3

When using Jasypt's StandardPBEStringEncryptor we have to set the password explicitly in the Spring bean configuration file. Is it OK and secure to have the password in the bean configuration file? Will storing the encryptor password there be a problem for PCI compliance?


3 Answers

1

This will not be PCI compliant. Data-encrypting keys cannot be stored in plaintext. The specific point is 3.5.2, which is:

Examine system configuration files to verify that keys are stored in encrypted format, and that key-encrypting keys are stored separately from data-encrypting keys.

You would probably also have other issues around the key-management area, such as 3.6.6 (split knowledge and dual control of keys):

Verify that key-management procedures are implemented to require split knowledge and dual control of keys (for example, requiring two or three people, each knowing only their own part of the key, to reconstruct the whole key).

Key management is the most challenging part of PCI compliance. You may want to consider using an (already PCI compliant) third party to manage your card data. If you are rolling your own, then I would advise that you bring in the assistance of a QSA (PCI Qualified Security Assessor) at the earliest opportunity to evaluate the security you're planning on implementing. Ultimately it will be the QSA that you need to convince in order to pass your PCI requirements, and they will be more than happy to advise.

Answered 2010-07-26T11:00:43.063
0

You need to store the symmetric key somewhere. A configuration file is a good place, as long as no one has access to it.

Answered 2010-07-22T18:24:11.170
0

I have an idea.

You can encrypt all of your plaintext passwords with the key pair in keystore.jks. You know that keystore.jks has its own password. You can remember that password and, when your program starts, enter it on the console. For example, when your program starts:

    import java.io.Console;
    import java.io.InputStream;
    import java.security.Key;
    import java.security.KeyPair;
    import java.security.KeyStore;
    import java.security.PrivateKey;
    import java.security.PublicKey;
    import java.security.cert.Certificate;

    // At start-up: prompt for the keystore password without echoing it
    Console console = System.console();
    keyPair = loadKeystore(new String(console.readPassword()));


    // Opens keystore.jks from the classpath and returns the key pair stored
    // under the given alias; the same password is used for the store and the key
    private static KeyPair loadKeystore(String pwd) throws Exception {
        try (InputStream is = Main.class.getResourceAsStream("/keystore.jks")) {
            KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
            keystore.load(is, pwd.toCharArray());

            String alias = "youralias";

            Key key = keystore.getKey(alias, pwd.toCharArray());
            if (key instanceof PrivateKey) {
                // Get certificate of public key
                Certificate cert = keystore.getCertificate(alias);

                // Get public key
                PublicKey publicKey = cert.getPublicKey();

                // Return a key pair
                return new KeyPair(publicKey, (PrivateKey) key);
            }
            return null;
        }
    }

When you return the key pair you can use it to encrypt your password.

    byte[] key = loadKeystore("yourpass").getPrivate().getEncoded();

Good luck.

Answered 2018-07-17T14:09:53.833
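As an added example (not code from the question or from any of the answers above), this is how Jasypt itself lets the encryptor password stay out of the Spring bean file, which is the part of PCI DSS 3.5.2 the first answer points at: `EnvironmentStringPBEConfig` reads the password from an environment variable when the bean is created, so the XML only names the variable, and the console prompt from the last answer can feed the same encryptor through `setPasswordCharArray`. The class name `EncryptorBootstrap`, the variable name `JASYPT_PASSWORD` and the sample plaintext are assumptions; the code assumes Jasypt 1.9.3 or later, which is where the AES-based PBE algorithms and `org.jasypt.iv.RandomIvGenerator` appear.

```java
import java.io.Console;
import java.util.Arrays;

import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig;
import org.jasypt.encryption.pbe.config.SimpleStringPBEConfig;

/**
 * Added example, not from the original thread. Builds a Jasypt
 * StandardPBEStringEncryptor whose password never appears in a
 * configuration file. Assumes Jasypt 1.9.3+; ENV_NAME is an arbitrary choice.
 */
public class EncryptorBootstrap {

    /** Environment variable holding the encryptor password (assumed name). */
    static final String ENV_NAME = "JASYPT_PASSWORD";

    /**
     * Password taken from the environment. In Spring XML the equivalent is a
     * config bean with <property name="passwordEnvName" value="JASYPT_PASSWORD"/>,
     * so the bean file carries the variable name, not the secret.
     */
    public static StandardPBEStringEncryptor fromEnvironment() {
        EnvironmentStringPBEConfig config = new EnvironmentStringPBEConfig();
        config.setPasswordEnvName(ENV_NAME);   // reads System.getenv(ENV_NAME) at this point
        return build(config);
    }

    /**
     * Password typed at start-up, the idea from the last answer, but handed to
     * Jasypt as a char[] so our copy can be zeroed afterwards.
     */
    public static StandardPBEStringEncryptor fromConsole() {
        Console console = System.console();
        if (console == null) {
            // No TTY (service, container): fail loudly rather than fall back
            // to a hard-coded value.
            throw new IllegalStateException("no console; set " + ENV_NAME + " instead");
        }
        char[] password = console.readPassword("Encryptor password: ");
        SimpleStringPBEConfig config = new SimpleStringPBEConfig();
        config.setPasswordCharArray(password);
        try {
            return build(config);
        } finally {
            Arrays.fill(password, '\0');   // key material is derived; wipe our copy
        }
    }

    /** Shared algorithm settings; initialize() fails at start-up if no password was set. */
    private static StandardPBEStringEncryptor build(SimpleStringPBEConfig config) {
        // Jasypt's default is PBEWithMD5AndDES; the AES-based PBE algorithms need a random IV.
        config.setAlgorithm("PBEWITHHMACSHA512ANDAES_256");
        config.setIvGeneratorClassName("org.jasypt.iv.RandomIvGenerator");
        config.setKeyObtentionIterations("100000");
        StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
        encryptor.setConfig(config);
        encryptor.initialize();   // EncryptionInitializationException if the password is missing
        return encryptor;
    }

    public static void main(String[] args) {
        StandardPBEStringEncryptor encryptor =
                System.getenv(ENV_NAME) != null ? fromEnvironment() : fromConsole();

        // Constructed sample: the value that used to sit in the properties file in clear.
        String secret = "db-password-example";
        String ciphertext = encryptor.encrypt(secret);
        // Jasypt's EncryptableProperties recognises property values written as ENC(...)
        System.out.println("ENC(" + ciphertext + ")");
        System.out.println(secret.equals(encryptor.decrypt(ciphertext)) ? "round trip ok" : "MISMATCH");
    }
}
```

Run it once with `JASYPT_PASSWORD` exported to get the `ENC(...)` values for the properties file, then start the application the same way; if the variable is missing and there is no console, start-up fails instead of silently using a weaker default. Note what this does and does not fix: the key is no longer in a file on disk, but it is still readable by anyone who can inspect the process environment or memory, and it does nothing for the split-knowledge and dual-control requirement quoted in the first answer.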