What are the security implications of storing the keystore in a public repo, along with the source code?

The reason for storing it in the repo is convenience. There are no dependencies when you do a 'git pull or clone' and build on your local machine (e.g. with sbt sign-release): you just provide the password when prompted and a signed application gets created.

Say I protect it with a 20 character password (letters, numbers, special chars etc.) obtained from a password-generating program. I think that it would be computationally infeasible for an attacker to mount an attack and get access to the private key in the keystore. I would like security/cryptography experts' opinion on whether it is safe to store the keystore in a public repo.

Thanks

A: 

Hiding the keyring and the code belongs to the "Security through Obscurity" principles. In theory security should be far from this concept, but in that kind of scenario the answer could be that exposing sensitive data in a public repository could expose you to attacks that work on a specific vulnerability of the keyrings or of the implementation of the secure algorithm and so on.

I mean that all the algorithms you use are surely 100% secure, and keyrings too, but the version of the keyrings could contain a specific vulnerability or bug or a bad implementation of the secure algorithm.

So exposing that data in a public repository could expose you to hackers who only want to prove their skill.

robob
robob, security through obscurity doesn't apply here. It applies where you depend on the attacker not knowing what the crypto algorithm is. That is not the case here: the algorithm is well known.
Babu Srinivasan
I do not agree with you or with this restricted concept of "Sec through Obsc". If I do not show you the plan for a military attack, or I do not tell you where the key is, for me that is "Sec Through Obsc" :-)
robob
Anyway the problem is another one: the problem is that moving these keyrings to a public place could expose this data to a lot of attacks.
robob
robob, I understand that by allowing the public to access the keystore, I am exposing the private key to offline attacks. My question was whether it was computationally feasible for the attacker to succeed.
Babu Srinivasan
No, it's not feasible for the attacker if you choose what you said before. But a brute force attack is very rare! Good Luck :-)
robob
A: 

I did some research. I found info on the JKS algorithm in http://stackoverflow.com/questions/1955612/how-does-keytool-protect-keys and http://stackoverflow.com/questions/174131/jks-protection (http://metastatic.org/source/JKS.html).

Based on this I am answering my own question. I have come to the conclusion that with my 20 character randomly generated password, the use of a random salt of length 20 bytes, and chained SHA1(password, salt) to get a random stream of length equal to the key length of 2048, which is XORed with the private key, it is computationally infeasible for the foreseeable future to extract the private key.

Babu Srinivasan
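The protection scheme the answer above describes, written out as an added Python illustration (not code from the question, the answers, or the linked pages; the sample key and password are constructed). It shows the chained SHA-1 keystream, the XOR, and the trailing integrity digest, and makes visible the point a defender should note: each 20-byte block costs exactly one SHA-1 call with no iteration count, so the entry's strength rests entirely on the entropy of the password.

```python
# Added illustration of the JKS private-key protection construction:
# salt || (key XOR chained-SHA1 keystream) || SHA1(password || key).
import hashlib
import os

SALT_LEN = 20    # bytes of random salt stored in front of the entry
DIGEST_LEN = 20  # SHA-1 output length, used for the trailing check digest


def _password_bytes(password: str) -> bytes:
    # The password characters are hashed as two bytes each (UTF-16BE).
    return password.encode("utf-16-be")


def _keystream(pw: bytes, salt: bytes, length: int) -> bytes:
    # First block: SHA1(password || salt); every later block:
    # SHA1(password || previous block). One hash per 20 bytes, no stretching.
    out = b""
    prev = salt
    while len(out) < length:
        prev = hashlib.sha1(pw + prev).digest()
        out += prev
    return out[:length]


def jks_protect(password: str, plain_key: bytes, salt: bytes = None) -> bytes:
    """Return salt || (plain_key XOR keystream) || SHA1(password || plain_key)."""
    pw = _password_bytes(password)
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    ks = _keystream(pw, salt, len(plain_key))
    encrypted = bytes(a ^ b for a, b in zip(plain_key, ks))
    check = hashlib.sha1(pw + plain_key).digest()
    return salt + encrypted + check


def jks_unprotect(password: str, blob: bytes) -> bytes:
    """Reverse jks_protect; raise ValueError when the check digest does not match."""
    pw = _password_bytes(password)
    salt, encrypted, check = blob[:SALT_LEN], blob[SALT_LEN:-DIGEST_LEN], blob[-DIGEST_LEN:]
    ks = _keystream(pw, salt, len(encrypted))
    plain = bytes(a ^ b for a, b in zip(encrypted, ks))
    if hashlib.sha1(pw + plain).digest() != check:
        raise ValueError("wrong password or corrupted entry")
    return plain


if __name__ == "__main__":
    # Constructed stand-in for a PKCS#8-encoded 2048-bit private key.
    key = os.urandom(256)
    blob = jks_protect("correct horse battery staple", key)
    assert jks_unprotect("correct horse battery staple", blob) == key
```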