Class | Description
---|---
Keyring | Client class for working with stored keys (such as passwords).
Rather than requiring every module in a NetBeans-based application that needs to store passwords for repeated access to write them to some file on disk using Base64 encoding or similar, this API lets passwords be stored securely.
Several platform-specific implementations of password storage are currently available in a separate module, org.netbeans.modules.keyring.impl; these offer the best combination of security and convenience.
If none of these can be loaded, a fallback implementation is used which encrypts stored passwords under a single master password, as in e.g. Firefox. The user must pick a master password and then enter it once per session, the first time the keyring is accessed.
Java's PBEWithSHA1AndDESede algorithm (password-based encryption with SHA-1 and 3-DES) is used to encrypt passwords; a random per-user salt is generated with SecureRandom. This is a legacy PKCS #12 construction, so the strength of the chosen master password is the real security margin of the fallback.
In addition to the passwords you ask to save, a sample string is stored so that an entered master password can be verified: the sample must decrypt successfully (wrong passwords usually fail the padding check), and the decrypted value must begin with a fixed magic sequence, the remainder having been generated randomly with UUID. The second check matters because a wrong key can produce valid padding by chance.
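To make the fallback scheme concrete, here is an added, self-contained Java sketch of the master-password check described above. It is illustrative code written for this page, not the NetBeans implementation: it derives a PBEWithSHA1AndDESede key from the master password with a SecureRandom salt, stores an encrypted sample made of a magic prefix plus a UUID, and accepts a candidate master password only if the sample decrypts and starts with the magic prefix. The entry name __sample__, the magic string, the iteration count, and the in-memory Map standing in for the on-disk file are assumptions.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

/** Illustrative master-password store; not the NetBeans implementation. */
public class MasterPasswordKeyringDemo {

    private static final String ALGORITHM = "PBEWithSHA1AndDESede";
    private static final String SAMPLE_KEY = "__sample__";   // assumed name of the verification entry
    private static final String MAGIC = "keyring-check:";     // assumed magic prefix; any fixed string works
    private static final int ITERATIONS = 4096;               // assumed PBE iteration count

    private final byte[] salt = new byte[8];                  // per-user random salt
    private final Map<String, byte[]> store = new HashMap<>(); // key -> ciphertext, stands in for the file on disk

    public MasterPasswordKeyringDemo() {
        new SecureRandom().nextBytes(salt);
    }

    /** Called once when the user picks a master password: stores the encrypted verification sample. */
    public void initialize(char[] masterPassword) throws GeneralSecurityException {
        char[] sample = (MAGIC + UUID.randomUUID()).toCharArray();
        try {
            store.put(SAMPLE_KEY, encrypt(masterPassword, sample));
        } finally {
            Arrays.fill(sample, '\0');
        }
    }

    /** True only if the candidate password decrypts the sample AND the plaintext starts with MAGIC. */
    public boolean verify(char[] masterPassword) throws GeneralSecurityException {
        byte[] sampleCipher = store.get(SAMPLE_KEY);
        if (sampleCipher == null) {
            return false;
        }
        char[] plain;
        try {
            plain = decrypt(masterPassword, sampleCipher);
        } catch (BadPaddingException e) {
            return false; // a wrong password almost always yields invalid PKCS#5 padding
        }
        try {
            return startsWithMagic(plain); // padding can be valid by chance, so check the prefix too
        } finally {
            Arrays.fill(plain, '\0');
        }
    }

    public void save(char[] masterPassword, String key, char[] password) throws GeneralSecurityException {
        store.put(key, encrypt(masterPassword, password));
    }

    /** Returns a fresh char[] the caller owns and should zero when done; null if nothing is stored. */
    public char[] read(char[] masterPassword, String key) throws GeneralSecurityException {
        byte[] c = store.get(key);
        return c == null ? null : decrypt(masterPassword, c);
    }

    private static boolean startsWithMagic(char[] plain) {
        if (plain.length < MAGIC.length()) {
            return false;
        }
        for (int i = 0; i < MAGIC.length(); i++) {
            if (plain[i] != MAGIC.charAt(i)) {
                return false;
            }
        }
        return true;
    }

    private byte[] encrypt(char[] masterPassword, char[] plain) throws GeneralSecurityException {
        byte[] bytes = toBytes(plain);
        try {
            return cipher(Cipher.ENCRYPT_MODE, masterPassword).doFinal(bytes);
        } finally {
            Arrays.fill(bytes, (byte) 0);
        }
    }

    private char[] decrypt(char[] masterPassword, byte[] cipherText) throws GeneralSecurityException {
        byte[] bytes = cipher(Cipher.DECRYPT_MODE, masterPassword).doFinal(cipherText);
        try {
            return toChars(bytes);
        } finally {
            Arrays.fill(bytes, (byte) 0);
        }
    }

    /** Derives the PBE key from the master password and the stored salt. */
    private Cipher cipher(int mode, char[] masterPassword) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(masterPassword);
        try {
            SecretKey key = SecretKeyFactory.getInstance(ALGORITHM).generateSecret(spec);
            Cipher c = Cipher.getInstance(ALGORITHM);
            c.init(mode, key, new PBEParameterSpec(salt, ITERATIONS));
            return c;
        } finally {
            spec.clearPassword(); // the key object holds its own copy
        }
    }

    // UTF-8 conversion that zeroes the buffer it can reach; copies made inside the
    // encoder are out of reach, which is exactly the Java limitation the text describes.
    private static byte[] toBytes(char[] chars) {
        ByteBuffer bb = StandardCharsets.UTF_8.encode(CharBuffer.wrap(chars));
        byte[] out = Arrays.copyOf(bb.array(), bb.limit());
        Arrays.fill(bb.array(), (byte) 0);
        return out;
    }

    private static char[] toChars(byte[] bytes) {
        CharBuffer cb = StandardCharsets.UTF_8.decode(ByteBuffer.wrap(bytes));
        char[] out = Arrays.copyOf(cb.array(), cb.limit());
        Arrays.fill(cb.array(), '\0');
        return out;
    }

    public static void main(String[] args) throws Exception {
        MasterPasswordKeyringDemo kr = new MasterPasswordKeyringDemo();
        char[] master = "correct horse".toCharArray(); // constructed demo value
        kr.initialize(master);
        kr.save(master, "svn.example.com", "s3cret".toCharArray());
        System.out.println("right master password accepted: " + kr.verify(master));
        System.out.println("wrong master password rejected: " + !kr.verify("wrong".toCharArray()));
        char[] pw = kr.read(master, "svn.example.com");
        try {
            System.out.println("read back " + pw.length + " chars");
        } finally {
            Arrays.fill(pw, '\0');
            Arrays.fill(master, '\0');
        }
    }
}
```

The sample entry is what turns "decryption did not throw" into a real password check: DESede in CBC mode with PKCS#5 padding rejects most wrong keys at the padding step, but about one wrong key in 256 produces valid padding and garbage plaintext, and the magic prefix catches that case.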
The files in the user directory relating to this fallback keyring are marked go-w on Unix systems, to discourage brute-force cracking attempts on multiuser machines. Note that go-w removes write permission for group and others but not read permission, so confidentiality of these files still depends on the permissions of the user directory itself.
If even master password encryption is unavailable, due to missing security providers, or a headless AWT which makes dialogs impossible, or simply because the implementation module is not available, then a trivial implementation is used which just keeps passwords in memory for the duration of the JVM session.
Since Java lacks any API for secure non-pageable memory, please consider the following recommendations when working with passwords in memory:
- Do not hold a password longer than necessary: call Keyring.read(java.lang.String), pass it on, and do not retain it.
- Use char[] in preference to String where possible. This API works with char[] only.
- Clear (zero out) a char[] password if you know you are done with it.
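The recommendations above applied in an added example, which is not NetBeans code: a helper that obtains a password with Keyring.read, hands it to the caller for the duration of a single call and then zeroes it, plus a prompt that keeps the user's input as char[] (via JPasswordField.getPassword) instead of a String. The key name, the description text and the PasswordUser interface are assumptions; that Keyring.save makes its own copy of the array before returning is also assumed here, so check the javadoc of the release you target. As the text describes, a JVM without an implementation module falls back to in-memory storage, so the main method can be run outside the IDE.

```java
import java.util.Arrays;
import javax.swing.JOptionPane;
import javax.swing.JPasswordField;
import org.netbeans.api.keyring.Keyring;

/** Illustrative use of the Keyring API with char[] hygiene; not NetBeans code. */
public final class CredentialUse {

    /** Hypothetical consumer: receives the password only for the duration of one call. */
    public interface PasswordUser {
        boolean use(char[] password) throws Exception;
    }

    private static final String KEY = "svn.example.com/alice"; // assumed key naming scheme

    /** Reads the stored password, passes it on, and clears it; returns false if none is stored. */
    public static boolean withPassword(String key, PasswordUser user) throws Exception {
        char[] pw = Keyring.read(key);
        if (pw == null) {
            return false;
        }
        try {
            return user.use(pw);   // pass it on ...
        } finally {
            Arrays.fill(pw, '\0'); // ... then zero our copy and drop the reference
        }
    }

    /** Prompts with a JPasswordField so the input never exists as a String. */
    public static void promptAndRemember(String key, String description) {
        JPasswordField field = new JPasswordField();
        int choice = JOptionPane.showConfirmDialog(null, field, description,
                JOptionPane.OK_CANCEL_OPTION);
        if (choice != JOptionPane.OK_OPTION) {
            return;
        }
        char[] pw = field.getPassword(); // char[], not String
        try {
            Keyring.save(key, pw, description);
        } finally {
            Arrays.fill(pw, '\0'); // assumes the keyring copied the array
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo: store a password, then use it without retaining it.
        char[] initial = "s3cret".toCharArray();
        try {
            Keyring.save(KEY, initial, "Subversion password for alice (demo)");
        } finally {
            Arrays.fill(initial, '\0');
        }
        boolean ok = withPassword(KEY, pw -> {
            // An anti-pattern would be new String(pw): it creates an immutable copy
            // that cannot be cleared and lives until garbage-collected.
            return pw.length > 0;
        });
        System.out.println("password available and used: " + ok);
    }
}
```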
See Keyring.read(java.lang.String) and Keyring.save(java.lang.String, char[], java.lang.String) for the behavior of this API.