• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Ron McLeod
  • Rob Spoor
  • Tim Cooke
  • Junilu Lacar
Sheriffs:
  • Henry Wong
  • Liutauras Vilda
  • Jeanne Boyarsky
Saloon Keepers:
  • Jesse Silverman
  • Tim Holloway
  • Stephan van Hulst
  • Tim Moores
  • Carey Brown
Bartenders:
  • Al Hobbs
  • Mikalai Zaikin
  • Piet Souris

Storing string(key) securely in a file

 
Greenhorn
Posts: 7
Eclipse IDE Tomcat Server Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi,

I have a scenario where i have to store a string (key) in a file securely, and retrive it for creating message digest.
I tried importing the string into a KeyStore. But KeyStore can only store Key objects, and i dont know any way to store String in KeyStore.
Please suggest if there any way to store String in KeyStore or any alternate methods to store String securely in a file.

Thanks!!
 
Bartender
Posts: 6109
6
Android IntelliJ IDE Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

vishwamitra hegde wrote:Hi,

I have a scenario where i have to store a string (key) in a file securely,



Then you have to encrypt that file. And when it's time to read that file, a human user who knows the decryption key for the file has to enter it.
 
Bartender
Posts: 10780
71
Hibernate Eclipse IDE Ubuntu
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Jeff Verdegan wrote:Then you have to encrypt that file. And when it's time to read that file, a human user who knows the decryption key for the file has to enter it.


It's also better if that file isn't called 'password' or 'keystore'.

Winston
 
Jeff Verdegan
Bartender
Posts: 6109
6
Android IntelliJ IDE Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Winston Gutkowski wrote:

Jeff Verdegan wrote:Then you have to encrypt that file. And when it's time to read that file, a human user who knows the decryption key for the file has to enter it.


It's also better if that file isn't called 'password' or 'keystore'.

Winston



Meh. Security through obscurity is overrated.

The real problem, I suspect, is that the OP wants to store a password, say, for a DB or web service, so that his app can run without human intervention. But he's missing the point that if his app can decrypt the "key file", then so can anybody who can read his app's classes and resources. It's turtles all the way down, as they say.
 
Winston Gutkowski
Bartender
Posts: 10780
71
Hibernate Eclipse IDE Ubuntu
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Jeff Verdegan wrote:But he's missing the point that if his app can decrypt the "key file", then so can anybody who can read his app's classes and resources...


ie, security is recursive.

Winston
 
vishwamitra hegde
Greenhorn
Posts: 7
Eclipse IDE Tomcat Server Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Jeff Verdegan wrote:

Winston Gutkowski wrote:

Jeff Verdegan wrote:Then you have to encrypt that file. And when it's time to read that file, a human user who knows the decryption key for the file has to enter it.


It's also better if that file isn't called 'password' or 'keystore'.

Winston



Meh. Security through obscurity is overrated.

The real problem, I suspect, is that the OP wants to store a password, say, for a DB or web service, so that his app can run without human intervention. But he's missing the point that if his app can decrypt the "key file", then so can anybody who can read his app's classes and resources. It's turtles all the way down, as they say.



I am not storing a password. Its just a String which i am using to generate message digest, which is sent to another server for user authentication, and I want to store that String in some way that should not be accessible.
 
Java Cowboy
Posts: 16084
88
Android Scala IntelliJ IDE Spring Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

vishwamitra hegde wrote:I am not storing a password. Its just a String which i am using to generate message digest, which is sent to another server for user authentication, and I want to store that String in some way that should not be accessible.


What Jeff explained is this: if your program can get the string out of the secure storage, then so can (in principle) the user, bypassing your program. There is no way that you can securely store something in such a way that only your program can read it and nobody else ever can. A hacker can disassemble your program and find out how it works, and discover how it gets the string out of the secure storage.

In other words, if you rely only on a keystore file on a local computer, it is impossible to make this 100% safe.

What you could do is encrypt the string with a secret key, which is protected by a password. However, you can't store that password anywhere (not even hard-coded in your program) because somebody might find it. The only thing you could do is what Jeff says:

Jeff Verdegan wrote:And when it's time to read that file, a human user who knows the decryption key for the file has to enter it.


 
reply
    Bookmark Topic Watch Topic
  • New Topic