Keystore

Purpose

A Keystore object represents a location where a collection of login credential information is kept, such as Active Directory, Kerberos, or a local directory of private keys. The essence of the Keystore object is that if an attacker manages to read it, it gives access to login information/credentials (UserAccounts) or to the encryption keys needed to decrypt a Dataflow or Datastore.

Connections

Keystore and Neighboring Objects

| Object | Connection | Description | Function |
| --- | --- | --- | --- |
| Host | Execution | A connection to a Host object denotes that the Keystore is hosted by the Host. | A missing connection to a Host prevents Read access through Hosts. |
| Client | Execution | A connection to a Client object denotes that the Keystore is hosted by the Client. | A missing connection to a Client prevents Read access through Clients. |
| Service | Execution | A connection to a Service object denotes that the Keystore is hosted by the Service. | A missing connection to a Service prevents Read access through Services. |
| WebApplication | Execution | A connection to a WebApplication object denotes that the Keystore is hosted by the WebApplication. | A missing connection to a WebApplication prevents Read access through WebApplications. |
| Dataflow | Authentication | A connection to a Dataflow object denotes that the key to decrypt the Dataflow is stored in the Keystore. | A missing connection to a Dataflow prevents the Attacker from bypassing the encryption and authentication on the Dataflow through a Keystore. |
| Datastore | Authentication | A connection to a Datastore object denotes that the key to decrypt the Datastore is stored in the Keystore. | A missing connection to a Datastore prevents Read access to an encrypted Datastore through a Keystore. |
| UserAccount | Authentication | A connection to a UserAccount object denotes that the credentials for the UserAccount are stored in the Keystore. | A missing connection to a UserAccount prevents compromise of a UserAccount through a Keystore. |

Applicability

Since a Keystore defines where encryption/access keys are located, connecting a Keystore to a Datastore is only applicable when the Datastore is encrypted. If it is not, no keys are needed to read it once it is reached.

Keystore and datastore

Attack Steps and Defenses

Keystore Attack Steps and Defenses

| Attack Step | Description | Leads to |
| --- | --- | --- |
| Read | Reading the contents of the Keystore. | Dataflow: Eavesdrop; Dataflow: ManInTheMiddle; Datastore: Read; Datastore: Write; UserAccount: Compromise |
| Delete | Deleting the contents of the Keystore. | Dataflow: DenialOfService; Datastore: Delete; Datastore: Dataflow.DenialOfService |

| Defense | Description | Impact | Default |
| --- | --- | --- | --- |
| Encrypted | Whether the data in the Keystore is encrypted or not. | An Encrypted Keystore can help prevent Read. | Off |
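As an added illustration (not part of this documentation or the tool's own code), the following Python transcribes the tables above into a small propagation function: Execution on a hosting object yields Read on the Keystore unless the Encrypted defense is on, and Read or Delete on the Keystore then leads to the listed steps on the connected Dataflow, Datastore and UserAccount objects. The object names and the sample model are constructed for the example.

```python
from dataclasses import dataclass, field

# Propagation rules transcribed from the "Attack Steps and Defenses" table:
# Keystore attack step -> attack steps reached on connected object types.
# The entry "Datastore: Dataflow.DenialOfService" under Delete is ambiguous
# on the page and is left out here.
KEYSTORE_LEADS_TO = {
    "Read": {
        "Dataflow": ("Eavesdrop", "ManInTheMiddle"),
        "Datastore": ("Read", "Write"),
        "UserAccount": ("Compromise",),
    },
    "Delete": {
        "Dataflow": ("DenialOfService",),
        "Datastore": ("Delete",),
    },
}
# Object types whose Execution step gives Read access to a Keystore they host.
HOSTING_TYPES = frozenset({"Host", "Client", "Service", "WebApplication"})


@dataclass
class Keystore:
    name: str
    encrypted: bool = False                            # "Encrypted" defense, default Off
    hosted_by: list = field(default_factory=list)      # [(type, name), ...]
    protects: list = field(default_factory=list)       # Dataflow/Datastore/UserAccount


def propagate(ks: Keystore, compromised: set) -> set:
    """Return every attack step ('Type.name.Step') reachable from the given
    compromised steps by going through the Keystore ks."""
    reached = set(compromised)
    # Execution on a hosting object yields Read on the Keystore, unless the
    # Encrypted defense is on ("can help prevent Read").
    if not ks.encrypted and any(
        f"{t}.{n}.Execution" in compromised for t, n in ks.hosted_by if t in HOSTING_TYPES
    ):
        reached.add(f"Keystore.{ks.name}.Read")
    # Delete has no stated prerequisite on the page, so it must be given as input.
    for step, targets in KEYSTORE_LEADS_TO.items():
        if f"Keystore.{ks.name}.{step}" not in reached:
            continue
        for obj_type, obj_name in ks.protects:
            for target_step in targets.get(obj_type, ()):
                reached.add(f"{obj_type}.{obj_name}.{target_step}")
    return reached


# Constructed sample model: one Host hosting a Keystore that protects three objects.
SAMPLE = Keystore(
    name="vault",
    hosted_by=[("Host", "srv01")],
    protects=[("Dataflow", "api_tls"), ("Datastore", "db_enc"), ("UserAccount", "svc_admin")],
)

if __name__ == "__main__":
    for s in sorted(propagate(SAMPLE, {"Host.srv01.Execution"})):
        print(s)
```

Flipping `encrypted=True` on the sample shows the defense in effect: Execution on the Host no longer yields Read, so none of the downstream steps are reached.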