Storing string(key) securely in a file

 
vishwamitra hegde
Hi,

I have a scenario where I have to store a string (key) in a file securely, and retrieve it for creating a message digest.
I tried importing the string into a KeyStore. But KeyStore can only store Key objects, and I don't know any way to store a String in a KeyStore.
Please suggest if there is any way to store a String in a KeyStore, or any alternate methods to store a String securely in a file.

Thanks!!
 
Jeff Verdegan
vishwamitra hegde wrote: Hi,

I have a scenario where I have to store a string (key) in a file securely,


Then you have to encrypt that file. And when it's time to read that file, a human user who knows the decryption key for the file has to enter it.
 
Winston Gutkowski
Jeff Verdegan wrote:Then you have to encrypt that file. And when it's time to read that file, a human user who knows the decryption key for the file has to enter it.

It's also better if that file isn't called 'password' or 'keystore'.

Winston
 
Jeff Verdegan
Winston Gutkowski wrote:
Jeff Verdegan wrote:Then you have to encrypt that file. And when it's time to read that file, a human user who knows the decryption key for the file has to enter it.

It's also better if that file isn't called 'password' or 'keystore'.

Winston


Meh. Security through obscurity is overrated.

The real problem, I suspect, is that the OP wants to store a password, say, for a DB or web service, so that his app can run without human intervention. But he's missing the point that if his app can decrypt the "key file", then so can anybody who can read his app's classes and resources. It's turtles all the way down, as they say.
 
Winston Gutkowski
Jeff Verdegan wrote:But he's missing the point that if his app can decrypt the "key file", then so can anybody who can read his app's classes and resources...

i.e., security is recursive.

Winston
 
vishwamitra hegde
Jeff Verdegan wrote:
Winston Gutkowski wrote:
Jeff Verdegan wrote:Then you have to encrypt that file. And when it's time to read that file, a human user who knows the decryption key for the file has to enter it.

It's also better if that file isn't called 'password' or 'keystore'.

Winston


Meh. Security through obscurity is overrated.

The real problem, I suspect, is that the OP wants to store a password, say, for a DB or web service, so that his app can run without human intervention. But he's missing the point that if his app can decrypt the "key file", then so can anybody who can read his app's classes and resources. It's turtles all the way down, as they say.


I am not storing a password. It's just a String which I am using to generate a message digest, which is sent to another server for user authentication, and I want to store that String in some way that should not be accessible.
 
Jesper de Jong
vishwamitra hegde wrote: I am not storing a password. It's just a String which I am using to generate a message digest, which is sent to another server for user authentication, and I want to store that String in some way that should not be accessible.

What Jeff explained is this: if your program can get the string out of the secure storage, then so can (in principle) the user, bypassing your program. There is no way that you can securely store something in such a way that only your program can read it and nobody else ever can. A hacker can disassemble your program and find out how it works, and discover how it gets the string out of the secure storage.

In other words, if you rely only on a keystore file on a local computer, it is impossible to make this 100% safe.

What you could do is encrypt the string with a secret key, which is protected by a password. However, you can't store that password anywhere (not even hard-coded in your program) because somebody might find it. The only thing you could do is what Jeff says:
Jeff Verdegan wrote:And when it's time to read that file, a human user who knows the decryption key for the file has to enter it.
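
The approach described in this thread (encrypt the string under a key derived from a password that a person types at run time, and store that password nowhere) looks like this in Java. This is an added example, not code from any poster; the class name `SealedString`, the file layout and the PBKDF2 iteration count are assumptions, and it needs Java 8u161 or later for AES-256.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.SecureRandom;
import java.util.Arrays;

public class SealedString {  // hypothetical class name
    static final int SALT_LEN = 16, IV_LEN = 12, HDR = SALT_LEN + IV_LEN, ITERATIONS = 210_000;

    // PBKDF2 stretches the typed password into an AES-256 key; the key is never written to disk.
    static Cipher cipher(int mode, char[] password, byte[] salt, byte[] iv) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
        byte[] key = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        spec.clearPassword();
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, iv));
        return c;
    }

    // File layout (an assumption of this example): salt || iv || ciphertext+tag
    static byte[] seal(char[] password, String secret) throws Exception {
        byte[] salt = new byte[SALT_LEN], iv = new byte[IV_LEN];
        SecureRandom rnd = new SecureRandom();
        rnd.nextBytes(salt);  // fresh salt and IV on every write
        rnd.nextBytes(iv);
        byte[] ct = cipher(Cipher.ENCRYPT_MODE, password, salt, iv).doFinal(secret.getBytes(StandardCharsets.UTF_8));
        return ByteBuffer.allocate(HDR + ct.length).put(salt).put(iv).put(ct).array();
    }

    // Throws AEADBadTagException if the password is wrong or the file was modified.
    static String open(char[] password, byte[] blob) throws Exception {
        byte[] salt = Arrays.copyOfRange(blob, 0, SALT_LEN);
        byte[] iv = Arrays.copyOfRange(blob, SALT_LEN, HDR);
        byte[] pt = cipher(Cipher.DECRYPT_MODE, password, salt, iv).doFinal(blob, HDR, blob.length - HDR);
        return new String(pt, StandardCharsets.UTF_8);
    }

    // Usage: java SealedString seal|open <file>. System.console() is null without a terminal.
    public static void main(String[] args) throws Exception {
        char[] pw = System.console().readPassword("File password: ");
        if (args[0].equals("seal")) {
            char[] secret = System.console().readPassword("String to protect: ");
            Files.write(Paths.get(args[1]), seal(pw, new String(secret)));
        } else {
            System.out.println("Recovered " + open(pw, Files.readAllBytes(Paths.get(args[1]))).length() + " characters");
        }
    }
}
```

The file is only as strong as the typed password, and once opened the string lives in the process's memory, which is the limit the posts above describe.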

 