WebApp Sec mailing list archives
RE: secure storage of sensitive data in J2EE
From: Michael Silk <michaelsilk () gmail com>
Date: Thu, 10 Feb 2005 14:12:02 +1100
Michael, What is some example implementations of the usage of SecureString? To store a CC coming from a submission? Surely it could be tracked as it's coming in (browser -> server -> [ here ! ] -> your code), in that case. To store a password? Where does the password initially come from? and where does it get used? do other API's take a SecureString and _never_ realise it into a common string form? It seems the weak link in the chain would break this one, ... or am I missing something :) ? Further, on what basis is it encrypted? Under the user that is running the code? As such, wouldn't any other (malicious) .net code be running under the same privileges and hence be able to decrypt it? -- Michael Silk
-----Original Message----- From: Michael Howard [mailto:mikehow () microsoft com] Sent: Thursday, 10 February 2005 10:15 AM To: Benjamin Livshits; chaim moshe; webappsec () securityfocus com Subject: RE: secure storage of sensitive data in J2EE I know this is not J2EE, but in .NET Framework, we added a SecureString class that: 1) is automatically encrypted in memory (to mitigate the paged-out-data threat) 2) is cleared when the string is no longer used 3) is GC'd rapidly
Current thread:
- Re: secure storage of sensitive data in J2EE, (continued)
- Re: secure storage of sensitive data in J2EE Richard Moore (Feb 09)
- Re: secure storage of sensitive data in J2EE Nick Seward (Feb 09)
- Re: secure storage of sensitive data in J2EE Randy (Feb 09)
- Re: secure storage of sensitive data in J2EE Nick Seward (Feb 09)
- Re: secure storage of sensitive data in J2EE Alexander Klimov (Feb 10)
- Re: secure storage of sensitive data in J2EE Olaf Reitmaier (Feb 09)
- Re: secure storage of sensitive data in J2EE Olaf Reitmaier (Feb 09)
- Re: secure storage of sensitive data in J2EE Michael Silk (Feb 09)
- Re: secure storage of sensitive data in J2EE Michael Silk (Feb 09)
- Re: secure storage of sensitive data in J2EE exon (Feb 10)
- Re: secure storage of sensitive data in J2EE exon (Feb 14)