Re: secure storage of sensitive data in J2EE

Michael Silk wrote:
> But my point was that if there is a local app trying to look through
> the memory of the .net runtime for the "secure" string, why doesn't it
> just instead bypass that and look for where the String _comes in_ to
> that memory. (i.e. from the user submission, or from something else).

Because it's supposed to be encrypted when it arrives over the network. 
If the malicious app has access to read the keyboard where the password 
is entered, the game is lost.

> > You can encrypt the data by user, by process or by machine. It's all
> > supported through Crypt[Un]ProtectMemory
>
>
> So you are saying that upon your setting up of a SecureString you can
> tell it to encrypt the information by process; something like:
> ---
> new SecureString(mySecretData, ENCRYPTION_DOMAIN.Process);
> ---
>
> Even so, wouldn't another malicious asp.net app be running in the same process?
>
>
> On Wed, 9 Feb 2005 21:06:33 -0800, Michael Howard <mikehow@microsoft.com> 
> wrote:
>
> > It certainly can't help the data on the network - I know of no
> > programming language that can!!
> >
> > The real threat being mitigated here is a local attack trying to grovel
> > through an app or pagefile for secret data.
> >
> > You can encrypt the data by user, by process or by machine. It's all
> > supported through Crypt[Un]ProtectMemory
> >
> > [Writing Secure Code] http://www.microsoft.com/mspress/books/5957.asp
> > [Protect Your PC] http://www.microsoft.com/protect
> > [Blog] http://blogs.msdn.com/michael_howard
> >
> > [On-line Security Training]
> > http://mste/training/offerings.asp?TrainingID=53074
> >
> > -----Original Message-----
> > From: Michael Silk [mailto:michaelsilk@gmail.com]
> > Sent: Wednesday, February 09, 2005 7:12 PM
> > To: webappsec@securityfocus.com; Michael Howard
> > Subject: RE: secure storage of sensitive data in J2EE
> >
> > Michael,
> >
> > What is some example implementations of the usage of SecureString?
> >
> > To store a CC coming from a submission? Surely it could be tracked as
> > it's coming in (browser -> server -> [ here ! ] -> your code), in that
> > case.
> >
> > To store a password? Where does the password initially come from? and
> > where does it get used? do other API's take a SecureString and _never_
> > realise it into a common string form?
> >
> > It seems the weak link in the chain would break this one, ... or am I
> > missing something :) ?
> >
> > Further, on what basis is it encrypted? Under the user that is running
> > the code? As such, wouldn't any other (malicious) .net code be running
> > under the same privileges and hence be able to decrypt it?
> >
> > -- Michael Silk
> >
> >
> > > -----Original Message-----
> > > From: Michael Howard [mailto:mikehow@microsoft.com]
> > > Sent: Thursday, 10 February 2005 10:15 AM
> > > To: Benjamin Livshits; chaim moshe; webappsec@securityfocus.com
> > > Subject: RE: secure storage of sensitive data in J2EE
> > >
> > > I know this is not J2EE, but in .NET Framework, we added a
> > > SecureString class that:
> > >
> > > 1) is automatically encrypted in memory (to mitigate the
> > > paged-out-data
> > > threat)
> > > 2) is cleared when the string is no longer used
> > > 3) is GC'd rapidly