I am using JASYPT for encryption/decryption of passwords in our Java-based software. This is how we encrypt the password:

    import org.jasypt.util.text.StrongTextEncryptor;

    // Password-based encryption: the actual key is derived from PASSWORD_ENCRYPTION_KEY
    StrongTextEncryptor textEncryptor = new StrongTextEncryptor();
    textEncryptor.setPassword(PASSWORD_ENCRYPTION_KEY);
    String ePasswd = textEncryptor.encrypt(txtPasswd);

Now, where and how should I store this PASSWORD_ENCRYPTION_KEY used in the above code? What is the most secure or common way of storing and accessing these keys in a Java program?

Thanks, Deep

DG.
  • The most secure place would be "not on the user's computer". – millimoose Dec 04 '11 at 16:10
  • 1
    You may want to read http://ronrothman.com/public/leftbraned/password-security-its-not-that-hard-but-you-still-cant-get-it-right/. If your software stores passwords in such a way that you can recover them, then you are doing something wrong, even if you obfuscate them with encryption, and especially if you are storing the encryption key along with the encrypted data. – James Clark Dec 04 '11 at 17:35
  • what type of password are you storing there? if it's a users password, go with salted hashes as James Clark suggested ... if not, it depends on the context of that password – DarkSquirrel42 Dec 04 '11 at 20:51
  • @DarkSquirrel42 - We encrypt the user password and password to encrypt PDF file and then store it in the database. At the time of decryption, we get the encrypted password, decrypt it using the KEY and do other processing. Right now the key is in plain text form in Java code: String PASSWORD_ENCRYPTION_KEY = "deep123"; What I want to do is to hide this key or at least make this not in human readable form. Want to protect it from hackers and freelancers that are involved in our project development. – DG. Dec 05 '11 at 12:45
  • 3
    You can not really do that in the end. You only can store it somewhere else, but even then - if you've got an automatic system - your key will never be safe against use. If you've got enough money/time, you may be able to store it in a SmartCard, TPM or even HSM. That will protect the key data against extraction (*if* the key management is in order) but it still won't protect against usage of the key. It's like locking a safe with a key: where to put the key? In another safe? This is where PKI key management usually comes in play. But that'll take a book to explain. – Maarten Bodewes Dec 05 '11 at 21:30

1 Answer

Nowhere...

you shouldn't store the PASSWORD_ENCRYPTION_KEY in your program as this is the wrong approach. Like owlstead already pointed out: you'd need a Public Key Infrastructure.

Basically you could encrypt the PDF for every user that needs to have access to it, so they'd be able to decrypt it with their personal private key. This is done in a matter of encrypting the PDF, let's say with AES-256, and then encrypting the used key with the public key of each user. Those personally encrypted keys are safe for storage.

xmoex
  • how would you do that with a headless app that no-one logs into? The only ID I can think of in this case would be the id of the unix user that the app runs as. Where would you keep the private key for that user? Surely that would be in the `/home/user/.ssh/` directory and therefore on the same machine. – Adam Oct 22 '14 at 15:51
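The scheme the answer describes (encrypt the PDF once with a random AES-256 key, then wrap that key with each recipient's public key) is usually called envelope or hybrid encryption. The following is an added illustration, not code from the answer's author or from Jasypt. It assumes AES-256-GCM for the content and RSA-OAEP (SHA-256) for wrapping, which the answer does not specify, and it generates the users' RSA key pairs in-process purely so the example runs stand-alone; in a real deployment each private key stays with its user (a smart card, the OS key store, or similar) and the application only ever holds public keys and wrapped copies. The sample "PDF" bytes are constructed. It does not solve the headless-server case raised in the last comment: there the private key still has to live somewhere the service can reach.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class EnvelopeEncryptionDemo {

    // What gets stored: the AES-GCM ciphertext (tag included) plus one wrapped copy of
    // the content key per recipient. The plaintext content key itself is never stored.
    static final class SealedDocument {
        final byte[] iv;
        final byte[] ciphertext;
        final Map<String, byte[]> wrappedKeys = new HashMap<>(); // userId -> RSA-OAEP(contentKey)
        SealedDocument(byte[] iv, byte[] ciphertext) { this.iv = iv; this.ciphertext = ciphertext; }
    }

    // Encrypt the document with a fresh random AES-256 key, then wrap that key for each recipient.
    static SealedDocument seal(byte[] pdfBytes, Map<String, PublicKey> recipients) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey contentKey = kg.generateKey();

        byte[] iv = new byte[12];                      // 96-bit nonce, unique per content key
        new SecureRandom().nextBytes(iv);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, contentKey, new GCMParameterSpec(128, iv));
        SealedDocument doc = new SealedDocument(iv, aes.doFinal(pdfBytes));

        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        for (Map.Entry<String, PublicKey> r : recipients.entrySet()) {
            rsa.init(Cipher.ENCRYPT_MODE, r.getValue());
            doc.wrappedKeys.put(r.getKey(), rsa.doFinal(contentKey.getEncoded()));
        }
        return doc;
    }

    // A recipient unwraps their own copy of the content key with their private key, then decrypts.
    static byte[] open(SealedDocument doc, String userId, PrivateKey privateKey) throws Exception {
        byte[] wrapped = doc.wrappedKeys.get(userId);
        if (wrapped == null) throw new IllegalArgumentException("no key wrapped for " + userId);

        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.DECRYPT_MODE, privateKey);
        SecretKey contentKey = new SecretKeySpec(rsa.doFinal(wrapped), "AES");

        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.DECRYPT_MODE, contentKey, new GCMParameterSpec(128, doc.iv));
        return aes.doFinal(doc.ciphertext);            // AEADBadTagException if the ciphertext was altered
    }

    public static void main(String[] args) throws Exception {
        // Demo only: in practice the users generate these and keep the private halves themselves.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair alice = kpg.generateKeyPair();
        KeyPair bob = kpg.generateKeyPair();
        KeyPair outsider = kpg.generateKeyPair();      // not a recipient of the document

        Map<String, PublicKey> recipients = new HashMap<>();
        recipients.put("alice", alice.getPublic());
        recipients.put("bob", bob.getPublic());

        byte[] pdf = "%PDF-1.4 constructed sample document".getBytes(StandardCharsets.UTF_8);
        SealedDocument sealed = seal(pdf, recipients);

        System.out.println("alice: " + new String(open(sealed, "alice", alice.getPrivate()), StandardCharsets.UTF_8));
        System.out.println("bob:   " + new String(open(sealed, "bob", bob.getPrivate()), StandardCharsets.UTF_8));
        try {
            open(sealed, "bob", outsider.getPrivate()); // wrong private key cannot unwrap bob's copy
        } catch (Exception e) {
            System.out.println("outsider rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

Adding a new reader later means wrapping the existing content key with one more public key, not re-encrypting the document; revoking one means removing their wrapped copy and, if they may already have seen the key, re-sealing with a fresh content key. Nothing in the application's source or database holds a secret that decrypts the PDF on its own, which is the point the answer makes against a hard-coded PASSWORD_ENCRYPTION_KEY.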