 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
Java Forum / General / June 2005Alternatives to hardcoding a password into the source code
Dear all, I've written an application that connects to a unix box from windows via ssh. I use public/private key authentication to do so. The private key is embedded in the application jar file. The private key is password protected. The password for the private key is hard coded into the source code. Is there any sensible alternative to hard-coding the password into the source code in this situation? Cheers! > Dear all, > [quoted text clipped - 9 lines] > Is there any sensible alternative to hard-coding the password into the > source code in this situation? The only secure way I know is not to hardcode sensible data. The user of your app has to enter the password. You cannot prevent anybody from decompiling your code. Even an obfuscator does not protect you but only makes it a little harder for the bad guy. Perhaps a native compiler could help to make it more difficult (but not impossible) to decompile your app. But that surely depends on the attacker's skills. Regards Sebastian > I've written an application that connects to a unix box from windows via > ssh. I use public/private key authentication to do so. > > The private key is embedded in the application jar file. The private key > is password protected. The password for the private key is hard coded > into the source code. What exactly are you trying to protect ? Your description is incomplete, but it sounds odd to me that you should be using private/public key encryption for anything and distributing the /private/ key -- that's exactly what private/public key encryption is designed to avoid. -- chris > Dear all, > [quoted text clipped - 9 lines] > > Cheers! md5 > md5 SHA's vastly preferable.  Signaturehttp://www.munted.org.uk "Bother!", said Pooh, when his laptop ate his hard disk. > Dear all, > [quoted text clipped - 9 lines] > > Cheers! The usual pattern is to encode the password and store the encoded password. Then check that the supplied plaintext password encodes to the same string. You can put the encoded passwords into a file instead of hardcoding into your program. The file needs to be read only. > The usual pattern is to encode the password and store the encoded > password. Then check that the supplied plaintext password encodes to > the same string. You can put the encoded passwords into a file instead > of hardcoding into your program. The file needs to be read only. I think you are misinterpreting what the OP said. He needs a way to unlock (decrypt) the private key while the program is running. It sounds like he needs to be able to do this without user intervention. Any method of doing so is going to have security implications that aren't good. The best way to handle this is probably to have someone enter the passphrase when the program is started and have the program simply wait until it is time to do something. It can run in the background as a daemon. SignatureKenneth P. Turvey <kt@squeakydolphin.com> Free MagazinesGet these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...
|
Reply to this Message
|
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2008 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.