[Esapi-user] store encryptor.masterkey encrypted

Chris Schmidt chrisisbeef at gmail.com
Sat Jan 30 21:32:49 EST 2010

If the security of your filesystem is questionable, or you want a secure
means of retrieving the configuration, the best thing I can come up with is
to create a keypair, and install it to the Java keymanager, then store
your master private key in a keylocker somewhere. You could then create your
own implementation of the SecurityConfiguration Interface that stores an
encrypted properties file on disk, then use the key loaded into your JVM's
keymanager to decrypt the properties file and load it into memory.

Kevin might have some better ideas, but this is the first thing that comes
to mind.

On Sat, Jan 30, 2010 at 6:57 PM, Yi Li <yi.li26 at gmail.com> wrote:

> Kevin, Chris:
>   Thanks for the great reply. I am using ESAPI 2.0.
>   If I fetch the master key from a database, then the application would
> need to be able to connect to a database, which would require a login
> password.
>   It seems that I have to store the username/password to the database in a
> clear text conf file so that the application could load and connect to
> database?
>   It seems to introduce another weakness.
>   This is a question on how we could use ESAPI and in the meantime have a
> secure key management.
>   It would be great if you could share your insight.
>   Thanks.
> On Fri, Jan 29, 2010 at 4:56 PM, Kevin W. Wall <kevin.w.wall at gmail.com> wrote:
>> Yi Li wrote:
>> > Greetings, all:
>> >     Will appreciate if anyone could provide insight here.
>> >     I would like to store the master encryption key
>> > (encryptor.masterkey) with some sort of protection, instead of keeping
>> > it clear text in the properties file even though I can place access
>> > control via the file system.
>> >    I am thinking to store the encryption key either in a database
>> > or in a flat file but encrypted (where to store the master's master key
>> > becomes another problem to solve).
>> >    Will appreciate if anyone could point me to an implementation that
>> > will support this or point me the way to write my own implementation to
>> > implement this.
>> Yi,
>> How you do this depends greatly on whether you are using ESAPI 1.4 or
>> 2.0.
>> If you are using 2.0 and concerned about it, your best course of action
>> would be to retrieve it from wherever you wish to store it (e.g., TPM,
>> HSM, database, etc.) and then use the encrypt / decrypt methods that
>> take a secret key, i.e.,
>>        public interface Encryptor {
>>                ...
>>                CipherText encrypt(SecretKey key, PlainText plaintext)
>>                        throws EncryptionException;
>>                PlainText decrypt(SecretKey key, CipherText ciphertext)
>>                        throws EncryptionException;
>>                ...
>>        }
>> The way you calculate this SecretKey value, given the Encryptor.MasterKey
>> value, is quite simple:
>>    String masterKey = ... retrieve from some secure storage ...;
>>    byte[] skey = ESAPI.encoder().decodeFromBase64( masterKey );
>>    String encryptAlgorithm =
>>        ESAPI.securityConfiguration().getEncryptionAlgorithm();
>>    SecretKeySpec secretKeySpec = new SecretKeySpec(skey, encryptAlgorithm);
>> and then use secretKeySpec for the SecretKey parameter on the above
>> encrypt / decrypt methods.
>> OTOH, if you are using ESAPI 1.4.x, then I'm afraid that this is going
>> to be much harder. It does not have such encrypt / decrypt methods so it
>> can only use the single key. The value of this property is retrieved and
>> base64-decoded by the reference encrypt/decrypt Encryptor implementation
>> using ESAPI.securityConfiguration().getMasterKey(), so you would need
>> to write your SecurityConfiguration implementation and change
>> getMasterKey() to retrieve the master key from whatever secure data store
>> you wish
>> to keep it in. You would then have to call
>> ESAPI.setSecurityConfiguration(new MySecurityConfigurationImpl())
>> before you encrypt/decrypt with this. You could write your own
>> SecurityConfiguration implementation by either wrapping (delegation)
>> or extending DefaultSecurityConfiguration and then change getMasterKey()
>> to act differently.
>> I might be missing some of the details, which I'm sure others will
>> correct, but I think this is the guts of it.
>> HTH,
>> -kevin
>> --
>> Kevin W. Wall
>> "The most likely way for the world to be destroyed, most experts agree,
>> is by accident. That's where we come in; we're computer professionals.
>> We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME

Chris Schmidt
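
The approach discussed in this thread (keep only an encrypted copy of the master key on disk, recover it at startup with a private key, then hand the result to the `SecretKey`-taking encrypt / decrypt methods) can be sketched with JDK classes alone. This is an added example, not code from the thread or from ESAPI; the class and method names are hypothetical, and an in-memory RSA keypair stands in for the keypair that would live in a keystore.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;
import java.security.*;
import java.security.spec.MGF1ParameterSpec;
import java.util.Base64;

public class WrappedMasterKeyDemo {
    private static final String RSA_OAEP = "RSA/ECB/OAEPPadding";
    // Pin digest and MGF1 to SHA-256 explicitly so provider defaults cannot differ.
    private static final OAEPParameterSpec OAEP = new OAEPParameterSpec(
            "SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT);

    /** Provisioning: wrap the master key under the public key; the Base64 result
     *  is the only form of the key that is written to the properties file. */
    static String wrap(PublicKey pub, SecretKey master) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(RSA_OAEP);
        c.init(Cipher.WRAP_MODE, pub, OAEP);
        return Base64.getEncoder().encodeToString(c.wrap(master));
    }

    /** Startup: unwrap with the private key. OAEP rejects a tampered or
     *  mismatched blob with an exception instead of returning a wrong key. */
    static SecretKey unwrap(PrivateKey priv, String wrappedB64, String alg)
            throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(RSA_OAEP);
        c.init(Cipher.UNWRAP_MODE, priv, OAEP);
        byte[] blob = Base64.getDecoder().decode(wrappedB64);
        return (SecretKey) c.unwrap(blob, alg, Cipher.SECRET_KEY);
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-ins. In a deployment the private key would come from
        // KeyStore.getKey(alias, password) or an HSM-backed provider.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey master = kg.generateKey();

        String stored = wrap(kp.getPublic(), master);            // goes on disk
        SecretKey recovered = unwrap(kp.getPrivate(), stored, "AES");
        // 'recovered' is what would be passed as the SecretKey argument.
        if (!MessageDigest.isEqual(master.getEncoded(), recovered.getEncoded()))
            throw new IllegalStateException("unwrapped key does not match");
        System.out.println("wrapped blob: " + stored.length() + " Base64 chars");
    }
}
```

The protection this gives is only as strong as the control over the private key: the wrapped blob can sit in a readable file, but the keystore password or HSM credential still has to reach the JVM by some other channel.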