19

What exactly is the sense behind a Keystore password, eg on JKS/BKS keystores?

It is obviously NOT for security, because I can open the file with an editor and copy all entries into new files without a password check. Data inside a password-protected keystore is not encrypted!

What does this password protect? It seems to be just for annoying developers oO...

billdoor
  • There's no real way to securely store passwords locally and have access to them, unless you rely on security-by-obscurity, or request a passphrase from the user to unlock the password store. – WhyNotHugo Aug 22 '12 at 13:43
  • Yeah, but what do you want to say? My private key is safe, because it is encrypted and protected by the KEYPAIR password. All other contents can be read in clear text, no matter if there is a keystore password or not. – billdoor Aug 22 '12 at 13:47
  • 1
    Indeed, but you need to provide a password in order to access it; that's my point. The same applies to password stores; you still need a master passphrase. – WhyNotHugo Aug 22 '12 at 15:49

3 Answers

9

Let's say you saved a string called "this is my sentence" in the keystore, and when you open it in Notepad you see the cipher-text "blabla". If you copied "blabla" to another file and claimed you had found the plain-text and it is "blabla", that is obviously incorrect; you still don't know the original plain-text until you recover it with the password.

==EDIT==

For a JKS keystore, the keystore password is used to verify integrity (src):

    if (password != null) {
        // keyed digest over everything read through dis; compared with the stored digest after loading
        md = getPreKeyedHash(password);
        dis = new DataInputStream(new DigestInputStream(stream, md));
    }

The DigestInputStream generates a signature and compares it to the actual one to see if it has been modified.

BouncyCastle's UBER keystore is more secure: the entire keystore is encrypted with a PBE based on SHA1 and Twofish (PBEWithSHAAndTwofish-CBC).

    // decrypt the whole store with a key derived from the password
    Cipher cipher = this.makePBECipher(cipherAlg, Cipher.DECRYPT_MODE, password, salt, iterationCount);
    CipherInputStream cIn = new CipherInputStream(dIn, cipher);

    // then digest the decrypted content for the integrity check
    Digest dig = new SHA1Digest();
    DigestInputStream dgIn = new DigestInputStream(cIn, dig);

    this.loadStore(dgIn);

Ted Shaw
  • I just copied certificate data out of the keystore into a .crt file; it works. Of course I cannot access a password-protected keypair INSIDE a protected keystore, but that's encrypted with the keypair's password, not with the keystore's – billdoor Aug 22 '12 at 13:16
  • 1
    A public key is public; it is not sensitive data – Ted Shaw Aug 22 '12 at 13:22
  • 1
    But what is the purpose of the keystore password anyway? I understand that the keypair password protects the keypair, but what info from the keystore is protected by the keystore password? – gkuzmin Aug 22 '12 at 13:25
7

On a JKS or BKS keystore the password is not pointless, but it doesn't do what you might assume, either.

It doesn't encrypt the data in the keystore or in any way prevent access to it, but it does verify the integrity of the keystore. Without knowing the password, it is not possible to make changes to a keystore without the normal user of it finding out (typically due to their tools telling them "Keystore was tampered with, or password was incorrect").

In some other keystore types (such as Keystore.BouncyCastle) the keystore password protects against inspection as well as tampering.

ZoFreX
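An added example (mine, not code from the page, the JDK or any answer here) that mirrors in Python the JKS behaviour Ted Shaw's and ZoFreX's answers describe: the entries are written in the clear and the password only keys the trailing SHA-1. The keyed-hash construction (password as UTF-16BE, then the fixed string "Mighty Aphrodite", then the file body) and the version-2 trusted-certificate entry layout are taken from OpenJDK's JavaKeyStore and are not shown on the page; the DER blob in the test is a constructed placeholder, not a real certificate.

```python
import hashlib
import struct

# Format constants assumed from OpenJDK's JavaKeyStore (not shown on the page).
JKS_MAGIC, JKS_VERSION, TRUSTED_CERT_TAG = 0xFEEDFEED, 2, 2
HASH_SALT = b"Mighty Aphrodite"  # fixed string getPreKeyedHash mixes in after the password

def _utf(s: str) -> bytes:  # DataOutputStream.writeUTF: 2-byte big-endian length, then bytes
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b

def _read_utf(data: bytes, pos: int):  # inverse of _utf, returns (text, next position)
    n = struct.unpack(">H", data[pos:pos + 2])[0]
    return data[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n

def keyed_digest(password: str, body: bytes) -> bytes:
    """Mirror getPreKeyedHash + DigestInputStream: SHA-1 over password (UTF-16BE), salt, body."""
    md = hashlib.sha1()
    md.update(password.encode("utf-16-be"))
    md.update(HASH_SALT)
    md.update(body)
    return md.digest()

def build_jks(password: str, trusted_certs: list) -> bytes:
    """Serialise trusted-cert entries in the clear, then append the keyed SHA-1 trailer."""
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, len(trusted_certs))
    for alias, der in trusted_certs:
        body += struct.pack(">I", TRUSTED_CERT_TAG) + _utf(alias)
        body += struct.pack(">q", 0)  # creation timestamp in millis (constructed: 0)
        body += _utf("X.509") + struct.pack(">I", len(der)) + der
    return body + keyed_digest(password, body)

def read_entries(data: bytes) -> list:
    """Parse every trusted-cert entry with no password at all: aliases and DER bytes are plaintext."""
    _, _, count = struct.unpack(">III", data[:12])
    pos, entries = 12, []
    for _ in range(count):
        pos += 4  # entry tag
        alias, pos = _read_utf(data, pos)
        pos += 8  # creation timestamp
        _, pos = _read_utf(data, pos)  # certificate type, "X.509"
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        entries.append((alias, data[pos + 4:pos + 4 + length]))
        pos += 4 + length
    return entries

def verify_jks(data: bytes, password) -> bool:
    """Mirror engineLoad: with a password, recompute the keyed digest over all but the last 20 bytes."""
    if password is None:
        return True  # Java skips the integrity check entirely when no password is supplied
    return keyed_digest(password, data[:-20]) == data[-20:]
```

Loading with the wrong password fails only because the recomputed trailer differs; a modified entry fails the same way, while read_entries still returns the (modified) certificate bytes without any password.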
-1

The JKS keystores are binary stores and their contents are encrypted using the password as a key. No one can access the contents without the password. The password is for protecting the contents of the store from illegitimate access and manipulation. You can for sure open the encrypted content in some editor but cannot make sense out of it.

Drona
  • Seems to make sense, but I can access the contents (and make sense out of them) – billdoor Aug 22 '12 at 13:36
  • 1
    You cannot get usable data out of it. Password protection also prevents manipulation of the store. – Drona Aug 22 '12 at 14:02
  • 1
    For another time: I DO GET usable data, but it prevents the keystore from manipulation! Thank you! – billdoor Aug 22 '12 at 14:09
  • 3
    "its contents are encrypted using the password as a key" this is not correct - try changing the password on a JKS keystore and you will observe that 99% of the file does not change as a result. The password on a JKS keystore is used for verification only. – ZoFreX Jul 05 '13 at 15:40
  • 2
    I don't understand why this is the accepted answer since it is obviously incorrect. – treaz Jan 10 '14 at 10:37
  • I hate to edit an old question, but as I needed to reread the answers I saw that treaz is absolutely right - I marked the correct answer now – billdoor Feb 17 '16 at 15:39