive data like encryption keys, passwords,
> etc. in J2EE? surely, you can save it in the keystore, but the catch
> is where do you store the keystore password to protect it from
> external access? storing the keystore password in code or in config
> files is not secured enough.
Well, there is no way to make the following things simultaneously
without additional input for a legitimate user:
-- a legitimate user is able to recover information
-- an attacker is unable to recover information

> In the .NET environment you have DPAPI that was designed exactly for this
> kind of problem, the sensitive data is encrypted at the OS level with the
> user/machine password and is decrypted at runtime.
This is a solution: the legitimate user needs to enter a password which
is cached by the system. I really doubt that J2EE can have similar
things since many OSes do not cache user passwords.

> What is the solution in the J2EE environment ?
You can ask the user to enter the password. An alternative solution is
to use non-owner-read-protected files.

--
Regards,
ASK
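The two options named in the reply (a file that only the owner can read, or asking the operator for the password at startup) combined into one Java loader, as an added example that is not part of the original thread. The file paths (/etc/myapp/keystore.pass, /etc/myapp/app.jks) are hypothetical, and the permission check assumes a POSIX filesystem; it refuses a password file that group or others can read, since that is the failure mode that makes a file-stored password "not secured enough".

```java
import java.io.Console;
import java.io.IOException;
import java.io.InputStream;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.Collections;
import java.util.EnumSet;
import java.util.Set;

public final class KeyStoreLoader {

    // Hypothetical locations, outside the web application's document root.
    private static final Path PASSWORD_FILE = Paths.get("/etc/myapp/keystore.pass");
    private static final Path KEYSTORE_FILE = Paths.get("/etc/myapp/app.jks");

    // Any of these bits on the password file means a non-owner can read or alter it.
    private static final Set<PosixFilePermission> FORBIDDEN = EnumSet.of(
            PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE,
            PosixFilePermission.GROUP_EXECUTE, PosixFilePermission.OTHERS_READ,
            PosixFilePermission.OTHERS_WRITE, PosixFilePermission.OTHERS_EXECUTE);

    /**
     * Reads the keystore password from a file whose mode must be owner-only (0600 or
     * stricter). Throws UnsupportedOperationException on non-POSIX filesystems.
     */
    static char[] readProtectedPassword(Path file) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(file);
        if (!Collections.disjoint(perms, FORBIDDEN)) {
            throw new IOException(file + " is accessible to group/others; expected mode 0600");
        }
        byte[] raw = Files.readAllBytes(file);
        try {
            CharBuffer decoded = StandardCharsets.UTF_8.decode(ByteBuffer.wrap(raw));
            int len = decoded.remaining();
            // Strip a single trailing newline left by most editors.
            while (len > 0 && (decoded.get(len - 1) == '\n' || decoded.get(len - 1) == '\r')) {
                len--;
            }
            char[] password = new char[len];
            decoded.get(password, 0, len);
            return password;
        } finally {
            Arrays.fill(raw, (byte) 0); // do not leave the password lying in the heap
        }
    }

    /** Falls back to the other option in the reply: ask the operator at startup. */
    static char[] promptForPassword() throws IOException {
        Console console = System.console();
        if (console == null) {
            throw new IOException("no console available to prompt for the keystore password");
        }
        return console.readPassword("Keystore password: ");
    }

    /** Opens the keystore and wipes the password array as soon as it has been used. */
    static KeyStore loadKeyStore(Path keystoreFile, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(keystoreFile)) {
            ks.load(in, password);
        } finally {
            Arrays.fill(password, '\0');
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        char[] password;
        if (Files.exists(PASSWORD_FILE)) {
            password = readProtectedPassword(PASSWORD_FILE);
        } else {
            password = promptForPassword();
        }
        KeyStore ks = loadKeyStore(KEYSTORE_FILE, password);
        System.out.println("Loaded keystore with " + ks.size() + " entries");
    }
}
```

The permission check is a detection of misconfiguration, not a protection in itself: a process running as the file's owner (or as root) can still read the password, which is exactly the limit the reply states. Keeping the password in a char[] and zeroing it after KeyStore.load only shortens how long the secret sits in memory; it does not change who can read the file.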