Java equivalent of SecureString

I'm looking for Java's equivalent of .NET's SecureString. Is there such an implementation available in 2018?

The OWASP implementation is not exactly the same because it's just a plain char array, while the .NET equivalent provides additional features such as the ability to get an instance from/to unmanaged memory and also encryption.

I'm aware of the common Java pattern of passing passwords around as char[] and Arrays.fill()-ing them with zeros after use. But it requires building a trivial utility class around char[] all the time.

Mikhail Kholodkov asked Jul 09 '18 09:07

1 Answer

Oracle has a GuardedString implementation. It is the closest match to .NET's SecureString solution.

Secure string implementation that solves the problems associated with keeping passwords as java.lang.String. That is, anything represented as a String is kept in memory as a clear text password and stays in memory at least until it is garbage collected.

The GuardedString class alleviates this problem by storing the characters in memory in an encrypted form. The encryption key will be a randomly-generated key.

In their serialized form, GuardedStrings will be encrypted using a known default key. This is to provide a minimum level of protection regardless of the transport. For communications with the Remote Connector Framework it is recommended that deployments enable SSL for true encryption.

Applications may also wish to persist GuardedString. In the case of Identity Manager, it should convert GuardedStrings to EncryptedData so that they can be stored and managed using the Manage Encryption features of Identity Manager. Other applications may wish to serialize APIConfiguration as a whole. These applications are responsible for encrypting the APIConfiguration blob for an additional layer of security (beyond the basic default key encryption provided by GuardedString).

sanketshah answered Sep 20 '22 06:09
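To make the mechanism concrete, here is an added, JDK-only illustration of the design the answer describes (characters kept in memory encrypted under a per-instance random key, clear text materialised only inside an accessor callback, dispose wiping the key). It is written for this page and is not Oracle's GuardedString or any library's code; class and method names (GuardedChars, access, close) are my own, and it assumes Java 8 or later for AES/GCM and lambdas.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.function.Consumer;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Secret held AES-GCM encrypted under a per-instance random key; clear text exists only inside access().
public final class GuardedChars implements AutoCloseable {
    private static final SecureRandom RNG = new SecureRandom();
    private final byte[] key = new byte[16]; // random key, lives only in this object, never persisted
    private final byte[] iv = new byte[12];  // safe to use once: the secret is encrypted exactly one time
    private byte[] ciphertext;

    public GuardedChars(char[] clear) throws Exception {
        RNG.nextBytes(key);
        RNG.nextBytes(iv);
        byte[] plain = toBytes(clear);
        try { ciphertext = cipher(Cipher.ENCRYPT_MODE).doFinal(plain); }
        finally { Arrays.fill(plain, (byte) 0); Arrays.fill(clear, '\0'); } // scrub both clear-text copies
    }

    // Decrypts into a temporary char[], hands it to the callback, zeroes it afterwards (accessor pattern).
    public void access(Consumer<char[]> accessor) throws Exception {
        if (ciphertext == null) throw new IllegalStateException("already disposed");
        byte[] plain = cipher(Cipher.DECRYPT_MODE).doFinal(ciphertext);
        char[] clear = toChars(plain);
        Arrays.fill(plain, (byte) 0);
        try { accessor.accept(clear); } finally { Arrays.fill(clear, '\0'); }
    }

    @Override public void close() { // dispose: once the key is zeroed the secret is unrecoverable, even from a heap dump
        Arrays.fill(key, (byte) 0); Arrays.fill(iv, (byte) 0);
        if (ciphertext != null) { Arrays.fill(ciphertext, (byte) 0); ciphertext = null; }
    }

    private Cipher cipher(int mode) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, iv));
        return c;
    }

    private static byte[] toBytes(char[] c) { // manual UTF-16BE: charset encoders allocate buffers holding plaintext
        byte[] b = new byte[c.length * 2];
        for (int i = 0; i < c.length; i++) { b[2 * i] = (byte) (c[i] >> 8); b[2 * i + 1] = (byte) c[i]; }
        return b;
    }
    private static char[] toChars(byte[] b) {
        char[] c = new char[b.length / 2];
        for (int i = 0; i < c.length; i++) c[i] = (char) (((b[2 * i] & 0xff) << 8) | (b[2 * i + 1] & 0xff));
        return c;
    }
}
```

Usage is `try (GuardedChars g = new GuardedChars(System.console().readPassword())) { g.access(chars -> authenticate(chars)); }`, where the caller's char[] is consumed and zeroed by the constructor. The caveat that also applies to GuardedString: anything that ever became a java.lang.String (a literal, a concatenation, a log line) stays in the heap until collected, so the protection only holds if the secret enters as a char[] and is never converted.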