22

I have a java properties object with authentication information for a web service. I need to encrypt that data, but I don't know where I need to store the encryption key for it to remain secure.

What are the best practices around encrypting this data and retrieving it in a secure way?

Is there any advantage to using a keystore?

ws_user=username
ws_password=password
ws_url=https://www.whatever.com/myservice
ScArcher2
  • 85,501
  • 44
  • 121
  • 160
  • It seems like if my application needs to have access to the key, there's not a way to "secure" it. If I store it in a keystore is would be more obscure, but it doesn't seem more secure. I hope I'm wrong :) – ScArcher2 Dec 02 '11 at 14:55
  • It sounds ultimately like a bootstrapping problem. At some point in the chain you have to have a key with which to unencrypt something. Even if you use a keystore, you need a password for that keystore. Is there no way you can change your authentication scheme? Also, you might get some pretty knowledgeable responses on http://security.stackexchange.com/ if you ask there. – mcfinnigan Dec 02 '11 at 15:00
  • @mcfinnigan that's what I thought. I just wanted to see if there were any ways around the problem. – ScArcher2 Dec 02 '11 at 15:39
  • Either you're going to be storing an encryption key somewhere (or embed it in the code), or you're going to trust the storage device to be secure. Chicken and egg, as it were. – David R Tribble Dec 02 '11 at 19:13
  • anyone want to put that as an answer and i'll accept it? – ScArcher2 Dec 06 '11 at 16:27
  • 1
    Secure against whom? Secure against the owner of the client PC is impossible. – CodesInChaos Dec 09 '11 at 15:10

4 Answers4

11

Your problem is a common one. In linux, user passwords are stored in a plain text file. Although only the password hashes are stored, if an attacker gets access to that file, he will not take long to discover some password using an offline dictionary attack. In this case, the OS relies on file permissions to deny access to unauthorized users. In your case, it is not much different. You must configure the password file permissions properly and ensure the physical security of the server.

dsboger
  • 496
  • 4
  • 8
  • I ran into a situation where a customer's security policy required the encryption of username / passwords in configuration files. It seemed silly, but I thought I'd check here to see if I was missing something. – ScArcher2 Dec 13 '11 at 22:49
  • May be good enough for Linux, but what about Windows, where unfortunately, it's still common practice to work with admin rights? UAC had to improve a bit this situation, but most Windows users are still not aware of implications of accepting UAC permissions elevation request – Denis Itskovich May 06 '19 at 15:58
7

The bottom line is that somewhere needs to have the "root-of-the-chain" password in an unencrypted form. An OS-protected local file, an OS-protected remote file, hardcoded in the source, etc.

The only way around that is to require a human to type the initial password at application start, which obviously isn't possible for applications which need to autostart.

dbreaux
  • 4,982
  • 1
  • 25
  • 64
  • Question is closed, but it appears still getting some hits, so I wanted to also mention this OWASP project https://owasp.org/www-project-sidekek/ "SideKEK provides inexpensive means to protect cryptographic master keys (key encryption keys, KEKs) in a way that is resistant to some of the most common remote file exfiltration attacks." – dbreaux Mar 23 '23 at 17:58
5

This is a chicken-egg problem.
You will then need to to find where to store the password for the keystore and and so on.....

Depending on your security requirements and needs, you could enrypt the data using symmetric encryption and retrieve the password via a remote server (your server) using client side certificate authentication.

Or you could encrypt the data using symmetric enryption and have the password hardcoded in your jar, which is not safe but requires some effort to find it and you could delegate responsibility to the file system permissions on who can access your files.

Cratylus
  • 52,998
  • 69
  • 209
  • 339
1

I have had success using Jasypt's StringEncrytor to encrypt sensitive information in properties files and some in-house procedures for generating salts and retrieving the password. Since you're using a web service, you could use Jasypt's Web PBE Configuration to manually enter the password at deploy time or even roll your own similar solution.

Go Dan
  • 15,194
  • 6
  • 41
  • 65
  • Hi Dan, have you used the Web PBE Configuration? I think it can solve the chicken-egg problem (always need a master key to encrypt text). How does it have to be set up? I am little bit puzzled. Thanks for the help! V. – Viktor May 08 '15 at 09:18