
Java keystore and password security for smartcard on Windows

http://docs.oracle.com/javase/6/docs/api/java/security/KeyStore.html

In the code below the password is requested from the user by the Java application:

import java.io.FileInputStream;
import java.security.KeyStore;

KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());

// get user password and file input stream
char[] password = getPassword();   // returns char[] rather than String so it can be overwritten later
try (FileInputStream fis = new FileInputStream("keyStoreName")) {
    ks.load(fis, password);        // password checks the keystore integrity and decrypts it
}

Does this mean the application could get my digital certificate password even if it is on a smartcard, and potentially use it for something else?

Yes, another application with sufficient privileges could read the contents of the password from memory or snoop the password as it is typed on the keyboard.

The code example shows the password stored as a char array, which is recommended practice. Such arrays can be reset to a different value after the password is used, unlike immutable Strings. This minimises the attack window, but does not remove it.

Several smart card manufacturers offer external PIN pad devices that ensure the password is delivered directly to the card. You could consider investigating one of these solutions.
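The two routes the answer describes, as an added example that is not code from the question or the answer: the first method loads a file keystore with the password held only as char[] and wipes every copy of it in a finally block (note that KeyStore.PasswordProtection clones the array, so its destroy() is needed for the second copy); the second method uses the SunMSCAPI "Windows-MY" keystore, where no password is passed to Java at all and the smart card CSP on Windows shows the PIN prompt itself, so the PIN and the private key never enter the JVM heap. It assumes a JDK 8 or later on Windows with the SunMSCAPI provider, that the keystore and key use the same password, and the aliases and file path are taken from the command line.

```java
import java.io.Console;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.PrivateKey;
import java.security.Signature;
import java.util.Arrays;
import javax.security.auth.DestroyFailedException;

/** Added example: wiping a char[] keystore password versus letting Windows hold the smart card PIN. */
public class KeyStorePinDemo {

    /**
     * Software keystore (JKS/PKCS12 file): the application has to hold the
     * password in memory while load() and getEntry() run. Both arrays are
     * overwritten afterwards, on success and on failure alike.
     */
    static PrivateKey loadFromFile(Path file, String alias,
                                   char[] storePass, char[] keyPass)
            throws IOException, GeneralSecurityException {
        // PasswordProtection clones keyPass, so destroy() below wipes that clone
        KeyStore.PasswordProtection prot = new KeyStore.PasswordProtection(keyPass);
        try (InputStream in = Files.newInputStream(file)) {
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            ks.load(in, storePass);                      // integrity check and decryption
            KeyStore.Entry entry = ks.getEntry(alias, prot);
            if (!(entry instanceof KeyStore.PrivateKeyEntry)) {
                throw new KeyStoreException("no private key under alias " + alias);
            }
            return ((KeyStore.PrivateKeyEntry) entry).getPrivateKey();
        } finally {
            Arrays.fill(storePass, '\0');                // narrows the window, cannot close it
            Arrays.fill(keyPass, '\0');
            try { prot.destroy(); } catch (DestroyFailedException ignored) { }
        }
    }

    /**
     * Windows: use the SunMSCAPI "Windows-MY" keystore instead of a file.
     * No password reaches Java; for a certificate on a smart card the CSP
     * or minidriver displays the PIN dialog and the key stays on the card.
     * Signing goes through the same provider, so the key bytes are never
     * in the JVM heap either.
     */
    static byte[] signWithWindowsKey(String alias, byte[] data)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
        ks.load(null, null);                             // no password: Windows enforces access
        PrivateKey key = (PrivateKey) ks.getKey(alias, null);
        if (key == null) {
            throw new KeyStoreException("no private key under alias " + alias);
        }
        Signature sig = Signature.getInstance("SHA256withRSA", "SunMSCAPI");
        sig.initSign(key);                               // any PIN prompt is raised by Windows here
        sig.update(data);
        return sig.sign();
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 2 && args[0].equals("windows")) {
            byte[] sig = signWithWindowsKey(args[1], "hello".getBytes(StandardCharsets.UTF_8));
            System.out.println("signature length: " + sig.length);
            return;
        }
        if (args.length != 2) {
            System.err.println("usage: KeyStorePinDemo <keystore-file> <alias>  |  windows <alias>");
            return;
        }
        Console console = System.console();
        if (console == null) {
            System.err.println("run from an interactive console so the password is not echoed");
            return;
        }
        // readPassword() returns char[] and suppresses echo; a keylogger still sees the keystrokes
        char[] storePass = console.readPassword("Keystore password: ");
        char[] keyPass = storePass.clone();              // assumption: same password for store and key
        PrivateKey key = loadFromFile(Paths.get(args[0]), args[1], storePass, keyPass);
        System.out.println("loaded " + key.getAlgorithm() + " key; password arrays wiped: "
                + Arrays.equals(storePass, new char[storePass.length]));
    }
}
```

Run it as `java KeyStorePinDemo mystore.p12 mykey` for the file case or `java KeyStorePinDemo windows mykey` on a Windows machine with the certificate in the user's personal store. The file route still leaves the password readable by a keylogger or a debugger attached to the process while it is in use; the Windows-MY route moves that exposure out of the Java process entirely, which is why an external PIN pad, where the PIN goes straight to the card, is the stronger option.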

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM