RE: secure storage of sensitive data in J2EE

["Michael Howard" <mikehow () microsoft com>]

I know this is not J2EE, but in .NET Framework, we added a SecureString
class that:

1) is automatically encrypted in memory (to mitigate the paged-out-data
threat)
2) is cleared when the string is no longer used
3) is GC'd rapidly 


[Writing Secure Code] http://www.microsoft.com/mspress/books/5957.asp
[Protect Your PC] http://www.microsoft.com/protect
[Blog] http://blogs.msdn.com/michael_howard

[On-line Security Training]
http://mste/training/offerings.asp?TrainingID=53074


-----Original Message-----
From: Benjamin Livshits [mailto:livshits () cs stanford edu] 
Sent: Wednesday, February 09, 2005 2:23 PM
To: 'chaim moshe'; webappsec () securityfocus com
Subject: RE: secure storage of sensitive data in J2EE

Is there a list of "sensitive" functions in J2EE or Struts that expect
password data to be passed?

-Ben

> -----Original Message-----
> From: chaim moshe [mailto:xor256 () hotmail com]
> Sent: Tuesday, January 25, 2005 1:18 AM
> To: webappsec () securityfocus com; secprog () securityfocus com
> Subject: secure storage of sensitive data in J2EE
>
>
> Hello list,
>
> where can I  store sensitive data like encryption keys, passwords, 
> etc. in J2EE?
> surely, you can save it in the keystore, but the catch is where do you

> store the keystore password to protect it from external access?
> storing the keystore password in code or in config files is not 
> secured enough.
>
>
> In the .NET environment you have DPAPI that was designed exactly for 
> this kind of problem, the sensitive data is encrypted at the OS level 
> with the user/machine password and is decrypted at runtime.
> What is the solution in the J2EE environment ?
>
> Thanks!