Heap Inspection fix in OpenPGP Library for Java

A memory dump of the Java Virtual Machine can reveal passwords stored in class members in clear text (String variables, char arrays, etc.) and until recently DidiSoft OpenPGP Library for Java was impacted by this security threat. Thanks to a hint from an Intel team we have made steps in order to fix those issues. The two classes that were affected were com.didisoft.pgp.KeyStore and com.didisoft.pgp.net.LDAPClient.

As of version 3.1.3 of the library all passwords available as class member variables are stored in javax.crypto.SealedObject. The class constructors you are already familiar with, still have a minimal security concern that the encryption key is a class member, although being a secure random value randomized at each instantiation.

Version 3.1.3 introduces constructors with on demand password encryption key

The new thing in version 3.1.3 are the additional class constructors that provide a thorough security measure in keeping the SealedObject encryption key in a Listener interface implementation, provided as parameter. The interface has only one simple method that must provide the encryption key (AES) :

public interface ICustomKeyListener {
	/**
	 * Returns the bytes of the encryption key used for securing a {@link SealedObject} 
	 * 
	 * @param sender class instance invoking this method
	 * @return encryption key used for securing a {@link SealedObject}
	 */
	public byte[] getKey(Object sender);
}

The returned key doesn’t have to align with any of the supported AES key sizes (128, 192, 256 bits), because it will be hashed and padded internally. You can provide even shorter keys (although not recommended) like : new byte[] { 1, 2, 3, }

Here is a simple implementation demonstrated with the additional KeyStore class constructor:

KeyStore ks = new KeyStore("my.keystore", "password", new ICustomKeyListener() {			
	public byte[] getKey(Object sender) {
		return new byte[] { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14. 15, 16 };
	}
});

Note: Of course in a real world scenario probably the method will return a configuration value from a settings property file.

The same usage scenario applied to the LDAPClient class.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Heap Inspection fix in OpenPGP Library for Java

Contact Us

Announcements

Subscribe for Updates