Java equivalent of SecureString


Problem description

I'm looking for Java's equivalent of .NET's SecureString. Is there such an implementation available in 2018?

The OWASP implementation is not exactly the same because it's just a plain char array, while the .NET equivalent provides additional features such as the ability to get an instance from/to unmanaged memory, and also encryption.

I'm aware of the common Java pattern to pass around passwords as char[] and Arrays.fill() them with zeros after use. But it requires building a trivial utility class around char[] all the time.

Recommended answer

Oracle has a GuardedString implementation. It is the closest match to .NET's SecureString solution.

Secure string implementation that solves the problems associated with keeping passwords as java.lang.String. That is, anything represented as a String is kept in memory as a clear text password and stays in memory at least until it is garbage collected.

The GuardedString class alleviates this problem by storing the characters in memory in an encrypted form. The encryption key will be a randomly-generated key.

In their serialized form, GuardedStrings will be encrypted using a known default key. This is to provide a minimum level of protection regardless of the transport. For communications with the Remote Connector Framework it is recommended that deployments enable SSL for true encryption.

Applications may also wish to persist GuardedString. In the case of Identity Manager, it should convert GuardedStrings to EncryptedData so that they can be stored and managed using the Manage Encryption features of Identity Manager. Other applications may wish to serialize APIConfiguration as a whole. These applications are responsible for encrypting the APIConfiguration blob for an additional layer of security (beyond the basic default key encryption provided by GuardedString).
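The two ideas in this thread, the char[] plus Arrays.fill() pattern from the question and the "encrypted in memory under a randomly generated key" approach the answer describes, can be combined in a small wrapper. The following is an added example, not code from the post or from Oracle's GuardedString; the class name SecretChars and its access()/close() methods are hypothetical.

```java
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.function.Consumer;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical SecretChars (not GuardedString): secret is held AES-GCM encrypted in memory.
public final class SecretChars implements AutoCloseable {
    private final byte[] key = new byte[16], iv = new byte[12];  // random, per instance
    private final byte[] sealed;                                 // ciphertext + GCM tag

    public SecretChars(char[] clear) throws GeneralSecurityException {
        SecureRandom rng = new SecureRandom();
        rng.nextBytes(key);
        rng.nextBytes(iv);
        ByteBuffer plain = ByteBuffer.allocate(clear.length * 2);
        plain.asCharBuffer().put(clear);
        try {
            sealed = crypt(Cipher.ENCRYPT_MODE, plain.array());
        } finally {
            Arrays.fill(plain.array(), (byte) 0);
            Arrays.fill(clear, '\0');          // wipe the caller's copy too
        }
    }

    private byte[] crypt(int mode, byte[] in) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, iv));
        return c.doFinal(in);
    }

    // Clear text exists only for the duration of the callback, then is zeroed.
    public void access(Consumer<char[]> user) throws GeneralSecurityException {
        byte[] plain = crypt(Cipher.DECRYPT_MODE, sealed);
        char[] clear = new char[plain.length / 2];
        ByteBuffer.wrap(plain).asCharBuffer().get(clear);
        try {
            user.accept(clear);
        } finally {
            Arrays.fill(plain, (byte) 0);
            Arrays.fill(clear, '\0');
        }
    }

    @Override public void close() {            // after this the secret is unrecoverable
        Arrays.fill(key, (byte) 0);
        Arrays.fill(sealed, (byte) 0);
    }
}
```

Used in a try-with-resources block, the key and ciphertext are wiped when the block exits. SecretKeySpec keeps its own copy of the key bytes until it is garbage collected, so this shortens the window in which clear text is recoverable from a heap dump rather than closing it.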
