
Storing string(key) securely in a file

vishwamitra hegde
Greenhorn

Joined: Feb 09, 2012
Posts: 7

Hi,

I have a scenario where I have to store a string (key) in a file securely, and retrieve it for creating a message digest.
I tried importing the string into a KeyStore. But KeyStore can only store Key objects, and I don't know any way to store a String in a KeyStore.
Please suggest if there is any way to store a String in a KeyStore, or any alternate methods to store a String securely in a file.

Thanks!!

"Experience is what you get when you didn't get what you wanted" -- Randy Pausch
Jeff Verdegan
Bartender

Joined: Jan 03, 2004
Posts: 6109

vishwamitra hegde wrote:Hi,

I have a scenario where I have to store a string (key) in a file securely,


Then you have to encrypt that file. And when it's time to read that file, a human user who knows the decryption key for the file has to enter it.
Winston Gutkowski
Bartender

Joined: Mar 17, 2011
Posts: 8230

Jeff Verdegan wrote:Then you have to encrypt that file. And when it's time to read that file, a human user who knows the decryption key for the file has to enter it.

It's also better if that file isn't called 'password' or 'keystore'.

Winston


Isn't it funny how there's always time and money enough to do it WRONG?
Articles by Winston can be found here
Jeff Verdegan
Bartender

Joined: Jan 03, 2004
Posts: 6109

Winston Gutkowski wrote:
Jeff Verdegan wrote:Then you have to encrypt that file. And when it's time to read that file, a human user who knows the decryption key for the file has to enter it.

It's also better if that file isn't called 'password' or 'keystore'.

Winston


Meh. Security through obscurity is overrated.

The real problem, I suspect, is that the OP wants to store a password, say, for a DB or web service, so that his app can run without human intervention. But he's missing the point that if his app can decrypt the "key file", then so can anybody who can read his app's classes and resources. It's turtles all the way down, as they say.
Winston Gutkowski
Bartender

Joined: Mar 17, 2011
Posts: 8230

Jeff Verdegan wrote:But he's missing the point that if his app can decrypt the "key file", then so can anybody who can read his app's classes and resources...

i.e., security is recursive.

Winston
vishwamitra hegde
Greenhorn

Joined: Feb 09, 2012
Posts: 7

Jeff Verdegan wrote:
Winston Gutkowski wrote:
Jeff Verdegan wrote:Then you have to encrypt that file. And when it's time to read that file, a human user who knows the decryption key for the file has to enter it.

It's also better if that file isn't called 'password' or 'keystore'.

Winston


Meh. Security through obscurity is overrated.

The real problem, I suspect, is that the OP wants to store a password, say, for a DB or web service, so that his app can run without human intervention. But he's missing the point that if his app can decrypt the "key file", then so can anybody who can read his app's classes and resources. It's turtles all the way down, as they say.


I am not storing a password. It's just a String which I am using to generate a message digest, which is sent to another server for user authentication, and I want to store that String in some way that should not be accessible.
Jesper de Jong
Java Cowboy
Saloon Keeper

Joined: Aug 16, 2005
Posts: 14348

vishwamitra hegde wrote:I am not storing a password. It's just a String which I am using to generate a message digest, which is sent to another server for user authentication, and I want to store that String in some way that should not be accessible.

What Jeff explained is this: if your program can get the string out of the secure storage, then so can (in principle) the user, bypassing your program. There is no way that you can securely store something in such a way that only your program can read it and nobody else ever can. A hacker can disassemble your program and find out how it works, and discover how it gets the string out of the secure storage.

In other words, if you rely only on a keystore file on a local computer, it is impossible to make this 100% safe.

What you could do is encrypt the string with a secret key, which is protected by a password. However, you can't store that password anywhere (not even hard-coded in your program) because somebody might find it. The only thing you could do is what Jeff says:
Jeff Verdegan wrote:And when it's time to read that file, a human user who knows the decryption key for the file has to enter it.


Java Beginners FAQ - JavaRanch SCJP FAQ - The Java Tutorial - Java SE 8 API documentation
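
Added example (not part of any post in this thread, and not code from any poster): the approach the replies describe, where the string is encrypted in the file under a key derived from a password that a human types at startup. The choice of PBKDF2 with AES-GCM, the iteration count, the file layout, the file name `digest-key.bin` and the sample secret are all assumptions of this example.

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.*;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.SecureRandom;
import java.util.Arrays;

public class SealedSecretFile {
    private static final int SALT_LEN = 16, IV_LEN = 12, ITERATIONS = 600_000; // assumed parameters

    // Derive an AES-256 key from the operator's password; the password itself is never stored.
    private static SecretKeySpec deriveKey(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
        byte[] k = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new SecretKeySpec(k, "AES");
    }

    // File layout (this example's own): salt || iv || AES-GCM ciphertext and tag.
    static void seal(Path file, String secret, char[] password) throws Exception {
        byte[] salt = new byte[SALT_LEN], iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(salt);
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(password, salt), new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(secret.getBytes(StandardCharsets.UTF_8));
        Files.write(file, ByteBuffer.allocate(salt.length + iv.length + ct.length).put(salt).put(iv).put(ct).array());
    }

    // Throws AEADBadTagException if the password is wrong or the file was modified.
    static String open(Path file, char[] password) throws Exception {
        byte[] blob = Files.readAllBytes(file);
        if (blob.length < SALT_LEN + IV_LEN + 16) throw new IllegalArgumentException("file too short");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(password, Arrays.copyOfRange(blob, 0, SALT_LEN)),
               new GCMParameterSpec(128, blob, SALT_LEN, IV_LEN));
        return new String(c.doFinal(blob, SALT_LEN + IV_LEN, blob.length - SALT_LEN - IV_LEN), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        if (System.console() == null) throw new IllegalStateException("run from a terminal");
        char[] pw = System.console().readPassword("Password for key file: ");
        Path file = Paths.get("digest-key.bin"); // hypothetical file name
        if (!Files.exists(file)) seal(file, "constructed-sample-secret", pw); // placeholder secret
        System.out.println("secret length: " + open(file, pw).length());
        Arrays.fill(pw, '\0'); // do not leave the password in memory longer than needed
    }
}
```

Because the password is typed at startup and never written to disk, this fits only the attended case the replies describe; an app that must start unattended would have to keep the password somewhere readable, which is the recursion the thread points out.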
 