Is the following Java code sufficient for clearing the secret key in memory (setting all of its byte values to 0)?

```java
void zerorize(SecretKey key)
{
    byte[] rawKey = key.getEncoded();
    Arrays.fill(rawKey, (byte) 0);
}
```

In other words, does the getEncoded method return a copy or a reference to the actual key?
key.getEncoded() will return a reference to an array.
Whether the content of the key is discarded when you do the Arrays.fill depends on whether or not the key is backed by the returned array. Given the documentation, it seems to me as if the encoding of the key is another representation of the key, i.e., that the key is not backed by the returned array.
It's easy to find out though. Try the following:
```java
byte[] rawKey = key.getEncoded();
Arrays.fill(rawKey, (byte) 0);
byte[] again = key.getEncoded();
// Log.d needs a tag and a String message; "true" means the key was backed by rawKey.
Log.d("KeyCheck", String.valueOf(Arrays.equals(rawKey, again)));
```
If the output is false, you know that the key is still stored in SecretKey.
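The check above, carried through as a self-contained program (an added example, not code from either post). It assumes the standard `javax.crypto.spec.SecretKeySpec` as shipped in OpenJDK, whose constructor and `getEncoded()` both clone the byte array, and it also tries the `Destroyable.destroy()` path that `SecretKey` exposes since Java 8. The class name `KeyZeroizeCheck` and the method names are my own. A different provider's `SecretKey` implementation may behave differently, which is exactly why running the check against the key type you actually use is worthwhile.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.DestroyFailedException;

public class KeyZeroizeCheck {

    // Returns true only if zeroing the array from getEncoded() also cleared
    // the key, i.e. the key object is backed by that array.
    static boolean zeroingEncodedClearsKey(SecretKey key) {
        byte[] rawKey = key.getEncoded();
        Arrays.fill(rawKey, (byte) 0);
        byte[] again = key.getEncoded();
        return Arrays.equals(rawKey, again);
    }

    // Returns true if the runtime actually supports destroy() for this key
    // type. The Destroyable default implementation throws, so most plain
    // SecretKeySpec keys report false here.
    static boolean tryDestroy(SecretKey key) {
        try {
            key.destroy();
            return key.isDestroyed();
        } catch (DestroyFailedException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample key material; never reuse a hard-coded key.
        byte[] material = new byte[16];
        new SecureRandom().nextBytes(material);
        SecretKey key = new SecretKeySpec(material, "AES");

        // The SecretKeySpec constructor copies 'material' (assumption: OpenJDK
        // behaviour), so zeroing the array we own does not touch the key's copy.
        Arrays.fill(material, (byte) 0);
        boolean constructorCopied = !Arrays.equals(material, key.getEncoded());

        boolean encodedBacksKey = zeroingEncodedClearsKey(key);
        boolean destroyed = tryDestroy(key);

        System.out.println("constructor copied the input array : " + constructorCopied);
        System.out.println("zeroing getEncoded() cleared the key: " + encodedBacksKey);
        System.out.println("destroy() supported                  : " + destroyed);
    }
}
```

With the OpenJDK `SecretKeySpec` the three lines print `true`, `false`, `false`: the key object holds its own private copy that neither the caller's array nor the `getEncoded()` result can reach, and `destroy()` is not implemented. The practical consequence for a defender is that the only bytes you can reliably wipe are the ones in arrays you own, so keep the raw key material in your own `byte[]`, zero it as soon as the `SecretKey` has been constructed or the operation is finished, and accept that the copy inside a `SecretKeySpec` stays in the heap until it is garbage collected. Where that residue matters, prefer a key that lives in a keystore or hardware-backed provider and never exposes its encoding at all.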