Re: secure storage of sensitive data in J2EE

Forcing the garbage collector to run in Java is considered bad practice


On Tue, 08 Feb 2005 22:49:30 -0500, Ashish Popli <apopli@gmail.com> wrote:
> Cant we simply force garbage collection when you are done using the object?
> Here is a link.
> http://java.sun.com/docs/books/tutorial/essential/system/garbage.html
>
> Kevin Conaway wrote:
>
> > A followup question:
> >
> > Once the data (be it a password or a key) has been read into memory,
> > what is an effective and secure way of minimizing the window that the
> > plaintext key or password is in memory?
> >
> > If the data is read into a char [] and then overwritten with junk
> > data, would that work?
> >
> > Kevin
> >
> > On Tue, 25 Jan 2005 09:18:15 +0000, chaim moshe <xor256@hotmail.com> wrote:
> >
> > > Hello list,
> > >
> > > where can I  store sensitive data like encryption keys, passwords, etc. in
> > > J2EE?
> > > surely, you can save it in the keystore, but the catch is where do you store
> > > the keystore password to protect it from external access?
> > > storing the keystore password in code or in config files is not secured
> > > enough.
> > >
> > > In the .NET environment you have DPAPI that was designed exactly for this
> > > kind of problem, the sensitive data is encrypted at the OS level with the
> > > user/machine password and is decrypted at runtime.
> > > What is the solution in the J2EE environment ?
> > >
> > > Thanks!
> > >
> > > _________________________________________________________________
> > > Express yourself instantly with MSN Messenger! Download today it's FREE!
> > > http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/