WebApp Sec mailing list archives

Re: secure storage of sensitive data in J2EE


From: exon <exon () home se>
Date: Mon, 14 Feb 2005 20:24:13 +0100

Michael Silk wrote:
> Comments inline.
>
> -----Original Message-----
> From: exon [mailto:exon () home se]
> Sent: Friday, 11 February 2005 9:33 AM
> To: webappsec () securityfocus com
> Subject: Re: secure storage of sensitive data in J2EE
>
>> Michael Silk wrote:
>>> Exon said:
>>>> Because it's supposed to be encrypted when it arrives over the network.
>>>
>>> And how can that happen in such a way that an application listening to
>>> the incoming information can't get at it first?
>>
>> It can't, but protecting pieces of memory from prying eyes was what this
>> discussion was about.
>
> Yes, and the sub-discussion with Michael Howard was about the
> usefulness of SecureString (this is the discussion where you responded
> to me).


SecureString (whatever that is) would, if it works as the name suggests, be useful for keeping the key to decrypt the incoming packets. If data is to be sent in plaintext it's naturally of no use at all.

-- Michael
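A concrete illustration of the point argued above about what a SecureString-style container can and cannot protect, as an added example that is not part of the original thread or of any poster's code: a plain Java (J2EE-era, Java 8 or later) snippet that decrypts one AES-GCM record arriving "from the network" using a key held as a byte[] and wiped as soon as the decryption is done. The key, IV and record are constructed inside main() for the demonstration; the cipher choice, the 16-byte key and the class and method names (KeyScrubDemo, decryptAndScrub) are this example's assumptions, not anything the thread specifies.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class KeyScrubDemo {
    private static final int GCM_TAG_BITS = 128;
    private static final int IV_BYTES = 12;

    // Decrypt one AES-GCM record and then wipe the key bytes we were handed.
    // The key is a byte[] rather than a String precisely so that there is
    // something to wipe: a java.lang.String cannot be cleared at all.
    static byte[] decryptAndScrub(byte[] keyBytes, byte[] iv, byte[] ciphertext)
            throws GeneralSecurityException {
        try {
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            // Caveat: SecretKeySpec copies keyBytes internally. That copy is
            // owned by the provider and is NOT wiped by the Arrays.fill below.
            SecretKeySpec key = new SecretKeySpec(keyBytes, "AES");
            cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
            return cipher.doFinal(ciphertext);
        } finally {
            // The SecureString-like step: scrub our copy of the key material.
            Arrays.fill(keyBytes, (byte) 0);
        }
    }

    // Helper used only to build the constructed sample record below.
    static byte[] encrypt(byte[] keyBytes, byte[] iv, byte[] plaintext)
            throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(keyBytes, "AES"),
                new GCMParameterSpec(GCM_TAG_BITS, iv));
        return cipher.doFinal(plaintext);
    }

    static boolean allZero(byte[] b) {
        for (byte x : b) {
            if (x != 0) return false;
        }
        return true;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        SecureRandom rng = new SecureRandom();
        byte[] key = new byte[16];   // assumed 128-bit key for the demo
        byte[] iv = new byte[IV_BYTES];
        rng.nextBytes(key);
        rng.nextBytes(iv);

        // Constructed sample: a record that stands in for a packet arriving
        // over the network, already encrypted by the sender.
        byte[] record = encrypt(key, iv,
                "4111 1111 1111 1111".getBytes(StandardCharsets.UTF_8));

        byte[] plaintext = decryptAndScrub(key, iv, record);
        System.out.println("key buffer wiped: " + allZero(key));
        // Once decrypted, the data is an ordinary byte[] in the heap, as
        // exposed as anything else the application holds in memory.
        System.out.println("plaintext now in memory: "
                + new String(plaintext, StandardCharsets.UTF_8));

        // Wipe the plaintext too once it has been used; the String created
        // for printing above, however, cannot be wiped.
        Arrays.fill(plaintext, (byte) 0);
    }
}
```

Two things the example makes visible that the prose alone does not: wiping the byte[] clears only the application's own copy, because SecretKeySpec and the JCE provider keep their own copies of the key, so a "secure string" in Java buys less than the name suggests; and the moment doFinal() returns, the sensitive data exists in memory as an ordinary buffer, which is why a SecureString can reasonably protect the decryption key but not data the application has to process in the clear.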



