One Java question every day [1]
Q: What are the advantages of char[] compared with String?
Answer:
For highly sensitive, confidential information, char[] is better than String, because a String cannot be changed. Even if you "modify" the original variable, you actually create a new object in memory, and the original data stays in memory, waiting to be garbage-collected. The elements of a char[] can be modified. This means that you can overwrite the password or other confidential information immediately after you have finished using it, without leaving any trace. This provides better security than String. It can be seen from the example below that after a char[] is changed it is still the same object, whereas the String is no longer the original String.
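The comparison described above, written out as an added example (it is not code from the original post or from the quoted Zhihu answer). The class name, the method name `hashAndWipe` and the sample password are constructed for illustration, and SHA-256 only stands in for the hash step.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

public class PasswordWipeDemo {

    // Hash the password without ever building a String, then zero every
    // buffer that held plaintext, even if hashing throws.
    static byte[] hashAndWipe(char[] password) throws NoSuchAlgorithmException {
        ByteBuffer encoded = StandardCharsets.UTF_8.encode(CharBuffer.wrap(password));
        byte[] bytes = new byte[encoded.remaining()];
        encoded.get(bytes);
        try {
            // SHA-256 only stands in for the hash step; a real password
            // store would use a salted, deliberately slow KDF.
            return MessageDigest.getInstance("SHA-256").digest(bytes);
        } finally {
            Arrays.fill(bytes, (byte) 0);
            if (encoded.hasArray()) {
                Arrays.fill(encoded.array(), (byte) 0);
            }
            Arrays.fill(password, '\0');
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample value. A literal like this stays in the JVM's
        // string pool, so real code should take the char[] from a source
        // such as Console.readPassword() instead.
        String original = "correct-horse-sample";
        String modified = original.replace('c', 'x'); // returns a new String
        System.out.println("String is same object after change: " + (modified == original));
        System.out.println("old String still readable: " + original);

        char[] pw = original.toCharArray();
        byte[] digest = hashAndWipe(pw);              // wipes pw in place
        System.out.println("same char[] now all zero: " + Arrays.equals(pw, new char[pw.length]));
        System.out.println("digest bytes: " + digest.length);
    }
}
```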
Reference:
On Zhihu, this post has a very good answer. I will quote it below:
Author: zhihu user
Link: https://www.zhihu.com/question/36734157/answer/68767786
Source: zhihu
Copyright belongs to the author. For commercial reprint, please contact the author for authorization. For non-commercial reprint, please indicate the source.
Original answer
==================================
The handler makes it clear that although the variable can be thrown away after the String has been loaded with the password, the String will not be recycled immediately by the GC. If the process is dumped before the GC gets to this String, the dump will contain the plaintext string.
If I "modify" the string, for example by assigning it a new value, isn't that enough?
The answer is no, because the String itself cannot be modified. Any String-based modification function returns a new String, and the original one will still be in memory.
For char[], you can directly modify its content before discarding it, so that the password no longer exists. However, if you do nothing and hand it directly to the GC, the above problem will also exist.
Some great gods say this is unfounded.
These so-called gods probably have no security knowledge, which is very common.
FAQ
======================================
1. What is the significance of this practice?
If the GC does not clear it in time, the exposure window is on the order of seconds. If it can be cleared immediately after the HASH calculation, the exposure window is on the order of microseconds. Such a simple design can reduce the probability of being attacked, and the cost-effectiveness is very high.
2. How can reflection be used to modify the String? What is the difference and risk compared with modifying char[]?
The reflection mechanism allows you to access the internal members of a String, so that you can directly modify its data area. However, this approach may cause problems. To improve HASH speed and save space, Strings with the same value usually have only one instance.
You can modify your own char[] without any side effects. But the char[] inside a String may be shared by multiple Strings. If you modify it, it will affect the other Strings. For example, the password is "Password", and the text you enter in the Password box is "Password". Changing the first "Password" will also change the latter one.
3. What should I do if I do not want to see any plain text?
To ensure that "no plaintext password is available in any processing step", the underlying API needs to HASH your password before it is used, and this HASH algorithm is the one you want. It is best to add salt. However, this only keeps the user program ignorant of the plaintext; whether the underlying layer holds plaintext when it acquires the password cannot be guaranteed.
4. Are there any absolute security policies?
Security is often relative to the attack cost. The higher the attack income, the more likely the hacker is to accept a high attack cost. Therefore, your security policy should match the attack benefits. For extremely sensitive and valuable data sources, great effort needs to be made to ensure security. Currently, there is no absolute security, only relative security.