Windows上智能卡的java密钥库和密码安全性
[英]java keystore and password security for smartcard on windows
问题描述
http://docs.oracle.com/javase/6/docs/api/java/security/KeyStore.html 
http://docs.oracle.com/javase/6/docs/api/java/security/KeyStore.html
In the code below password is requested to the user by the java application: 在下面的代码中,java应用程序向用户请求密码:
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
// get user password and file input stream
char[] password = getPassword();
java.io.FileInputStream fis =
new java.io.FileInputStream("keyStoreName");
ks.load(fis, password);
fis.close();
Does it mean the application could get my digital certificate password even if it is on a smartcard and potentially use it for something else ? 这是否意味着应用程序可以获得我的数字证书密码,即使它是在智能卡上并可能用于其他东西?
1 个解决方案
解决方案1
2 2012-08-04 12:01:17
Yes, another application with sufficient privileges could read the contents of the password from memory or snoop the password as it is typed into the keyboard. 是的,具有足够权限的另一个应用程序可以从内存中读取密码的内容,或者在输入键盘时隐藏密码。
The code example shows the password stored as a char array, which is recommended practice. 代码示例显示存储为char数组的密码,这是推荐的做法。 Such arrays can be reset to a different value after the password is used, unlike immutable String s. 使用密码后,这些数组可以重置为不同的值,这与不可变的String不同。 This minimises the attack window, but does not remove it. 这可以最小化攻击窗口,但不会将其删除。
Several smart card manufacturers offer external PIN pad devices that ensure the password is delivered directly to the card. 多家智能卡制造商提供外部密码键盘设备,确保密码直接发送到卡上。 You could consider investigating one of these solutions. 您可以考虑调查其中一种解决方案。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.