
I was working on TLS implementations and found out that you can use any keystore or truststore without providing any password in a Java client or server. How does it prevent server identity theft, where someone can just copy the keystore from the server and use it as their identity? If a password had been used, then we might have had some level of security on the keystore against unauthorized access.

One detailed description is provided in the link below:

Do you not need a password to access a truststore (made with the java keytool)?

smallarv
  • If someone can get to your key store you have bigger problems to worry about, as they can access a lot more important things too – Peter Gelderbloem Oct 22 '16 at 13:36
  • That's true, but in case it happens, what are the provisions to keep the keystore secure? We always have the option to revoke the cert and replace it with a new one – smallarv Oct 22 '16 at 14:02
  • You can add a password to the keystore – Peter Gelderbloem Oct 22 '16 at 14:09
  • That's the thing: anyone can use my keystore without using a password. Although they cannot modify the keystore without the password, they can still use it without making any modification. It's like everyone has read access but not write access to keystore files – smallarv Oct 22 '16 at 14:32

3 Answers


I got the answer for this. Basically you can access the keystore or truststore without a password, but that is applicable only to accessing the certificates. If you want to access the private key from the keystore without a password, you cannot do that, because the private keys are kept in encrypted form in the keystore and the keystore password is the key for that.

That's how the private keys are kept secret in keystore files.

smallarv
  • But the private key is required for the certificate to function. How does it achieve that without decrypting the private key? So it is possible to decrypt the private key easily??? – Evren Yurtesen Jan 29 '20 at 11:46


In general you have to keep your certificates secured. A file (and the password) can be copied easily. You can use cryptographic hardware to store certificates and perform signatures, preventing anybody from stealing them.

For SSL certificates, note that they have been issued to a domain name or IP address. So anybody who steals your certificate cannot use it, because he does not own your DNS. If he tries to use the certificate from another domain, the browser will reject the connection.

pedrofb
  • That's true for SSL certificates, but what about the client or device certificates, which are not checked for the hostname during the SSL handshake? – smallarv Oct 22 '16 at 14:01
  • Site certificates are not installed on client devices, only the root of the certificate chain. If the root of a trusted certificate issuer is hacked, the attacker could generate valid certificates for any site. Thus, those certificates are well protected: they have been generated in cryptographic hardware, which is stored in a safe, and the password is divided into parts shared by two or more people. If you use an SSL self-signed certificate and install it in a browser, the hostname check would fail if it is found on a strange site. Nobody could replace your site without also hacking DNS – pedrofb Oct 23 '16 at 07:39
  • I was referring to the client certificates used in 2-way SSL – smallarv Oct 23 '16 at 10:16
  • In fact, in a Java application with client certificates, the keystore can be duplicated. You can use a password-protected PKCS#12 keystore (the content is encrypted) instead of JKS and also set a password for the certificate. It would be a good solution to use the operating system keystore, but with Java it is not possible – pedrofb Oct 23 '16 at 14:45


I was working on TLS implementations and found out that you can use any keystore or truststore without providing any password in java client or server.

This is incorrect. A Java KeyStore can contain three types of entries: trusted certificate entries, private key entries, and secret key entries.

The integrity of trusted entries is protected by the keystore password. However, the keystore can be loaded and the trusted entries used without checking the integrity of the keystore. Doing so creates a vulnerability.

The confidentiality of private key and secret key entries is protected by password-based encryption. Unlike trusted entries, these confidential entries cannot be accessed without the password. You can see this yourself by trying to recover a private key without a password, or with the wrong password.

erickson
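smallarv's own answer and erickson's answer above describe the same two mechanisms in a JKS file: the keystore password feeds an integrity digest over the whole file, which KeyStore.load skips when the password is null, and it separately encrypts each private key entry. The block below is an added example, not code from the question, either answer, or the JDK: it reimplements the JKS container layout and the JDK's KeyProtector key-wrapping algorithm in Python (standard library only) so both behaviours can be exercised against a constructed file. The alias names, the password "changeit", and the certificate and key bytes are all assumptions for illustration (the byte strings are placeholders, not real DER). The protected key is also stored as the raw salt||ciphertext||check blob without the EncryptedPrivateKeyInfo DER wrapper the JDK puts around it, so the output is not a file keytool would open.

```python
# Added example, not code from the question, the answers or the JDK: the JKS file layout
# and the JDK KeyProtector algorithm reimplemented with the Python standard library only.
import hashlib
import io
import os
import struct

MAGIC, VERSION, TAG_PRIVATE_KEY, TAG_TRUSTED_CERT = 0xFEEDFEED, 2, 1, 2
MIGHTY_APHRODITE = b"Mighty Aphrodite"  # literal the JDK mixes into the integrity digest
SALT_LEN = DIGEST_LEN = 20              # SHA-1 output size, used throughout JKS

def _pw_bytes(password):
    return password.encode("utf-16-be")  # Java hashes the password as UTF-16BE code units

def _xor_keystream(data, pw, salt):
    """KeyProtector pad: block_i = SHA1(pw || block_{i-1}) starting from the salt, XORed in."""
    stream, block = b"", salt
    while len(stream) < len(data):
        block = hashlib.sha1(pw + block).digest()
        stream += block
    return bytes(d ^ s for d, s in zip(data, stream))

def protect_key(plain, password):
    """KeyProtector.protect(): salt || (key XOR keystream) || SHA1(pw || key)."""
    pw, salt = _pw_bytes(password), os.urandom(SALT_LEN)
    return salt + _xor_keystream(plain, pw, salt) + hashlib.sha1(pw + plain).digest()

def recover_key(blob, password):
    """KeyProtector.recover(): the trailing check digest fails on any wrong password."""
    if password is None:  # JavaKeyStore.engineGetKey rejects a null password up front
        raise ValueError("Password must not be null")
    pw = _pw_bytes(password)
    salt, enc, check = blob[:SALT_LEN], blob[SALT_LEN:-DIGEST_LEN], blob[-DIGEST_LEN:]
    plain = _xor_keystream(enc, pw, salt)
    if hashlib.sha1(pw + plain).digest() != check:
        raise ValueError("Cannot recover key")
    return plain

def _utf(s):  # DataOutput.writeUTF: 2-byte length prefix, then the bytes
    b = s.encode()
    return struct.pack(">H", len(b)) + b

def write_keystore(certs, keys, password):
    """certs: {alias: der}; keys: {alias: (key_der, [chain_der, ...])}. Timestamps fixed at 0."""
    out = struct.pack(">III", MAGIC, VERSION, len(certs) + len(keys))
    for alias, der in certs.items():  # trusted entries are stored in the clear
        out += struct.pack(">I", TAG_TRUSTED_CERT) + _utf(alias) + struct.pack(">Q", 0)
        out += _utf("X.509") + struct.pack(">I", len(der)) + der
    for alias, (key, chain) in keys.items():  # only the key itself is encrypted
        blob = protect_key(key, password)
        out += struct.pack(">I", TAG_PRIVATE_KEY) + _utf(alias) + struct.pack(">Q", 0)
        out += struct.pack(">I", len(blob)) + blob + struct.pack(">I", len(chain))
        out += b"".join(_utf("X.509") + struct.pack(">I", len(d)) + d for d in chain)
    # Integrity check: a bare SHA-1 over password || "Mighty Aphrodite" || body, no keyed MAC
    return out + hashlib.sha1(_pw_bytes(password) + MIGHTY_APHRODITE + out).digest()

def read_keystore(data, password=None):
    """Like KeyStore.load(in, password): with None the digest is skipped, entries still load."""
    body, digest = data[:-DIGEST_LEN], data[-DIGEST_LEN:]
    if password is not None and digest != hashlib.sha1(
            _pw_bytes(password) + MIGHTY_APHRODITE + body).digest():
        raise ValueError("Keystore was tampered with, or password was incorrect")
    f = io.BytesIO(body)
    def u32():
        return struct.unpack(">I", f.read(4))[0]
    def utf():
        return f.read(struct.unpack(">H", f.read(2))[0]).decode()
    def cert():
        utf()  # certificate type, always "X.509" here
        return f.read(u32())
    _magic, _version, count = struct.unpack(">III", f.read(12))
    entries = {}
    for _ in range(count):
        tag, alias, _timestamp = u32(), utf(), f.read(8)
        if tag == TAG_TRUSTED_CERT:
            entries[alias] = ("cert", cert())
        elif tag == TAG_PRIVATE_KEY:  # the blob stays encrypted until recover_key() is called
            blob = f.read(u32())
            entries[alias] = ("key", blob, [cert() for _ in range(u32())])
    return entries

# Constructed stand-ins for DER certificates and a PKCS#8 key; not real ASN.1.
CA_CERT = b"\x30\x82CONSTRUCTED-CA-CERT"
SERVER_CERT = b"\x30\x82CONSTRUCTED-SERVER-CERT"
SERVER_KEY = b"\x30\x82CONSTRUCTED-PRIVATE-KEY" * 4

def demo(password="changeit"):
    """What a copy of the file yields with no password, a wrong one and the right one."""
    ks = write_keystore({"ca": CA_CERT}, {"server": (SERVER_KEY, [SERVER_CERT])}, password)
    entries = read_keystore(ks)  # no password: loads fine, integrity unverified
    blob = entries["server"][1]
    results = {"cert_readable_without_password": entries["ca"][1] == CA_CERT,
               "key_blob_is_not_plaintext": SERVER_KEY not in blob,
               "key_with_correct_password": recover_key(blob, password) == SERVER_KEY}
    for label, fn in (("load_with_wrong_password", lambda: read_keystore(ks, "changeme")),
                      ("key_with_null_password", lambda: recover_key(blob, None)),
                      ("key_with_wrong_password", lambda: recover_key(blob, "changeme"))):
        try:
            fn()
            results[label] = "ok"
        except ValueError as err:
            results[label] = str(err)
    return results
```

demo() returns a dict showing that a copy of the file yields the trusted certificates (and the chain stored next to the key) with no password at all, while the private key comes back only as an opaque blob that recover_key() refuses to open with a null or a wrong password, and that a wrong password is detected at load time only because the integrity digest is actually checked. Two caveats that this thread, written while JKS was still Java's default keystore type, does not mention. First, that integrity check is a bare SHA-1 over the password and the file contents rather than a keyed MAC, and the key protection is a SHA-1 keystream XOR with a check digest; this construction is why keytool in JDK 9 and later warns that JKS is a proprietary format and recommends migrating, and why PKCS12 became the default keystore type in JDK 9. Second, a PKCS12 keystore written by keytool with its default settings encrypts the certificate bags as well, so loading it with a null password yields no certificate entries at all: the read-without-password behaviour discussed here is specific to JKS.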