Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: secure storage of sensitive data in J2EE

from [Michael Silk] Network Security [Permanent Link]
Subject: RE: secure storage of sensitive data in J2EE
Date: Thu, 10 Feb 2005 14:12:02 +1100 
Michael,

What is some example implementations of the usage of SecureString?

To store a CC coming from a submission? Surely it could be tracked as
it's coming in (browser -> server -> [ here ! ] -> your code), in that
case.

To store a password? Where does the password initially come from? and
where does it get used? do other API's take a SecureString and _never_
realise it into a common string form?

It seems the weak link in the chain would break this one, ... or am I
missing something :) ?

Further, on what basis is it encrypted? Under the user that is running
the code? As such, wouldn't any other (malicious) .net code be running
under the same privileges and hence be able to decrypt it?

-- Michael Silk



-----Original Message-----
From: Michael Howard [mailto:mikehow@microsoft.com] 
Sent: Thursday, 10 February 2005 10:15 AM
To: Benjamin Livshits; chaim moshe; webappsec@securityfocus.com
Subject: RE: secure storage of sensitive data in J2EE

I know this is not J2EE, but in .NET Framework, we added a 
SecureString class that:

1) is automatically encrypted in memory (to mitigate the 
paged-out-data
threat)
2) is cleared when the string is no longer used
3) is GC'd rapidly
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: secure storage of sensitive data in J2EE, Nick Seward
Next by Date:  Re: secure storage of sensitive data in J2EE, Michael Silk
Previous by Thread:  RE: secure storage of sensitive data in J2EE, Michael Howard
Next by Thread:  Re: secure storage of sensitive data in J2EE, Olaf Reitmaier
Indexes:  [Date] [Thread] [Top] [All Lists]