Return-Path:
Mailing-List: contact ant-dev-help@jakarta.apache.org; run by ezmlm
Delivered-To: mailing list ant-dev@jakarta.apache.org
Received: (qmail 171 invoked from network); 2 Aug 2000 00:43:41 -0000
Received: from me-sv-02.free.net.au (202.147.17.2) by locus.apache.org with SMTP; 2 Aug 2000 00:43:41 -0000
Received: (qmail 29583 invoked from network); 2 Aug 2000 00:42:51 -0000
Received: from me-as-02-087.free.net.au (HELO donalgar) (202.147.19.87) by me-sv-02.free.net.au with SMTP; 2 Aug 2000 00:42:51 -0000
Message-Id: <3.0.5.32.20000802104148.008c9360@latcs2.cs.latrobe.edu.au>
X-Sender: pjdonald@latcs2.cs.latrobe.edu.au
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32)
Date: Wed, 02 Aug 2000 10:41:48 +1000
To: ant-dev@jakarta.apache.org
From: Peter Donald
Subject: Re: Password storage (was Re: FTP & JSPC)
In-Reply-To: <01a601bffbf2$431525a0$d0d6000f@cvwls095>
References: <2561BD1655ADD2119E230008C75D96A904527703@emily.barclaycard.co.uk> <3.0.5.32.20000801235935.008ff1f0@latcs2.cs.latrobe.edu.au> <3986DDDD.B41B2278@seaconinc.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Spam-Rating: locus.apache.org 1.6.2 0/1000/N

At 12:54 1/8/00 -0700, you wrote:
>But if you are paranoid then the java.security.Keystore class is the place
>to start - except it is a Java1.2 feature (and security changed again in
>java1.3). So doing sophisticated password protection is going to be tricky
>across all ant supported platforms. Also I don't know how well the keystore
>really encrypts stuff, especially in exported JVMs.

It doesn't really encrypt anything. Most of it can be read via a hex editor
and the other bit (private keys) are likely protected by the same passwd as
the general keystore, which can be easily found, or alternatively you just do
a brute force search and break it.
Should take all of 40 mins in JKS .keystore files :/

Cheers,

Pete

*------------------------------------------------------*
| "Nearly all men can stand adversity, but if you want |
| to test a man's character, give him power."          |
|       -Abraham Lincoln                               |
*------------------------------------------------------*
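
Added example, not part of the original message or of Ant: a Python inventory check that reads the entry table of a JKS file without any password, so legacy `.keystore` files and the aliases and certificates they expose can be listed ahead of a migration. The function name, the aliases and the sample bytes are constructed for illustration, and aliases are assumed to be plain ASCII.

```python
import struct

JKS_MAGIC = 0xFEEDFEED  # JCEKS uses 0xCECECECE; PKCS#12 is ASN.1 and starts with 0x30

def list_jks_entries(data: bytes):
    """Return (version, [(kind, alias, n_certs)]) read without any password."""
    pos = 0
    def take(n):
        nonlocal pos
        if pos + n > len(data):
            raise ValueError("truncated keystore")
        pos += n
        return data[pos - n:pos]
    def u32():
        return struct.unpack(">I", take(4))[0]
    def utf():  # Java writeUTF: 2-byte length, then the bytes
        return take(struct.unpack(">H", take(2))[0]).decode("utf-8", "replace")
    def cert():
        if version == 2:
            utf()                        # certificate type, e.g. "X.509"
        take(u32())                      # encoded certificate, stored unencrypted
    if u32() != JKS_MAGIC:
        raise ValueError("not a JKS keystore")
    version = u32()
    if version not in (1, 2):
        raise ValueError("unknown JKS version")
    entries = []
    for _ in range(u32()):
        tag, alias = u32(), utf()
        take(8)                          # creation time, ms since epoch
        if tag == 1:                     # private key entry
            take(u32())                  # password-protected key blob
            chain = u32()
            for _ in range(chain):
                cert()
            entries.append(("private-key", alias, chain))
        elif tag == 2:                   # trusted certificate entry
            cert()
            entries.append(("trusted-cert", alias, 1))
        else:
            raise ValueError("unknown entry tag")
    if len(data) - pos != 20:            # trailer: password-keyed SHA-1 digest
        raise ValueError("unexpected trailer length")
    return version, entries

# Constructed sample: dummy bytes stand in for the key, certificates and digest.
def lp16(s): return struct.pack(">H", len(s)) + s.encode()
def lp32(b): return struct.pack(">I", len(b)) + b
SAMPLE = (struct.pack(">IIII", JKS_MAGIC, 2, 2, 1) + lp16("ftp-deploy") + bytes(8)
          + lp32(b"dummy-key") + struct.pack(">I", 1) + lp16("X.509") + lp32(b"dummy-cert")
          + struct.pack(">I", 2) + lp16("ca-root") + bytes(8) + lp16("X.509")
          + lp32(b"dummy-ca") + bytes(20))
```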