Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-4150490

"String" objects should not be used to store passwords

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: P1
    • Resolution: Fixed
    • Affects Version/s: 1.2.0
    • Fix Version/s: 1.2.0
    • Component/s: security-libs
    • Labels:
      None
    • Subcomponent:
    • Resolved In Build:
      1.2beta4
    • CPU:
      generic
    • OS:
      generic
    • Verification:
      Not verified

      Description

      It is a safe programming practice to "destroy" a password after it is
      no longer used.

      However, all the methods in java.security.KeyStore and
      java.security.KeyStoreSpi that deal with user-provided passwords
      expect those passwords to be supplied as "String" arguments.

      This is a potential security hole, because objects of type "String"
      are immutable and there is no way to overwrite their memory or
      internal value when done.

      Once a password is entered into an application, it is in memory. If
      that area of memory is not overwritten when the program is done, an
      attacker can recover that password by examining memory (or the hard
      drive if memory was swapped to disk).

      Even the garbage collector will not destroy it. The memory can be
      freed, but that will only mark it for use by something else. The
      password still exists in memory until some other memory use just
      happens to overwrite that location.

      If instead passwords were supplied as character arrays (of type
      "char[]"), key store implementations (supplied by different providers,
      including the one that's built into JDK 1.2) may zeroize the internal
      value of the password after it is no longer needed, or may even
      obfuscate the password characters while held in memory, and
      de-obfuscate them only right before the password is used (and
      obfuscate the password again after it was used).

      Both RSA Data Security (with their "RSA SecurPC" product) and PGP have
      been hit by the same problem.

      The java.security.KeyStore and java.security.KeyStoreSpi classes were
      introduced in JDK 1.2. Other packages in the JDK that deal with
      passwords (e.g., Swing) may want to make similar changes.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              jlueheorcl Jan Luehe (Inactive)
              Reporter:
              jlueheorcl Jan Luehe (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:
                Imported:
                Indexed: