Hello. I am developing an application with Java. I need to store some initial configuration data in some kind of file.

I want my app to be able to read this data, but I don't want the user to do so.

Example: the application loads an IP from an encrypted file. The user sees something like "dsda@#21da@", so he won't bother doing anything :)

How should I do such a thing? Thanks!

+1  A: 

Are we talking about standard users or IT-savvy users?

For standard users I'd recommend storing the string base64 encoded, or just in an undefined binary format.

Otherwise... encryption with a hardcoded key?

lajuette
Well, the password for the database user will be there - so "quite" hot data. What do you think?
Mike
I can't think of a way to store such information in a really secure manner. What about wrapping all required services/databases with another layer of services that controls access to the underlying layer? I wouldn't deploy an application that contains sensitive information like passwords or direct access to sensitive systems.
lajuette
I am afraid it is too small for such a thing, but thanks
Mike
A: 

If (as you say) you manage user passwords, you should not store them at all. Clear text, static keys, custom keys, it doesn't matter - someone with access to the data store and your program will always be able to retrieve them. What you do instead is use salt and a good hash function and store/compare only the hash values.

Kilian Foth
Well, the thing is: 1. You connect to the application as an application user - entering username and password (there are a lot of application users). 2. The application user automatically connects to the database as a database user - and this password needs to be stored.
Mike
A: 

Possibly OT, but since you mentioned it is configuration data; I know I'd be a little peeved to have gibberish shown to me by an application. Either allow the users to see the data, and modify it at their risk ... or do not allow the configuration to be visible at all.

As a rule of thumb, if it is sensitive data ... don't store it in your application.

Everyone