How do I zero-ise a secret key in Java?

南方客 2020-12-16 05:22

Is the following Java code sufficient for clearing the secret key in memory (setting all of its byte values to 0)?

zerorize(SecretKey key)
{
    byte[] rawKey         


        
8 answers
  •  遥遥无期
    2020-12-16 05:48

    Depending on the technology powering the garbage collector, any single object may be moved (i.e. copied) in physical memory at any time, so you cannot be sure that you will really destroy the key by zeroing an array -- assuming that you can access "the" array which holds the key, and not a copy thereof.

    In shorter words: if your security model and context call for zeroing keys, then you should not use Java at all (or just about anything but C and assembly).
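
The "copy thereof" point above can be observed directly. This is an added example, not code from the question or the answer; it assumes the key is a `javax.crypto.spec.SecretKeySpec` (the page does not say which implementation is used), and the class name `ZeroizeDemo` and the key bytes are constructed for illustration. It shows that wiping the array returned by `getEncoded()` leaves the key's internal material untouched, and checks whether the implementation supports `destroy()`; neither step addresses copies the garbage collector may have left behind.

```java
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.DestroyFailedException;
import java.util.Arrays;

public class ZeroizeDemo {
    // True only if every byte in the array is zero.
    static boolean allZero(byte[] b) {
        for (byte x : b) {
            if (x != 0) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample key material (16 bytes of 0x41), not a real key.
        byte[] raw = new byte[16];
        Arrays.fill(raw, (byte) 0x41);
        SecretKey key = new SecretKeySpec(raw, "AES"); // constructor clones raw

        // The caller's buffer can be wiped, but it is only one of the copies.
        Arrays.fill(raw, (byte) 0);

        // SecretKeySpec.getEncoded() returns a fresh clone on every call,
        // so zeroing the returned array does not touch the key itself.
        byte[] copy = key.getEncoded();
        Arrays.fill(copy, (byte) 0);
        byte[] again = key.getEncoded();
        System.out.println("wiped copy is all zero:     " + allZero(copy));
        System.out.println("key still returns material: " + !allZero(again));
        Arrays.fill(again, (byte) 0); // do not leave yet another copy around

        // SecretKey extends Destroyable; the interface default throws
        // DestroyFailedException unless the implementation overrides it.
        try {
            key.destroy();
            System.out.println("destroy() succeeded, isDestroyed=" + key.isDestroyed());
        } catch (DestroyFailedException e) {
            System.out.println("destroy() not supported by " + key.getClass().getName());
        }
    }
}
```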
