ant-dev mailing list archives

From Roger Vaughn <rvau...@seaconinc.com>
Subject Re: Password storage (was Re: FTP & JSPC)
Date Wed, 02 Aug 2000 03:09:34 GMT

Peter Donald wrote:

> At 12:54  1/8/00 -0700, you wrote:
> >But if you are paranoid then the java.security.Keystore class is the place
> >to start - except it is a Java1.2 feature (and security changed again in
> >java1.3). So doing sophisticated password protection is going to be tricky
> >across all ant supported platforms. Also I don't know how well the keystore
> >really encrypts stuff, especially in exported JVMs.
>
> It doesn't really encrypt anything. Most of it can be read via a hex editor
> and the other bit (private keys) are likely protected by same passwd as
> general keystore which can be easily found or alternatively you just do a
> brute force search and break it. Should take all of 40 mins in JKS
> .keystore files :/

Well, I also found that KeyStore requests (at least in 1.3) a password parameter
in order to retrieve a key.  And as I said a few posts back, supplying a
password to retrieve a password seems kinda silly....

I'm going ahead with the trivial base64 encoding, and it seems to be working out
well so far.  If you can trust your browser to send your passwords over the net
in this encoding (and it does), it should be fine for local storage.

roger


