WebApp Sec: Re: secure storage of sensitive data in J2EE

[Alexander Klimov <alserkli () inbox ru>]

On Tue, 25 Jan 2005, chaim moshe wrote:
> where can I store sensitive data like encryption keys, passwords,
> etc. in J2EE? surely, you can save it in the keystore, but the catch
> is where do you store the keystore password to protect it from
> external access? storing the keystore password in code or in config
> files is not secured enough.
Well, there is no way to make the following things simultaneously
without additional input for legitimate user:
-- a legitimate user is able to recover information
-- an attacker is unable to recover information

> In the .NET environment you have DPAPI that was designed exactly for this
> kind of problem, the sensitive data is encrypted at the OS level with the
> user/machine password and is decrypted at runtime.
This is a solution: the legitimate user needs to enter password which
is cached by the system. I really doubt that J2EE can have similiar
things since many OSes do not cache user passwords.

> What is the solution in the J2EE environment ?
You can ask the user to enter the password. An alternative solution is
to use non-owner-read-protected files.

-- 
Regards,
ASK