secret-key

Is the following java code sufficient for clearing the secret key in memory (setting all of its byte value to 0)? zerorize(SecretKey key) { byte[] rawKey = key.getEncoded(); Arrays.fill(rawKey, (byte) 0); } In other words, does the getEncoded method return a copy or reference to the actual key? If a copy is returned, then how can I clear the secret key as a security measure? Before trying to clear the key, you should check first if the implementation of the SecretKey interface also implements the javax.security.auth.Destroyable interface. If so, prefer that of course. getEncoded() seems to

I am new to Rails 4, and do not understand the use of secret_key_base under config/secrets.yml in Rails 4. Can you please explain this concept? Also, when I am working in the production environment, I am prompted to set the secret_key with devise.rb , config.secret_key , and secret_key_base . However, I can generate a new secret using the rake secret command. What is the difference between development and production environments? How is it matching the newly generated secret_key when I add it with secret_key_base every time I generate? How is it securing the application with other servers? The

How can I hide my passwords and other sensitive environment variables on-screen in Laravel's whoops output? Sometimes other people are looking at my development work. I don't want them to see these secrets if an exception is thrown, but I also don't want to have to keep toggling debug on and off, or spin up a dedicated site just for a quick preview. As of Laravel 5.5.13, there's a new feature that allows you to blacklist certain variables in config/app.php under the key debug_blacklist . When an exception is thrown, whoops will mask these values with asterisks * for each character. For example

I know that a public client shouldn't use a client secret because, no matter how much you obfuscate it, it won't be protected from reverse engineering . But, the people in charge of the service I am authenticating to don't want to/can't change it. So, I need to store the client secret and try to protect it from reverse engineering as much as I can. So, I thought of encrypting it using at build time using gradle and store it in a file. Then, when I need it at run time I decrypt it. But now I have to solve the problem of how to store the encryption key ... I don't know much about security, so, I

I am creating a Twitter client for Mac OS X and I have a Consumer secret. It's to my understanding I should not share this secret key. The problem is that when I put it as a string literal into my application and use it, like this: #define QQTwitterConsumerSecret @"MYSECRETYOUMAYNOTKNOW" [[QQTwitterEngine alloc] initWithConsumerKey:QQTwitterConsumerKey consumerSecret:QQTwitterConsumerSecret]; It is in the data section of my application's binary. Hackers can read this, disassemble the application, etcetera. Is there any safe way of storing the Consumer secret? Should I encrypt it? There is no

I'm working on a Java authentication subsystem that specs the storage of passwords in the DB as PBKDF2 -generated hashes, and I'm now trying to decide whether I should use SHA1 or SHA512 as PFR. I went through the specs of both but they are very mathematically intensive for me to follow. Can somebody with better crypto-understanding explain how PBKDF2WithHmacSHA512 differs from PBKDF2WithHmacSHA1 ? Here's what I'm trying to do: private static final int HASH_BYTE_SIZE = 64; // 512 bits private static final int PBKDF2_ITERATIONS = 1000; // generate random salt SecureRandom random = new

I am just starting to think about how api keys and secret keys work. Just 2 days ago I signed up for Amazon S3 and installed the S3Fox Plugin . They asked me for both my Access Key and Secret Access Key, both of which require me to login to access. So I'm wondering, if they're asking me for my secret key, they must be storing it somewhere right? Isn't that basically the same thing as asking me for my credit card numbers or password and storing that in their own database? How are secret keys and api keys supposed to work? How secret do they need to be? Are these applications that use the secret