How to securely store credentials for external service Code Answer

Hello Developer, Hope you guys are doing great. Today at Tutorial Guruji Official website, we are sharing the answer of How to securely store credentials for external service without wasting too much if your time.

The question is published on by Tutorial Guruji team.

I’m developing an budgeting application that uses a set of tokens and secret keys to access an external financial service, where a token-secret pair map to a single account. In this system, a user can have multiple accounts and therefore multiple sets of token-secret pairs. The token and secret can be used to access the transactions for an account, which means that the token-secret pairs should be securely stored (and be guarded against nefarious access or tampering). Although these pairs should be securely stored, the external financial service API requires the token and secret in plaintext.

What is a secure technique for storing these credentials at rest but providing the external service API with the original, plaintext credentials?

My application is a REST-based Spring Boot application written in Java 9+. Although there have been other answers I’ve seen on this topic, many of them are specific to Android and use Android security techniques (as are thus not applicable to my application). This application also uses Spring Data MonogDB to store other non-sensitive information, but if another technology is required for satisfying the above security requirements, I am open to suggestions.

Answer

This is not a problem that can be solved inside Java.

The token and secret can be used to access the transactions for an account, which means that the token-secret pairs should be securely stored (and be guarded against nefarious access or tampering).

The fundamental issue is who you are securing this against:

  • If you are trying to secure it against the people who manage the platform, it is pretty much unsolvable1.

  • If you are trying to secure it against “ordinary” (i.e. non-privileged) users, then you can either rely on ordinary file system security (plus standard service “hardening”), or you can use something like a Spring Vault or a Hardware Security Module if local file system security is insufficient2.

  • If you are trying to secure against a hacker who might be able to acquire the privilege of a full administrator, this is probably unsolvable too. (Though a hacker may need to be sophisticated … )

Note that you can do things like saving the secrets in a Java keystore, but in order to do that the JVM needs the secret key to the keystore in order to get the secret. And where do you store that secret?


Aside:

… many of them are specific to Android and use Android security techniques (as are thus not applicable to my application).

Those techniques typically assume that the platform itself is secure, and / or that it hasn’t been “rooted” by the user.


1 – So, if your goal is to embed some secrets in an app that you give to a client to use … give up. If that problem was solvable, priracy of software, music, videos, etcetera would have a simple and reliable technological solution. Clearly … it hasn’t.

2 – For a lot of purposes, it isn’t sufficient. However, the decision should be based on an assessment the risks, and balancing risks versus the cost / severity of the consequences of security failure.

We are here to answer your question about How to securely store credentials for external service - If you find the proper solution, please don't forgot to share this with your team members.

Related Posts

Tutorial Guruji