System and method for using key-pair encryption to secure keystore contents
Publication Date: 2010-Aug-11
The IP.com Prior Art Database
Disclosed is a method for using an asymmetric key system to protect the contents of the keystore, removing the dependency on passwords.
The problem is securing a keystore without the need for passwords, which are inherently
less secure than other cryptographic mechanisms such as asymmetric keys. Some
application servers already require that secure keystores do not use passwords.
Today keystore passwords are stored in configuration files, which are routinely sent out
for support, and customers view this as a security problem.
Current known solutions for securing a keystore use passwords. Current Java*
Cryptography Extension keystores control access to the data within the keystore
using passwords, or provide no access control at all.
The problems with keystores that rely on passwords are:
1. Passwords are inherently less secure than cryptographic keys
2. Passwords can be harder to manage and secure within an enterprise
3. Passwords require an additional layer of security to protect the passwords themselves
The solution disclosed here uses an asymmetric key system to protect the contents of
the keystore, removing the dependency on passwords. Additionally, since a password
acts as a symmetric key, a single password grants access to both the storage and the
retrieval of keystore contents. With an asymmetric key system, by contrast, privilege can
be divided: holders of the public key get store-only access, and only holders of the
private key can retrieve.
The solution employs a key-pair encryption scheme to control access to the keystore.
The control mechanism has two parts:
1. Public key:
• contained within the keystore
• controls access to storage-type functions
• used to encrypt the contents of the keystore
2. Private key:
• held by the systems authorized to retrieve from the keystore
• controls the retrieval-type functions
• exists as an artifact maintained within the operating system
• controlled and protected by operating system mechanisms
• secured, maintained and controlled according to the security policy of the
enterprise, so that normal users do not have access to this key and the key
is restricted to the processes that make use of it.
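The following is an added example written for this page, not code from the disclosure, showing the store/retrieve split above in working form. It is in Go rather than Java because Go's standard library covers everything needed offline. The disclosure names no algorithms, so the concrete choices here are assumptions: RSA-OAEP wraps a fresh AES-256-GCM data key per entry (public-key encryption cannot seal arbitrary-length contents directly, so a hybrid scheme is what a real implementation would use), the entry alias is bound as GCM associated data, and an in-memory map stands in for the keystore file. The keystore object holds only the public key; Store needs nothing else, and Retrieve succeeds only when the caller presents the matching private key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// entry is one protected record: a data key wrapped to the keystore's
// public key, and the secret sealed under that data key.
type entry struct {
	wrappedKey []byte // RSA-OAEP(publicKey, dataKey)
	nonce      []byte // AES-GCM nonce, 12 bytes
	sealed     []byte // AES-GCM(dataKey, secret, aad = alias)
}

// Keystore carries only the public half of the key pair: whoever can open it
// can add entries, but reading them back needs the private key, never stored here.
type Keystore struct {
	pub     *rsa.PublicKey
	entries map[string]entry
}

func NewKeystore(pub *rsa.PublicKey) *Keystore {
	return &Keystore{pub: pub, entries: make(map[string]entry)}
}

// GenerateKeyPair stands in for the enterprise's key provisioning step.
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Store is the storage-type function and needs only the public key. RSA
// cannot encrypt arbitrary-length data, so a fresh AES-256-GCM data key
// seals the secret and RSA-OAEP wraps that data key to the public key.
func (ks *Keystore) Store(alias string, secret []byte) error {
	buf := make([]byte, 32+12) // data key || GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return err
	}
	dataKey, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(dataKey)
	if err != nil {
		return err
	}
	// The alias is authenticated (AAD): an entry copied under another alias fails to open.
	sealed := gcm.Seal(nil, nonce, secret, []byte(alias))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, ks.pub, dataKey, nil)
	if err != nil {
		return err
	}
	ks.entries[alias] = entry{wrappedKey: wrapped, nonce: nonce, sealed: sealed}
	return nil
}

// Retrieve is the retrieval-type function: the caller presents the private
// key. A wrong key or a tampered entry makes decryption fail, and that
// failure is the access-control decision; no password is consulted.
func (ks *Keystore) Retrieve(alias string, priv *rsa.PrivateKey) ([]byte, error) {
	e, ok := ks.entries[alias]
	if !ok {
		return nil, fmt.Errorf("no such alias %q", alias)
	}
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, e.wrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("access denied: %w", err)
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	secret, err := gcm.Open(nil, e.nonce, e.sealed, []byte(alias))
	if err != nil {
		return nil, fmt.Errorf("access denied: %w", err)
	}
	return secret, nil
}

func main() {
	priv, _ := GenerateKeyPair()
	ks := NewKeystore(&priv.PublicKey)
	_ = ks.Store("db.password", []byte("hunter2")) // constructed sample secret
	got, err := ks.Retrieve("db.password", priv)
	fmt.Printf("with the private key: %q, err=%v\n", got, err)
	other, _ := GenerateKeyPair()
	_, err = ks.Retrieve("db.password", other)
	fmt.Println("with a different private key:", err)
}
```

Two caveats a practitioner should keep in mind. First, the scheme gives confidentiality and per-entry integrity, but because the public key sits in the keystore, anyone who can read the keystore can also write entries, and the retrieving process cannot tell who stored a given entry; if origin matters, storers must also sign, or writes must be restricted by file permissions. Second, the private key in this example lives in process memory only for the demonstration; in deployment it belongs where the disclosure puts it, under operating-system protection (or a hardware key store), readable solely by the processes that perform retrieval.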
The act of properly decrypting the data is the access control mechanism. This solution