Re: secure storage of sensitive data in J2EE

[Michael Silk <michaelsilk () gmail com>]

But my point was that if there is a local app trying to look through
the memory of the .net runtime for the "secure" string, why doesn't it
just instead bypass that and look for where the String _comes in_ to
that memory. (i.e. from the user submission, or from something else).

> You can encrypt the data by user, by process or by machine. It's all
> supported through Crypt[Un]ProtectMemory

So you are saying that upon your setting up of a SecureString you can
tell it to encrypt the information by process; something like:
---
new SecureString(mySecretData, ENCRYPTION_DOMAIN.Process);
---

Even so, wouldn't another malicious asp.net app be running in the same process?


On Wed, 9 Feb 2005 21:06:33 -0800, Michael Howard <mikehow () microsoft com> wrote:
> It certainly can't help the data on the network - I know of no
> programming language that can!!
>
> The real threat being mitigated here is a local attack trying to grovel
> through an app or pagefile for secret data.
>
> You can encrypt the data by user, by process or by machine. It's all
> supported through Crypt[Un]ProtectMemory
>
> [Writing Secure Code] http://www.microsoft.com/mspress/books/5957.asp
> [Protect Your PC] http://www.microsoft.com/protect
> [Blog] http://blogs.msdn.com/michael_howard
>
> [On-line Security Training]
> http://mste/training/offerings.asp?TrainingID=53074
>
> -----Original Message-----
> From: Michael Silk [mailto:michaelsilk () gmail com]
> Sent: Wednesday, February 09, 2005 7:12 PM
> To: webappsec () securityfocus com; Michael Howard
> Subject: RE: secure storage of sensitive data in J2EE
>
> Michael,
>
> What is some example implementations of the usage of SecureString?
>
> To store a CC coming from a submission? Surely it could be tracked as
> it's coming in (browser -> server -> [ here ! ] -> your code), in that
> case.
>
> To store a password? Where does the password initially come from? and
> where does it get used? do other API's take a SecureString and _never_
> realise it into a common string form?
>
> It seems the weak link in the chain would break this one, ... or am I
> missing something :) ?
>
> Further, on what basis is it encrypted? Under the user that is running
> the code? As such, wouldn't any other (malicious) .net code be running
> under the same privileges and hence be able to decrypt it?
>
> -- Michael Silk
>
> > -----Original Message-----
> > From: Michael Howard [mailto:mikehow () microsoft com]
> > Sent: Thursday, 10 February 2005 10:15 AM
> > To: Benjamin Livshits; chaim moshe; webappsec () securityfocus com
> > Subject: RE: secure storage of sensitive data in J2EE
> >
> > I know this is not J2EE, but in .NET Framework, we added a
> > SecureString class that:
> >
> > 1) is automatically encrypted in memory (to mitigate the
> > paged-out-data
> > threat)
> > 2) is cleared when the string is no longer used
> > 3) is GC'd rapidly