RE: secure storage of sensitive data in J2EE
From: Michael Silk (michaelsilk at gmail.com)
Date: Wed Feb 09 2005 - 21:12:02 CST
Michael,
What are some example implementations of the usage of SecureString?
To store a CC coming from a submission? Surely it could be tracked as
it's coming in (browser -> server -> [ here ! ] -> your code), in that
case.
To store a password? Where does the password initially come from? And
where does it get used? Do other APIs take a SecureString and _never_
realise it into a common string form?
It seems the weak link in the chain would break this one, ... or am I
missing something :) ?
Further, on what basis is it encrypted? Under the user that is running
the code? As such, wouldn't any other (malicious) .net code be running
under the same privileges and hence be able to decrypt it?
-- Michael Silk
> -----Original Message-----
> From: Michael Howard [mailto:mikehow at microsoft.com]
> Sent: Thursday, 10 February 2005 10:15 AM
> To: Benjamin Livshits; chaim moshe; webappsec at securityfocus.com
> Subject: RE: secure storage of sensitive data in J2EE
>
> I know this is not J2EE, but in .NET Framework, we added a
> SecureString class that:
>
> 1) is automatically encrypted in memory (to mitigate the
> paged-out-data threat)
> 2) is cleared when the string is no longer used
> 3) is GC'd rapidly
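The three SecureString properties quoted above and the "weak link" question in the reply, as an added example that is not part of this thread or of the .NET Framework's own samples: a SecureString is built char by char and then handed to a consumer (PBKDF2 via Rfc2898DeriveBytes) without ever being realised as a System.String. Assumes a recent .NET (Core or 5+); SecureStringDemo, FromChars and DeriveKey are names chosen here.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Cryptography;
// Added example, not code from the original thread: the SecureString
// lifecycle, and the one place the secret must exist as plaintext.
static class SecureStringDemo
{
    // Build the SecureString char by char and wipe the source buffer, so the
    // full secret is never held in an immutable managed String on this path.
    static SecureString FromChars(char[] chars)
    {
        var s = new SecureString();
        foreach (char c in chars) s.AppendChar(c);
        Array.Clear(chars, 0, chars.Length);
        s.MakeReadOnly();
        return s;
    }

    // Consumer that needs the plaintext: decrypt into unmanaged memory, copy
    // into the byte[] the KDF accepts, then zero both buffers. No
    // System.String is created, so nothing is left for the GC to keep alive.
    static byte[] DeriveKey(SecureString secret, byte[] salt)
    {
        IntPtr ptr = IntPtr.Zero;
        byte[] pwBytes = null;
        try
        {
            ptr = Marshal.SecureStringToGlobalAllocUnicode(secret);
            pwBytes = new byte[secret.Length * 2]; // UTF-16 code units
            Marshal.Copy(ptr, pwBytes, 0, pwBytes.Length);
            using (var kdf = new Rfc2898DeriveBytes(pwBytes, salt, 100_000, HashAlgorithmName.SHA256))
                return kdf.GetBytes(32);
        }
        finally
        {
            if (pwBytes != null) Array.Clear(pwBytes, 0, pwBytes.Length);
            if (ptr != IntPtr.Zero) Marshal.ZeroFreeGlobalAllocUnicode(ptr);
        }
    }

    static void Main()
    {
        // Constructed inputs: a real app fills the char[] from a key-by-key
        // console loop or a PasswordBox and generates a random salt per user.
        char[] typed = { 'h', 'u', 'n', 't', 'e', 'r', '2' };
        using (SecureString pw = FromChars(typed))
            Console.WriteLine(BitConverter.ToString(DeriveKey(pw, new byte[16])));
    }
}
```

Any API that demands a System.String (a constructor, a connection string, a logging call) is the weak link the reply asks about: the secret then lands in immutable managed memory that cannot be reliably zeroed. Note also that on non-Windows .NET the SecureString contents are kept mutable and zeroable but are not encrypted, so property 1) above holds on Windows only.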