Alternatives to hardcoding a password into the source code

Discussion in 'Java' started by Gyruss, Jun 19, 2005.

  1. Gyruss

    Gyruss Guest

    Dear all,

    I've written an application that connects to a unix box from windows via
    ssh. I use public/private key authentication to do so.

    The private key is embedded in the application jar file. The private key is
    password protected. The password for the private key is hard coded into the
    source code.

    Is there any sensible alternative to hard-coding the password into the
    source code in this situation?

    Cheers!
     
    Gyruss, Jun 19, 2005
    #1

  2. The only secure way I know is not to hardcode sensitive data. The user of
    your app has to enter the password. You cannot prevent anybody from
    decompiling your code. Even an obfuscator does not protect you but only
    makes it a little harder for the bad guy.

    Perhaps a native compiler could help to make it more difficult (but not
    impossible) to decompile your app. But that surely depends on the attacker's
    skills.

    Regards
    Sebastian
     
    Sebastian Scheid, Jun 19, 2005
    #2

  3. Chris Uppal

    Chris Uppal Guest

    What exactly are you trying to protect?

    Your description is incomplete, but it sounds odd to me that you should be
    using private/public key encryption for anything and distributing the /private/
    key -- that's exactly what private/public key encryption is designed to avoid.

    -- chris
     
    Chris Uppal, Jun 19, 2005
    #3
  4. Lucy

    Lucy Guest

    md5
     
    Lucy, Jun 19, 2005
    #4
  5. Alex Buell

    Alex Buell Guest

    SHA's vastly preferable.
     
    Alex Buell, Jun 19, 2005
    #5
  6. Wibble

    Wibble Guest

    The usual pattern is to encode the password and store the encoded
    password. Then check that the supplied plaintext password encodes to
    the same string. You can put the encoded passwords into a file instead
    of hardcoding into your program. The file needs to be read only.
     
    Wibble, Jun 20, 2005
    #6
  7. I think you are misinterpreting what the OP said. He needs a way to unlock
    (decrypt) the private key while the program is running. It sounds like he
    needs to be able to do this without user intervention. Any method of doing
    so is going to have security implications that aren't good.

    The best way to handle this is probably to have someone enter the passphrase
    when the program is started and have the program simply wait until it is
    time to do something. It can run in the background as a daemon.
     
    Kenneth P. Turvey, Jun 20, 2005
    #7
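    The approach Kenneth describes above (prompt for the passphrase once at start-up, unlock the key in memory, then keep running) as an added example that is not from the thread. It assumes the key is bundled in the jar as an encrypted PKCS#8 DER file at the resource name `/id_rsa.p8`, that it is an RSA key, and that the PBE scheme used to encrypt it is one the JDK's own providers support; everything else is standard JDK API.

```java
import java.io.Console;
import java.io.InputStream;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.EncryptedPrivateKeyInfo;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public final class KeyUnlocker {
    // Assumption: the key ships in the jar as encrypted PKCS#8 DER under this resource name.
    private static final String KEY_RESOURCE = "/id_rsa.p8";
    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (console == null) {
            // No interactive terminal: refuse rather than fall back to an embedded secret.
            throw new IllegalStateException("no console available to read the passphrase");
        }
        byte[] encrypted;
        try (InputStream in = KeyUnlocker.class.getResourceAsStream(KEY_RESOURCE)) {
            if (in == null) throw new IllegalStateException("missing key resource " + KEY_RESOURCE);
            encrypted = in.readAllBytes();
        }
        char[] passphrase = console.readPassword("Passphrase for private key: ");
        try {
            PrivateKey key = unlock(encrypted, passphrase);
            System.out.println("Unlocked " + key.getAlgorithm() + " key"); // hand 'key' to the SSH client next
        } finally {
            Arrays.fill(passphrase, '\0'); // scrub the passphrase as soon as it has been used
        }
    }

    // Decrypts an encrypted PKCS#8 blob with the supplied passphrase using only JDK classes.
    static PrivateKey unlock(byte[] encryptedPkcs8, char[] passphrase) throws Exception {
        EncryptedPrivateKeyInfo epki = new EncryptedPrivateKeyInfo(encryptedPkcs8);
        PBEKeySpec pbeSpec = new PBEKeySpec(passphrase);
        try {
            SecretKey pbeKey = SecretKeyFactory.getInstance(epki.getAlgName()).generateSecret(pbeSpec);
            Cipher cipher = Cipher.getInstance(epki.getAlgName());
            cipher.init(Cipher.DECRYPT_MODE, pbeKey, epki.getAlgParameters());
            PKCS8EncodedKeySpec keySpec = epki.getKeySpec(cipher);
            return KeyFactory.getInstance("RSA").generatePrivate(keySpec); // assumes an RSA key
        } finally {
            pbeSpec.clearPassword();
        }
    }
}
```

    The passphrase never appears in the source or the jar; an attacker who decompiles the application still only has the encrypted key, and the process must be started by someone who knows the passphrase.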
