[WEB SECURITY] Encrypting Client Data

Peter Conrad conrad at tivano.de
Fri Jun 10 03:36:50 EDT 2011


On Thursday, 9 June 2011, Justin Scott wrote:
> they log out or their session times out, the key data would be removed
> from memory (as an aside, the app is built on a Java virtual machine
> so the usual memory garbage collection methods in Java would apply,
> and we can zero over the data before closing their session as well).
> So, given this information, can you think of anything that we've
> missed? Any other risk factors we should consider?

Talking about Java garbage collection: the garbage collector copies
long-lived objects between heap regions during their lifetime
(see http://www.oracle.com/technetwork/java/gc-tuning-5-138395.html
for a detailed explanation). So zeroing over the data will not
really help (but doesn't hurt, of course).

Also, if you're planning a clustered application with session
replication you'll be transmitting the unprotected keys across
your intra-cluster-network.

Peter Conrad
Tivano Software GmbH
Bahnhofstr. 18
63263 Neu-Isenburg
Tel: 06102 / 8099070
Fax: 06102 / 8099071
HRB 11680, AG Offenbach/Main
Managing Director: Martin Apel
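The two concerns in the reply above (the collector relocating heap objects so that zeroing a key array does not reliably destroy every copy, and session replication shipping keys across the cluster network) can be illustrated in code. The following is an added example, not code from the original thread or from Justin Scott's application. `SessionKeyHolder` is a hypothetical class; it keeps key bytes in a direct `ByteBuffer`, which lives outside the garbage-collected heap and is therefore not copied between heap regions, and marks that field `transient` so Java serialisation (the mechanism most containers use for session replication) never carries the key. The `main` method demonstrates both properties on constructed sample data. One caveat a practitioner should keep in mind: any heap `byte[]` the key material passed through before reaching the direct buffer may already have been relocated, so key material should be placed off-heap as early as possible.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.ByteBuffer;
import java.util.Arrays;

/**
 * Hypothetical per-session key holder (example code, not from the original thread).
 *  - keyBuffer is a direct ByteBuffer: allocated outside the Java heap, so the
 *    garbage collector does not copy it between heap regions and wipe() overwrites
 *    the only copy this object holds.
 *  - keyBuffer is transient: Java serialisation, and thus container session
 *    replication based on it, never writes the key to the wire.
 */
public final class SessionKeyHolder implements Serializable {
    private static final long serialVersionUID = 1L;

    // transient: skipped by ObjectOutputStream, so never replicated
    private transient ByteBuffer keyBuffer;

    public SessionKeyHolder(byte[] keyMaterial) {
        // allocateDirect: memory the GC does not relocate
        keyBuffer = ByteBuffer.allocateDirect(keyMaterial.length);
        keyBuffer.put(keyMaterial);
        // the caller's heap array is a second copy; zero it immediately
        Arrays.fill(keyMaterial, (byte) 0);
    }

    /** Length of the held key, or -1 if it was wiped or never replicated to this node. */
    public int keyLength() {
        return keyBuffer == null ? -1 : keyBuffer.capacity();
    }

    /** Copy the key into a caller-supplied array for one cryptographic operation. */
    public void copyKeyInto(byte[] dest) {
        if (keyBuffer == null) {
            throw new IllegalStateException("key wiped or not present on this node");
        }
        // absolute get() so the buffer's position is never disturbed
        for (int i = 0; i < keyBuffer.capacity(); i++) {
            dest[i] = keyBuffer.get(i);
        }
    }

    /** Overwrite the off-heap key bytes; call on logout or session timeout. */
    public void wipe() {
        if (keyBuffer == null) {
            return;
        }
        for (int i = 0; i < keyBuffer.capacity(); i++) {
            keyBuffer.put(i, (byte) 0);
        }
        keyBuffer = null;
    }

    public boolean isWiped() {
        return keyBuffer == null;
    }

    public static void main(String[] args) throws Exception {
        // constructed sample key material for the demonstration, not a real key
        byte[] key = "0123456789abcdef".getBytes("US-ASCII");
        SessionKeyHolder holder = new SessionKeyHolder(key);
        System.out.println("caller array zeroed after construction: "
                + Arrays.equals(key, new byte[16]));          // true

        // simulate what session replication does: serialise the session object
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(bos);
        oos.writeObject(holder);
        oos.flush();
        byte[] wire = bos.toByteArray();
        boolean keyOnWire = new String(wire, "ISO-8859-1").contains("0123456789abcdef");
        System.out.println("key bytes present in serialised form: " + keyOnWire); // false

        // the replicated copy on another cluster node has no key at all
        SessionKeyHolder replicated = (SessionKeyHolder) new ObjectInputStream(
                new ByteArrayInputStream(wire)).readObject();
        System.out.println("replicated copy holds a key: " + !replicated.isWiped()); // false

        // on logout: overwrite the single off-heap copy
        holder.wipe();
        System.out.println("wiped on this node: " + holder.isWiped());              // true
    }
}
```

Because the replicated object arrives without key material, a clustered design built this way has to re-establish the key on the node that takes over the session (for example by re-deriving it from credentials the user presents again) rather than expecting it to travel with the session; that is the trade-off for keeping it off the intra-cluster network.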
