
Mind Your Keys? A Security Evaluation of Java Keystores

R. Focardi, F. Palmarini, M. Squarcina, M. Tempesta
2018

Abstract

Cryptography is complex and varied, and it requires combining different algorithms and mechanisms in nontrivial ways. This complexity is often a source of vulnerabilities. Secure key management is one of the most critical aspects, since leaking a cryptographic key nullifies any advantage of using cryptography. In this paper we analyze Java keystores, the standard way to manage and securely store keys in Java applications. We consider seven keystore implementations from Oracle JDK and Bouncy Castle, a widespread cryptographic library. We describe in detail how the various keystores enforce confidentiality and integrity of the stored keys through password-based cryptography, and we show that many of the implementations do not adhere to state-of-the-art cryptographic standards. We investigate the resistance to offline attacks and show that, for non-compliant keystores, brute-forcing can be up to three orders of magnitude faster than for the most compliant keystore. Additionally, when an attacker can tamper with the keystore file, some implementations are vulnerable to denial of service attacks or, in the worst case, arbitrary code execution. Finally, we discuss the fixes implemented by Oracle and Bouncy Castle developers following our responsible disclosure.
Proceedings of the Network and Distributed System Security Symposium
Files in this item:
File: ndss2018_02B-1_Focardi_paper.pdf
Access: open access
Type: publisher's version
License: open access (no restrictions)
Size: 901.7 kB
Format: Adobe PDF

Documents in ARCA are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this item: http://hdl.handle.net/10278/3697741
Citations
  • PMC: n/a
  • Scopus: n/a
  • ISI: 0