Skip to content
/ secure-strings Public

Utility for storing passwords in memory encrypted form to prevent heap inspection

License

MIT license
2 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

dwp/secure-strings

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

22 Commits
.dwp
.dwp
 
 
config
config
 
 
gitlab-ci
gitlab-ci
 
 
src
src
 
 
.gitignore
.gitignore
 
 
.gitlab-ci.yml
.gitlab-ci.yml
 
 
.travis.yml
.travis.yml
 
 
CONTRIBUTING.md
CONTRIBUTING.md
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
pom.xml
pom.xml
 
 
renovate.json
renovate.json
 
 

Repository files navigation

secure-strings

Build Status Known Vulnerabilities

This project is to make it easy to store passwords in an encrypted form using a cipher that is constructed inside the application and is different for every instance.

This was created to mitigate the Heap_Inspection vulnerability:-

String variables are immutable - in other words, once a string variable is assigned, its value cannot be changed or removed. Thus, these strings may remain around in memory, possibly in multiple locations, for an indefinite period of time until the garbage collector happens to remove it. Sensitive data, such as passwords, will remain exposed in memory as plaintext with no control over their lifetime.

Breaking Change with Java17

A breaking change is introduced with version 2.0.0 which is Java 17 upgrade.

Jakarta EE 9 a new top-level jakarta package, replacing EE 8’s javax top-level package. For example, the Servlet specification in Jakarta EE 8 uses a javax.servlet package but this has changed to jakarta.servlet in EE 9.

Generally speaking, it’s not possible to mix Java EE and Jakarta EE APIs in the same project. You need to ensure that your own code, as well as all third-party libraries are using jakarta.* package imports.

Project inclusion

properties entry in pom

<properties>
    <dwp.securestrings.version>x.x</dwp.securestrings.version>
</properties>

dependency reference

<dependency>
    <groupId>uk.gov.dwp.crypto</groupId>
    <artifactId>secure-strings</artifactId>
    <version>${dwp.securestrings.version}</version>
</dependency>

Example of use

import uk.gov.dwp.crypto.SecureStrings;
import javax.crypto.SealedObject;

Standard implementation

public class Pojo {
    private SecureStrings secureStrings = new SecureStrings();
    private SealedObject password = null;

    public String getPassword() {
        return secureStrings.revealString(password);
    }

    public void setPassword(String password) {
        this.password = secureStrings.sealString(password);
    }
}

Injected class

public class Pojo {
    private SecureStrings secureStrings = null;
    private SealedObject password = null;

    @Inject
    public Pojo(SecureStrings secureStrings) {
        this.secureStrings = secureStrings;
    }

    public String getPassword() {
        return secureStrings.revealString(password);
    }

    public void setPassword(String password) {
        this.password = secureStrings.sealString(password);
    }
}

About

Utility for storing passwords in memory encrypted form to prevent heap inspection

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

2 stars

Watchers

5 watching

Forks

1 fork
Report repository

Releases 3

release notes Latest
Feb 12, 2019
+ 2 releases

Packages

 
 
 

Languages