











 

Secure & Open Encrypted String Storage
joe.krisch@gmail.com

2006-05-25, 7:06 pm

Sorry if I missed a solution already posted but I went through about
200-300 topics and none met my needs.

I am developing an app that accesses an online data source. I need to
store a password in a configuration file. Since the authentication
will be remote I can't get by with just storing hashes. The software
is going to be under the GNU license so assume access to the source.

I have done a similar thing before but that only worked because the
binary was obfuscated and the source code was unavailable to the
public.

Perhaps someone here knows how the passwords are stored in Mozilla
Thunderbird. I think a similar technique would work for me. And
perhaps Thunderbird and all the rest just rely on security through
obscurity.

Thanks,
Joe Krisch

Oliver Wong

2006-05-26, 7:07 pm


<joe.krisch@gmail.com> wrote in message
news:1148592602.074717.91710@y43g2000cwc.googlegroups.com...
> Sorry if I missed a solution already posted but I went through about
> 200-300 topics and none met my needs.
>
> I am developing an app that accesses an online data source. I need to
> store a password in a configuration file. Since the authentication
> will be remote I can't get by with just storing hashes. The software
> is going to be under the GNU license so assume access to the source.
>
> I have done a similar thing before but that only worked because the
> binary was obfuscated and the source code was unavailable to the
> public.
>
> Perhaps someone here knows how the passwords are stored in Mozilla
> Thunderbird. I think a similar technique would work for me. And
> perhaps Thunderbird and all the rest just rely on security through
> obscurity.


You want to hardcode a password into an open source application which
you will distribute to the public. This password is used to access one
specific private server. Is this correct?

If you're distributing the application openly, why are you bothering to
put a password on the server, since you're giving everybody access to the
data there via your app anyway?

- Oliver

joe.krisch@gmail.com

2006-05-26, 7:07 pm

I guess I wasn't clear but I don't control the server. I am writing
the client side portion so I must, at some point in execution, have an
unencrypted user password in memory to access the server. In addition
each user's password is unique (for all I know).

Basically, I have the same needs as an email client that stores a
user's password to a pop server. Is this even possible? I can't seem
to come up with a strategy whereby I don't either hard code a key
which I use to encrypt/decrypt the user's password or store that key in
plain text somewhere. I was actually hoping Java provided some
mechanism for secure key storage.

Oliver Wong

2006-05-26, 7:07 pm


<joe.krisch@gmail.com> wrote in message
news:1148674742.377370.83940@i39g2000cwa.googlegroups.com...
> I guess I wasn't clear but I don't control the server. I am writing
> the client side portion so I must, at some point in execution, have an
> unencrypted user password in memory to access the server. In addition
> each user's password is unique (for all I know).
>
> Basically, I have the same needs as an email client that stores a
> user's password to a pop server. Is this even possible? I can't seem
> to come up with a strategy whereby I don't either hard code a key
> which I use to encrypt/decrypt the user's password or store that key in
> plain text somewhere. I was actually hoping Java provided some
> mechanism for secure key storage.


I don't think there's anything you can do except obfuscation here.

- Oliver

joe.krisch@gmail.com

2006-05-26, 7:07 pm

That's what I thought. Unfortunately obfuscation + open source aren't
very compatible.

Thanks for your help.


Copyright 2008 codecomments.com