Java equivalent of SecureString

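I am looking for a Java equivalent of .NET's SecureString. Is there such an implementation available in 2018?

The OWASP implementation is not exactly the same, because it is just a plain char array. The .NET equivalent provides additional features, such as the ability to get an instance from unmanaged memory, and encryption.

I am aware of the common Java pattern of passing passwords around as char[] and using Arrays.fill() to overwrite them with zeros after use. But that requires building a trivial utility class around char[] every time.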


浮云间
Views: 224 · Answers: 3
3 Answers

ibeautiful

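Oracle has a GuardedString implementation. It is the closest match to .NET's SecureString solution.

Secure string implementation that solves the problems associated with keeping passwords as java.lang.String. That is, anything represented as a String is kept in memory as a clear text password and stays in memory at least until it is garbage collected.

The GuardedString class alleviates this problem by storing the characters in memory in an encrypted form. The encryption key will be a randomly generated key.

In their serialized form, GuardedStrings will be encrypted using a known default key. This is to provide a minimum level of protection regardless of the transports. For communications with the Remote Connector Framework it is recommended that deployments enable SSL for true encryption.

Applications may also wish to persist GuardedString. In the case of Identity Manager, it should convert GuardedStrings to EncryptedData so that they can be stored and managed using the Manage Encryption features of Identity Manager. Other applications may wish to serialize APIConfiguration as a whole. These applications are responsible for encrypting the APIConfiguration blob for an additional layer of security (beyond the basic default key encryption provided by GuardedString).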
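The in-memory part of the approach described in the answer above (characters held encrypted under a randomly generated key and decrypted only for the duration of a callback), as an added Java example. It is not code from the page, from Oracle, or from GuardedString; the class name `EncryptedSecret`, its `access` callback and the choice of AES-GCM are assumptions made for illustration.

```java
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.*;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;
import java.util.function.Consumer;

/** Hypothetical class (not GuardedString itself): secret kept AES-GCM encrypted on the heap. */
public final class EncryptedSecret {
    private final SecretKey key;             // random per-instance key, never persisted
    private final byte[] iv = new byte[12];  // GCM nonce, used once with this key
    private final byte[] ciphertext;

    /** Encrypts the secret, then zeroes the caller's array and the temporary UTF-8 copy. */
    public EncryptedSecret(char[] secret) throws GeneralSecurityException {
        KeyGenerator generator = KeyGenerator.getInstance("AES");
        generator.init(128);
        key = generator.generateKey();
        new SecureRandom().nextBytes(iv);
        ByteBuffer utf8 = StandardCharsets.UTF_8.encode(CharBuffer.wrap(secret));
        try {
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
            ciphertext = cipher.doFinal(utf8.array(), 0, utf8.limit());
        } finally {
            Arrays.fill(utf8.array(), (byte) 0);
            Arrays.fill(secret, '\0');
        }
    }
    /** Decrypts into a temporary char[], passes it to the callback, then zeroes every copy. */
    public void access(Consumer<char[]> callback) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] utf8 = cipher.doFinal(ciphertext);
        CharBuffer decoded = StandardCharsets.UTF_8.decode(ByteBuffer.wrap(utf8));
        char[] clear = Arrays.copyOfRange(decoded.array(), 0, decoded.limit());
        try {
            callback.accept(clear);
        } finally {
            Arrays.fill(utf8, (byte) 0);
            Arrays.fill(decoded.array(), '\0');
            Arrays.fill(clear, '\0');
        }
    }
    public static void main(String[] args) throws GeneralSecurityException {
        char[] password = {'s', '3', 'c', 'r', 'e', 't'};  // constructed sample value
        new EncryptedSecret(password).access(c -> System.out.println("length: " + c.length));
    }
}
```

The key lives on the same heap as the ciphertext, so this shortens how long the cleartext is resident and keeps it out of a casual heap dump; it does not protect against someone who can read the whole process memory.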

慕尼黑5688855

I modified the OWASP version to randomly pad the char array in memory, so that the char array at rest is not stored with the actual characters.

```java
import java.security.SecureRandom;
import java.util.Arrays;

/**
 * This is not a string but a CharSequence that can be cleared of its memory.
 * Important for handling passwords. Represents text that should be kept
 * confidential, such as by deleting it from computer memory when no longer
 * needed or garbage collected.
 */
public class SecureString implements CharSequence {

   private final int[] chars;
   private final int[] pad;

   public SecureString(final CharSequence original) {
      this(0, original.length(), original);
   }

   public SecureString(final int start, final int end, final CharSequence original) {
      final int length = end - start;
      pad = new int[length];
      chars = new int[length];
      scramble(start, length, original);
   }

   @Override
   public char charAt(final int i) {
      return (char) (pad[i] ^ chars[i]);
   }

   @Override
   public int length() {
      return chars.length;
   }

   @Override
   public CharSequence subSequence(final int start, final int end) {
      return new SecureString(start, end, this);
   }

   /**
    * Convert array back to String but not using toString(). See toString() docs
    * below.
    */
   public String asString() {
      final char[] value = new char[chars.length];
      for (int i = 0; i < value.length; i++) {
         value[i] = charAt(i);
      }
      return new String(value);
   }

   /**
    * Manually clear the underlying array holding the characters
    */
   public void clear() {
      Arrays.fill(chars, '0');
      Arrays.fill(pad, 0);
   }

   /**
    * Protect against using this class in log statements.
    * <p>
    * {@inheritDoc}
    */
   @Override
   public String toString() {
      return "Secure:XXXXX";
   }

   /**
    * Called by garbage collector.
    * <p>
    * {@inheritDoc}
    */
   @Override
   public void finalize() throws Throwable {
      clear();
      super.finalize();
   }

   /**
    * Randomly pad the characters to not store the real character in memory.
    *
    * @param start start of the {@code CharSequence}
    * @param length length of the {@code CharSequence}
    * @param characters the {@code CharSequence} to scramble
    */
   private void scramble(final int start, final int length, final CharSequence characters) {
      final SecureRandom random = new SecureRandom();
      // Index the internal arrays from 0 and the source from start, so that
      // subSequence() with a non-zero start copies the right characters.
      for (int i = 0; i < length; i++) {
         final char charAt = characters.charAt(start + i);
         pad[i] = random.nextInt();
         chars[i] = pad[i] ^ charAt;
      }
   }
}
```