3

I'm writing a Java class that connects to a server and reads messages in a given queue.

I would like to protect the username and password, which, right now, appear as plain text in the source code.

What I'm wondering, is, what is a good way to do this? If I encrypt the username and password in a text file, won't I need to store the key, in plain text, in any source code that accesses this file? And then anyone else who decides to use my class will be able to gain access to these fields.

There is no prompt where someone can enter the key, either, as this class will autonomously be used by the system.

EDIT: this will become a java lib file. But those can easily be decompiled and thus are basically the original class files anyway, right? And the people this is being protected from are fellow developers of other systems who will gain access to this lib file.

My End Goal: is to have the username and password strings not appear as plain text anywhere, and for them to be as difficult as possible to crack.

CrazyPenguin
  • 619
  • 2
  • 10
  • 29
  • If this is going to be distributed to the general public, you can pretty much forget about securing this information. No matter how you try to protect it, it will be reverse-engineered within a day. – cdhowie Nov 30 '10 at 18:09
  • It's not PUBLIC public, as in general public. But it will be distributed to other people in the office. And my boss suggested encrypting the username and password in a separate file, but I don't see the point if I need to then store the key. – CrazyPenguin Nov 30 '10 at 18:13
  • Are username and password client specific? Can you shift the problem off to sysadmins, or do you not want your users to know what they are? – nmichaels Nov 30 '10 at 18:13
  • No, it's just one username and password for the given queue that this is being written for. So I don't think anyone who uses this thing I'm making overly needs to know the credentials. – CrazyPenguin Nov 30 '10 at 18:19
  • EDIT: no, I don't want them to know what they are – CrazyPenguin Nov 30 '10 at 18:29
  • What is the expected life-cycle of the app? – Jake Kurzer Nov 30 '10 at 19:22

5 Answers5

5

It is not possible to do this. Even if you encrypt the login/password and store it somewhere (may it be your class or an external file) you'd still need to save the encryption key somewhere in plain text. This is actually just marginally better than saving username/password in plain text, in fact I would avoid doing so as it creates a false sense of security.

So I'd suggest that your class takes username/password as a parameter and that the system which is using your class will have to care about protecting the credentials. It could do so by asking an end user to enter the credentials or store them into an external file which is only readable to the operating system user that your process is running as.

Edit: You might also think about using mechanisms such as OAuth which use tokens instead of passwords. Tokens have a limited life time and are tied to a certain purpose so they pose a good alternative to access credentials. So your end users could get an access token with their,say, Windows credentials, which is then used inside your class to call the protected service.

Jan Thomä
  • 13,296
  • 6
  • 55
  • 83
  • +1 for parameterizing it and putting it outside the class. You probably can't avoid having the pw on disk somewhere, but at least you don't need to have it in your source tree. – David Gelhar Nov 30 '10 at 18:15
  • The thing about parametrization, I was thinking, is that the parameters will always be the same username and password. And then the other developers that use this will HAVE to know what the username and password are. And they are who this is being (attempted to be) protected from. – CrazyPenguin Nov 30 '10 at 18:27
  • 3
    In that case this sounds like you want to solve a social problem with a technical solution. It's like you want your car repaired but you don't trust the mechanic enough to give him the key to your car. Maybe you could shell out limited access credentials which allow your developers only to do the things they are supposed to do with the target resource (e.g read-only access), or change them to something else once the developers have finished their work. – Jan Thomä Nov 30 '10 at 18:34
1

This is a classic authentication issue, except that here, Eve can wear Bob's skin like a suit. Is that stretching the metaphor? I'm not sure.

The short answer is that there is no true answer, because what you want is something that basically violates information theory, in that anything transmittable is copyable and thus anything accessible can be viewed as no-longer-unique. Even if you had a magic box, they could just yank out the magic box with some serious JVM hacking.

The long answer is that there are a few solutions that are almost pretty okay, by making it really quite darn hard. I suggest you read the article linked, acquaint yourself with the ideas behind SRP, the vulnerabilities the spec entails, and try to figure out how to get the right to use and implement it. The problem is still there though. It's that you want a system that ensures Bob can never become a flesh-chariot, or fall to the dark side.

Fundamentally, you're breaking the tenth law. I agree with Kork, there's no solution that really does what you want, because you're trying to solve a social problem with a technical feat, one that is quite nearly provably impossible.

Jake Kurzer
  • 1,532
  • 4
  • 16
  • 25
0

I know this question is long since abandoned, but I want to point out that of course you can do this by requiring typed credentials at runtime but only storing a hash of the password. Of course, it needs to be a really good hash. Use a standard one, don't make up your own. The whole point of a hash is that even if you plain text the hashed result, no one else will be able to come up with a string that yields that hash, even if they know how the hash is computed.

Of course users can try a brute force attack, and since they know the result they want they can run it fast, so you need to use a highly secure password.

0

There are a few ways of handling this problem. The challenge as you've noted is associating an account with this automated process. So, here are some of the possibilities (from least secure to more secure):

  1. Encrypt the username and password with a calculated key.
    • The calculated key is based on something both the client and the server can infer (like machine name and IP address)
  2. Associate an authentication token with the client (OAuth style).
    • The token is negotiated by a one time user interaction to set up the client
    • The negotiated token is used for all future requests
    • The negotiated token is only valid for that client on that machine using that user account (server uses socket info to determine the match)
  3. Use multiple forms of authentication
    • OAuth style token
    • Calculated token based on time + secondary id (requires clients and servers to be synched to the same time server)

It is important to note that your security measures should be more restrictive than it is worth to crack. In short, if all the potential bad guy is only going to be able to get your food preferences of the day you might not need to be as vigilent as protecting something more high profile like a bank account. User names and paswords are not the only means of authentication.

Berin Loritsch
  • 11,400
  • 4
  • 30
  • 57
0

It's not clear which code has to know the user name & password. Are these credentials just for the queue being read? If so, only the server code would need to know them. In that case, you could store them in a server file whose permissions allow only the server code to read them. The file permissions would then be enforced by the server operating system, which presuambly is much better at security than most programmers will ever be.

aksarben
  • 588
  • 3
  • 7