Natural Order Development | Java SecureString Class

Blog >> Side Notes >> Java SecureString Class

Java SecureString Class 2008-08-01 11:26:55 Secure string implementation is very hard. A secure string is a means to keep and use confidential data. Essentially the text cannot be stored as plain text and definitely cannot be stored in a Java String object since that is immutable and there is no definable point when it will be removed from the system. Secure String Implementations should: text is encrypted for privacy when being used deleted from computer memory when no longer needed not be allowed to be paged to swap memory cannot be seen via memory inspection I was very excited about secure strings when I learned of them. But I have not been able to find an implementation for Java. I am sure better minds then me are looking into this problem. But, I have need now. So breaking the cardinal rule of "don't implement cryptographic solutions unless you have a PhD in math and another in cryptology" I am making a stab at it. I have found this one article which is very excellent (but for .NET): Credential Management with the .NET Framework 2.0 http://msdn2.microsoft.com/en-us/library/aa480470.aspx "Summary: Get an introduction to the Credential Management API that includes functions for user interface handling and lesser-known functions for managing a user's credential set. Also see a .NET class library that dramatically simplifies the task of credential management, for languages such as C# and Visual Basic .NET, and provides a more elegant and robust approach to credential management for C++ developers. (26 printed pages)" Posted by Leeland Assigned Tags: 0 Comments
Comments:

Java SecureString Class

2008-08-01 11:26:55

Secure string implementation is very hard. A secure string is a means to keep and use confidential data. Essentially the text cannot be stored as plain text and definitely cannot be stored in a Java String object since that is immutable and there is no definable point when it will be removed from the system.

Secure String Implementations should:

text is encrypted for privacy when being used
deleted from computer memory when no longer needed
not be allowed to be paged to swap memory
cannot be seen via memory inspection

I was very excited about secure strings when I learned of them. But I have not been able to find an implementation for Java. I am sure better minds then me are looking into this problem. But, I have need now. So breaking the cardinal rule of "don't implement cryptographic solutions unless you have a PhD in math and another in cryptology" I am making a stab at it.

I have found this one article which is very excellent (but for .NET):

Credential Management with the .NET Framework 2.0 http://msdn2.microsoft.com/en-us/library/aa480470.aspx

"Summary: Get an introduction to the Credential Management API that includes functions for user interface handling and lesser-known functions for managing a user's credential set. Also see a .NET class library that dramatically simplifies the task of credential management, for languages such as C# and Visual Basic .NET, and provides a more elegant and robust approach to credential management for C++ developers. (26 printed pages)"