Re: secure storage of sensitive data in J2EE

[Dimitris Mistriotis <besieger () yahoo com>]

I'm not 100% sure but it has to do with how java
garbage collector handles this. If it is a string in 
Java, which are immutable, when you "write" junk into
it, JVM will simply intorduce a new string leaving
previous one in memory until garbage collector finds
it and remove it (something that might take enough
time for it to be read). So you can use StringBuffer
objects but you have to assure that there is not a
string conversion involved anywhere :(

--- Kevin Conaway <kevin.conaway () gmail com> wrote:

> A followup question:
>
> Once the data (be it a password or a key) has been
> read into memory,
> what is an effective and secure way of minimizing
> the window that the
> plaintext key or password is in memory?
>
> If the data is read into a char [] and then
> overwritten with junk
> data, would that work?
>
> Kevin
>
> On Tue, 25 Jan 2005 09:18:15 +0000, chaim moshe
> <xor256 () hotmail com> wrote:
> > Hello list,
> >
> > where can I  store sensitive data like encryption
> keys, passwords, etc. in
> > J2EE?
> > surely, you can save it in the keystore, but the
> catch is where do you store
> > the keystore password to protect it from external
> access?
> > storing the keystore password in code or in config
> files is not secured
> > enough.
> >
> > In the .NET environment you have DPAPI that was
> designed exactly for this
> > kind of problem, the sensitive data is encrypted
> at the OS level with the
> > user/machine password and is decrypted at runtime.
> > What is the solution in the J2EE environment ?
> >
> > Thanks!
_________________________________________________________________
> > Express yourself instantly with MSN Messenger!
> Download today it's FREE!
> >
http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
> >


=====
Dimitrios Mistriotis


                
__________________________________ 
Do you Yahoo!? 
Read only the mail you want - Yahoo! Mail SpamGuard. 
http://promotions.yahoo.com/new_mail