WebApp Sec: Re: secure storage of sensitive data in J2EE

[Nick Seward <nseward () cscn com>]

Randy wrote:

> I've always wondered what the point of a System.gc() was... what 
> applications would calling System.gc() be useful if the JVM has the 
> right to choose wether or not it gets called?
> Does anyone know of an actual useful implementation of System.gc()?
>
> --Randy
>
> On Wed, 9 Feb 2005, Nick Seward wrote:
>
> > Ashish Popli wrote:
> >
> > > Cant we simply force garbage collection when you are done using the 
> > > object?
> > > Here is a link.
> > > http://java.sun.com/docs/books/tutorial/essential/system/garbage.html
> > >
> > > Kevin Conaway wrote:
> > >
> > > > A followup question:
> > > >
> > > > Once the data (be it a password or a key) has been read into memory,
> > > > what is an effective and secure way of minimizing the window that the
> > > > plaintext key or password is in memory?
> > > >
> > > > If the data is read into a char [] and then overwritten with junk
> > > > data, would that work?
> > > >
> > > > Kevin
> > > >
> > > > On Tue, 25 Jan 2005 09:18:15 +0000, chaim moshe 
> > > > <xor256 () hotmail com> wrote:
> > > > > Hello list,
> > > > >
> > > > > where can I  store sensitive data like encryption keys, passwords, 
> > > > > etc. in
> > > > > J2EE?
> > > > > surely, you can save it in the keystore, but the catch is where do 
> > > > > you store
> > > > > the keystore password to protect it from external access?
> > > > > storing the keystore password in code or in config files is not 
> > > > > secured
> > > > > enough.
> > > > >
> > > > > In the .NET environment you have DPAPI that was designed exactly 
> > > > > for this
> > > > > kind of problem, the sensitive data is encrypted at the OS level 
> > > > > with the
> > > > > user/machine password and is decrypted at runtime.
> > > > > What is the solution in the J2EE environment ?
> > > > >
> > > > > Thanks!
> > > > >
> > > > > _________________________________________________________________
> > > > > Express yourself instantly with MSN Messenger! Download today it's 
> > > > > FREE!
> > > > > http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
> > Forcing garbage collection through System.gc() does not gaurantee 
> > garbage collection will occur.
> > The API for Java 1.5.0 says this about System.gc() : " Calling the 
> > |gc| method suggests that the Java Virtual Machine expend effort 
> > toward recycling unused objects......."
> > Notice it uses the word suggest. The JVM will try to run garbage 
> > collecting but it may not.
> > The same goes with the System.Runfinalization(). You are just 
> > requesting it does this. The JVM may not actually do it.
> > Nick
I am not sure of a useful implementation of System.gc(). This might be 
better answered by studying the garbage collector in the JVM. This is 
not a trivial subject and something I have no knowledge of. Maybe there 
is some documentation online or some one on this list that knows. All I 
know is that the garbage collector does it's very best to keep things 
"clean".
Nick