Alternatives to hardcoding a password into the source code

Gyruss

Dear all,

I've written an application that connects to a unix box from windows via
ssh. I use public/private key authentication to do so.

The private key is embedded in the application jar file. The private key is
password protected. The password for the private key is hard coded into the
source code.

Is there any sensible alternative to hard-coding the password into the
source code in this situation?

Cheers!

Sebastian Scheid

Gyruss said:
Dear all,

I've written an application that connects to a unix box from windows via
ssh. I use public/private key authentication to do so.

The private key is embedded in the application jar file. The private key is
password protected. The password for the private key is hard coded into the
source code.

Is there any sensible alternative to hard-coding the password into the
source code in this situation?

The only secure way I know is not to hardcode sensitive data. The user of
your app has to enter the password. You cannot prevent anybody from
decompiling your code. Even an obfuscator does not protect you but only
makes it a little harder for the bad guy.

Perhaps a native compiler could help to make it more difficult (but not
impossible) to decompile your app. But that surely depends on the attacker's
skills.

Regards
Sebastian

Chris Uppal

Gyruss said:
I've written an application that connects to a unix box from windows via
ssh. I use public/private key authentication to do so.

The private key is embedded in the application jar file. The private key
is password protected. The password for the private key is hard coded
into the source code.

What exactly are you trying to protect?

Your description is incomplete, but it sounds odd to me that you should be
using private/public key encryption for anything and distributing the /private/
key -- that's exactly what private/public key encryption is designed to avoid.

-- chris

Lucy

Gyruss said:
Dear all,

I've written an application that connects to a unix box from windows via
ssh. I use public/private key authentication to do so.

The private key is embedded in the application jar file. The private key is
password protected. The password for the private key is hard coded into the
source code.

Is there any sensible alternative to hard-coding the password into the
source code in this situation?

Cheers!

md5

Wibble

Gyruss said:
Dear all,

I've written an application that connects to a unix box from windows via
ssh. I use public/private key authentication to do so.

The private key is embedded in the application jar file. The private key is
password protected. The password for the private key is hard coded into the
source code.

Is there any sensible alternative to hard-coding the password into the
source code in this situation?

Cheers!

The usual pattern is to encode the password and store the encoded
password. Then check that the supplied plaintext password encodes to
the same string. You can put the encoded passwords into a file instead
of hardcoding into your program. The file needs to be read only.

Kenneth P. Turvey

Wibble said:
The usual pattern is to encode the password and store the encoded
password. Then check that the supplied plaintext password encodes to
the same string. You can put the encoded passwords into a file instead
of hardcoding into your program. The file needs to be read only.

I think you are misinterpreting what the OP said. He needs a way to unlock
(decrypt) the private key while the program is running. It sounds like he
needs to be able to do this without user intervention. Any method of doing
so is going to have security implications that aren't good.

The best way to handle this is probably to have someone enter the passphrase
when the program is started and have the program simply wait until it is
time to do something. It can run in the background as a daemon.
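The approach Kenneth describes (ask for the passphrase once at start-up, keep only the unlocked key in memory, and let the process stay resident), as an added Java example that is not code from this thread. It assumes the private key has been packaged into a PKCS#12 keystore file stored outside the jar (for example with `openssl pkcs12 -export -nocerts`), and the hand-off to an SSH client library is left as a comment.

```java
import java.io.Console;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.Key;
import java.security.KeyStore;
import java.util.Arrays;

/** Unlocks the SSH private key at start-up instead of shipping its passphrase in the jar. */
public final class KeyUnlocker {

    // BEFORE (the pattern asked about): anyone who decompiles the jar has the passphrase,
    // so the password protection on the key buys nothing.
    // private static final String KEY_PASSPHRASE = "example-only";   // do not do this

    /**
     * AFTER: the key lives in a PKCS#12 keystore outside the jar (assumed layout), and the
     * passphrase is typed once by the operator. Only the unlocked Key object stays in memory.
     */
    static Key unlock(String keystorePath, String alias, char[] passphrase) throws Exception {
        try (InputStream in = Files.newInputStream(Paths.get(keystorePath))) {
            KeyStore ks = KeyStore.getInstance("PKCS12");
            ks.load(in, passphrase);                 // verifies integrity and decrypts
            Key key = ks.getKey(alias, passphrase);
            if (key == null) {
                throw new IllegalArgumentException("no key stored under alias " + alias);
            }
            return key;
        } finally {
            Arrays.fill(passphrase, '\0');           // passphrase is not needed any more
        }
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (console == null) {
            throw new IllegalStateException("no interactive console; start from a terminal");
        }
        // Read the passphrase without echo; it never appears in source, config or logs.
        char[] pass = console.readPassword("Passphrase for %s: ", args[0]);
        Key sshKey = unlock(args[0], args[1], pass);
        System.out.println("Unlocked " + sshKey.getAlgorithm() + " key; staying resident");
        // Hand sshKey to the SSH client library here (hypothetical call) and keep the
        // process alive as a daemon, so the passphrase is only entered at (re)start.
    }
}
```

Run it as `java KeyUnlocker /path/outside/jar/ssh-key.p12 ssh-key`; the keystore file should be readable only by the account that runs the daemon.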