This week's book giveaway is in the Programmer Certification forum.
We're giving away four copies of OCP Oracle Certified Professional Java SE 11 Programmer I Study Guide: Exam 1Z0-815 and have Jeanne Boyarsky & Scott Selikoff on-line!
See this thread for details.
Win a copy of OCP Oracle Certified Professional Java SE 11 Programmer I Study Guide: Exam 1Z0-815 this week in the Programmer Certification forum!
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Liutauras Vilda
  • Junilu Lacar
  • Jeanne Boyarsky
  • Bear Bibeault
Sheriffs:
  • Knute Snortum
  • Devaka Cooray
  • Tim Cooke
Saloon Keepers:
  • Tim Moores
  • Stephan van Hulst
  • Tim Holloway
  • Ron McLeod
  • Carey Brown
Bartenders:
  • Paweł Baczyński
  • Piet Souris
  • Vijitha Kumara

Ideas for simple way to protect information stored in java code?

 
Ranch Hand
Posts: 36
1
Python Java Linux Windows
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I am providing my solution in the form of a java project, including the source (not just a compiled program).
There's no particular security concern here, since the whole product and my project (which does some additional stuff
with the product), as well as the infrastructure it's deployed on, will be made public for anyone to use.

Still, I think I should protect as much data as I can, and when things become public, we can look into un-protecting
anything we want.
Also, from a personal point of view, I am fascinated by the opportunity to do things this way. Definitely useful for
future projects!

The source makes use of some protected files and information:
- p12 keystore files (I need to deliver those with my solution)
- keystore passwords
- passwords to private keys inside the keystores

I am already aware of Hashicorp Vault and have used that successfully, but I don't think we deploy this into our
platforms and my needs are much more simple.

What I am currently doing:
-Dexecpass=myPassword

And this already provides pretty decent protection: All keystores are protected with the same password, which is
given to users via a secure channel and hopefully they don't stick a post-it note with it on their screen!

However, I am still not happy:
- Passwords to Private keys that are inside the protected keystores are hard-coded in an enum
- I am going to have a lot of keystores, private keys, etc...
- I am also thinking about issuing different passwords to users, to enable some form of repudiation

I want to avoid: -Dexecpass=myPassword -Dprvkpass1=myPrvKpass1, -Dpkrvpass2=myPrvKpass2, ...

I was thinking something like an encrypted file with all the passwords and ONE -Dexecpass=... will open everything.

What are some simple ways to write some java code that decrypts a file that I can distribute freely?
 
Todor Kolev
Ranch Hand
Posts: 36
1
Python Java Linux Windows
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Considering this one so far:
https://www.codejava.net/coding/file-encryption-and-decryption-simple-example

Will start this weekend. But if you have a better idea, would love to hear
 
Saloon Keeper
Posts: 10783
230
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
So why not just store all the private keys with the same password as the keystore? Then you have one password per customer. It's effectively just as secure as having one master password that unlocks a file of other passwords.

Todor Kolev wrote:- I am also thinking about issuing different passwords to users, to enable some form of repudiation


How do you figure? While issuing different passwords is a good idea, I don't see how it would have any effect on repudiation.

Considering this one so far:
https://www.codejava.net/coding/file-encryption-and-decryption-simple-example


For encrypting the master password file? If you really want to go that route, then definitely don't use the code presented on the page you linked to. It's full of security holes.

Search our security forum for authenticated encryption. I wrote several examples of how to encrypt files properly. But I don't think that will help you here. A master password file is not going to make your application more secure, and it's just another moving part waiting to break.
 
Ranch Foreman
Posts: 53
2
  • Likes 1
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Maybe I didn't got the overall background - but sharing private keys sounds a very bad idea.
Private keys should, as thier name implies, be kept private to the one created them and never shared. When you want to use a-symmetric cryptography as some way of authentication or to exchange data, you should do it the PKI way: each party creates a key pair, let a trusted third party cofirm that a public key belongs to it's creator by issue a certificate and use these certificates to exchange a pre-master secret of wich the derived master secret then be used to exchange data securely.
Sharing private keys always comes with the negative that each signature is already broken and each crypto can be decrypted - that's not what a-symmetric crypto should used for.
Also: distributing encypted data along with the key is the same as distribute the data in plain.

I guess I really don't get what OP's asking - maybe OP / someone can lighten me up?
 
Todor Kolev
Ranch Hand
Posts: 36
1
Python Java Linux Windows
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Sorry for the late reply. I've amazingly managed to solve a really complex unrelated SSL issue (so proud!).
I've made pretty decent progress on this issue as well.

Just to clarify the context: The application being shared is a client. I want the client to work for all the intended recipients, therefore, I want to provide them the private keys which are used in client-side authentication.
Of course, I want to protect the private keys if the application somehow reaches an unintended recipient.
At this point, I should add that recipients are very trustworthy. They are not supposed to store that main password anywhere or provide it to someone else onwards. I guess that's still a possibility but, in the end, every vault is as secure as the people who can access it and therefore, every secret is liable to be made public.
Like, we can make a medical record be super tightly secured but a doctor has to read it at some point and they might choose to tell their husband about it and so on... I am just providing some protection here in case the laptop is stolen, etc...

As for storing everything in the same keystore - that's actually the first thought I had but there are a few complications:
A. As I was designing the class structure, I had the feeling that storing secrets in the keystore may incur added complications.
One feeling that I had is that you cannot refer to specific secrets in the keystore. I am still not sure how, if you store several certificates in the same keystore, you could refer to just one of them.
For example, when you are creating a socket using a keystore and the private key of a certificate in that keystore, you don't point to the exact certificate but just supply a password:

I imagine that what it is doing must be like: "try this password on all certificates and pop the first certificate that is deciphered correctly with this password.

B. My application has a use case for keeping several keystores with different certificates in each. I would not like certificates from one environment to be provided in the same keystore as certificates from another environment.
I realize this isn't how keystores and truststores work naturally.
For example, I know that I have ONE truststore for my browsing and when I want to authenticate a server, the browser will traverse all the CA certificates rather than have an exact path to the specific certificate...
 
Todor Kolev
Ranch Hand
Posts: 36
1
Python Java Linux Windows
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Anyway, I will be done this weekend and I will show my code for the poor fellow who might just have a use case like mine!
 
Stephan van Hulst
Saloon Keeper
Posts: 10783
230
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
As Kristina pointed out, handing out private keys is just a really bad idea.

The usual way you would do this is by letting a client generate their own private keys, and only use them to establish a secure connection. Then the client authenticates itself by sending a secret. This secret has nothing to do with private keys. You may distribute a key store with secret keys with your client, but I really question the wisdom of distributing private keys.
 
Todor Kolev
Ranch Hand
Posts: 36
1
Python Java Linux Windows
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Stephen, would the security mechanism that you suggest (each client generates their own private key) involve the client having to publish the matching public key, which will have to be installed on the server?

Also, isn't a private key relatively secure if it's encrypted by AES 256 bits?

I would like to point that I definitely agree about private keys being... private
But this client has zero abuse potential. Security here is more about preventing someone asking silly question before proper documentation is published.

The client will be published without any internal crypto. The server in question is a public server that anyone with $4.99 can request a valid client certificate for.
The API that the server exposes is read-only.
The resources that are being read are WHOIS data, which is available for free by any WHOIS site...

Just wanted to put things in the right context.
But also some really interesting discussion here that I take to heart!
 
I can't renounce my name. It's on all my stationery! And hinted in this tiny ad:
Java file APIs (DOC, XLS, PDF, and many more)
https://products.aspose.com/total/java
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
Boost this thread!