I'm not 100% sure but it has to do with how java
garbage collector handles this. If it is a string in
Java, which are immutable, when you "write" junk into
it, JVM will simply intorduce a new string leaving
previous one in memory until garbage collector finds
it and remove it (something that might take enough
time for it to be read). So you can use StringBuffer
objects but you have to assure that there is not a
string conversion involved anywhere :(
--- Kevin Conaway <kevin.conaway@gmail.com> wrote:
A followup question:
Once the data (be it a password or a key) has been
read into memory,
what is an effective and secure way of minimizing
the window that the
plaintext key or password is in memory?
If the data is read into a char [] and then
overwritten with junk
data, would that work?
Kevin
On Tue, 25 Jan 2005 09:18:15 +0000, chaim moshe
<xor256@hotmail.com> wrote:
Hello list,
where can I store sensitive data like encryption
keys, passwords, etc. in
J2EE?
surely, you can save it in the keystore, but the
catch is where do you store
the keystore password to protect it from external
access?
storing the keystore password in code or in config
files is not secured
enough.
In the .NET environment you have DPAPI that was
designed exactly for this
kind of problem, the sensitive data is encrypted
at the OS level with the
user/machine password and is decrypted at runtime.
What is the solution in the J2EE environment ?
Thanks!
_________________________________________________________________
Express yourself instantly with MSN Messenger!
Download today it's FREE!
http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
=====
Dimitrios Mistriotis
__________________________________
Do you Yahoo!?
Read only the mail you want - Yahoo! Mail SpamGuard.
http://promotions.yahoo.com/new_mail
