[Cryptography] Heartbleed and fundamental crypto programming practices

Twan van der Schoot nanitous at xs4all.nl
Fri Apr 11 21:30:14 EDT 2014


Hi Ian,

Probably stating the obvious, but it appears that Java Swing already provides a Swing component for passwords including a note how to erase the content of a pwd holding variable asap:

http://docs.oracle.com/javase/tutorial/uiswing/components/passwordfield.html

And it returns pwds in a char[] to boot! 

http://docs.oracle.com/javase/tutorial/displayCode.html?code=http://docs.oracle.com/javase/tutorial/uiswing/examples/components/PasswordDemoProject/src/components/PasswordDemo.java

I wouldn't use byte[] to store user input, rather char[], because you don't want to handle all possible input methods like German, Dutch, English, Arabic, Traditional and Simplified Chinese. If you insist on using byte[], there are plenty of ways to do it right and quick.

/Twan

On 11 apr. 2014, at 23:02, ianG <iang at iang.org> wrote:

> Hi Twan,
> 
> On 11/04/2014 13:39 pm, Twan van der Schoot wrote:
>> Why not designed your system around StringBuffer rather than String. 
>> 
>> It has the advantage that its access is synchronized. If you need the access speed (which I sincerely doubt), use StringBuilder, its functionality is similar to StringBuffer, but not sync'ed.
> 
> 
> No, the problem is precisely *not choice* in that in order to get a
> SWING element, one has to use the SWING methods available.  In this
> context, the JTextField.getText() returns a String.
> 
> 
>> On 11 apr. 2014, at 15:57, ianG <iang at iang.org> wrote:
>> 
>>> On 10/04/2014 07:15 am, Jerry Leichter wrote:
>>> 
>>>> ...Also, since String's are immutable in Java, you have the problem that even if you know you've got sensitive data you no longer need stored in a String ... there's   nothing you can do to get rid of it.)
>>> 
>>> That problem - exactly, does anyone know a solution in Java to cleansing
>>> Strings?
>>> 
>>> (I write the password, etc code in byte[] but sometimes one has to have
>>> a String, such as asking the user for some input, .. like a password.)
>> 
>> Using which interface?
> 
> 
> OK, I suppose I could further investigate SWING and see if there is a
> class that gives better byte[] access, etc.
> 
> iang
> 



More information about the cryptography mailing list