.Net SecureString in Java

I am trying to use a 3rd party authentication web service at a customer site. The web service was written in .Net and accepts SecureString as the password type.

AuthResult Login(string username, SecureString passkey)

My app is written in Java and there is no compatible type for SecureString in Java that I can use :( When I generate an Axis proxy, it generates a stub with no members for SecureString, and hence I am not able to make the authentication call to the service.

public class SecureString  implements java.io.Serializable {
    public SecureString() {
        ...
    }
}

I am trying http://sanguinecomputing.com/a-secure-string-implementation-for-long-term-storage-of-sensitive-data-in-java/ but I am not very hopeful.

Can anyone help me with how to overcome this interoperability issue? I am looking for a way to send a parameter of type SecureString from Java app code to the .Net service.

Dhawalk asked Oct 02 '22 05:10


2 Answers

Exactly. SecureString is not a serializable type. It can never be, across machines, as SecureString relies on DPAPI, which itself relies on local machine properties to construct its encryption key/vector.

The fact that an API was posted with a SecureString-type parameter shows a vital flaw in its design. No remote client could possibly hand that parameter in.

Craig Brunetti answered Oct 13 '22 10:10


... My app is written in Java and there is no compatible type for SecureString in Java

... Can anyone help me with how to overcome this interoperability issue?

As you know, there is no SecureString in Java.

In Java, you are supposed to use char[] and overwrite the material when you are finished with it. From Using Password-Based Encryption in the Java Cryptography Extension (JCE) Reference Guide:

It would seem logical to collect and store the password in an object of type java.lang.String. However, here's the caveat: Objects of type String are immutable, i.e., there are no methods defined that allow you to change (overwrite) or zero out the contents of a String after usage. This feature makes String objects unsuitable for storing security sensitive information such as user passwords. You should always collect and store security sensitive information in a char array instead.

So your SecureString will have a private char[], and you will zeroize the array on destruction. I believe .Net's SecureString masks the string when not in use (I don't believe it's true encryption, but I could be wrong). So you'll need to provide a mask function, too.

jww answered Oct 13 '22 11:10
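One way to build the class jww's answer describes, as an added example that is not part of either answer: a Java SecureString that keeps the secret in a private char[] masked with a random one-time key while at rest and zeroizes both arrays on close(). Class and method names are my own choices; it only covers in-memory handling on the Java side and does not change what the .Net service can accept on the wire.

```java
import java.security.SecureRandom;
import java.util.Arrays;

/** Holds a secret as a masked char[] and wipes it when closed. */
public final class SecureString implements AutoCloseable {
    private final char[] masked;  // secret XOR key, never the plaintext
    private final char[] key;     // random one-time mask, same length as secret
    private boolean wiped;

    public SecureString(char[] secret) {
        key = new char[secret.length];
        masked = new char[secret.length];
        SecureRandom rng = new SecureRandom();
        for (int i = 0; i < secret.length; i++) {
            key[i] = (char) rng.nextInt(0x10000);
            masked[i] = (char) (secret[i] ^ key[i]);
        }
        Arrays.fill(secret, '\0'); // caller's copy is no longer needed
    }

    /** Returns a fresh unmasked copy; the caller must wipe it after use. */
    public char[] reveal() {
        if (wiped) throw new IllegalStateException("SecureString already wiped");
        char[] plain = new char[masked.length];
        for (int i = 0; i < plain.length; i++) plain[i] = (char) (masked[i] ^ key[i]);
        return plain;
    }

    public int length() { return masked.length; }

    @Override
    public void close() {
        Arrays.fill(masked, '\0');
        Arrays.fill(key, '\0');
        wiped = true;
    }

    public static void main(String[] args) {
        char[] pw = "hunter2".toCharArray(); // constructed sample, not a real credential
        try (SecureString s = new SecureString(pw)) {
            char[] plain = s.reveal();
            try {
                System.out.println("unmasked length: " + plain.length);
            } finally {
                Arrays.fill(plain, '\0'); // wipe the temporary plaintext copy
            }
        }
    }
}
```

Wiping is best-effort: the JVM may have copied the arrays during garbage collection, so the mask limits how long plaintext sits in the heap rather than guaranteeing it never does.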