Mind Your Keys? A Security Evaluation of Java Keystores.

Cryptography is complex and variegate and requires to combine different algorithms and mechanisms in nontrivial ways. This complexity is often source of vulnerabilities. Secure key management is one of the most critical aspects, since leaking a cryptographic key vanishes any advantage of using cryptography. In this paper we analyze Java keystores, the standard way to manage and securely store keys in Java applications. We consider seven keystore implementations from Oracle JDK and Bouncy Castle, a widespread cryptographic library. We describe, in detail, how the various keystores enforce confidentiality and integrity of the stored keys through passwordbased cryptography and we show that many of the implementations do not adhere to state-of-the-art cryptographic standards. We investigate the resistance to offline attacks and we show that, for non-compliant keystores, brute-forcing can be up to three orders of magnitude faster with respect to the most compliant keystore. Additionally, when an attacker can tamper with the keystore file, some implementations are vulnerable to denial of service attacks or, in the worst case, arbitrary code execution. Finally we discuss the fixes implemented by Oracle and Bouncy Castle developers following our responsible disclosure.