Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

webappsec logo WebApp Sec mailing list archives

Re: secure storage of sensitive data in J2EE
From: Dimitris Mistriotis <besieger () yahoo com>
Date: Mon, 7 Feb 2005 16:10:05 -0800 (PST)
I'm not 100% sure but it has to do with how java
garbage collector handles this. If it is a string in 
Java, which are immutable, when you "write" junk into
it, JVM will simply intorduce a new string leaving
previous one in memory until garbage collector finds
it and remove it (something that might take enough
time for it to be read). So you can use StringBuffer
objects but you have to assure that there is not a
string conversion involved anywhere :(

--- Kevin Conaway <kevin.conaway () gmail com> wrote:


A followup question:

Once the data (be it a password or a key) has been
read into memory,
what is an effective and secure way of minimizing
the window that the
plaintext key or password is in memory?

If the data is read into a char [] and then
overwritten with junk
data, would that work?

Kevin

On Tue, 25 Jan 2005 09:18:15 +0000, chaim moshe
<xor256 () hotmail com> wrote:

Hello list,

where can I  store sensitive data like encryption

keys, passwords, etc. in

J2EE?
surely, you can save it in the keystore, but the

catch is where do you store

the keystore password to protect it from external

access?

storing the keystore password in code or in config

files is not secured

enough.

In the .NET environment you have DPAPI that was

designed exactly for this

kind of problem, the sensitive data is encrypted

at the OS level with the

user/machine password and is decrypted at runtime.
What is the solution in the J2EE environment ?

Thanks!





_________________________________________________________________

Express yourself instantly with MSN Messenger!

Download today it's FREE!





http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/








=====
Dimitrios Mistriotis


                
__________________________________ 
Do you Yahoo!? 
Read only the mail you want - Yahoo! Mail SpamGuard. 
http://promotions.yahoo.com/new_mail

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]