[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
  Web www.spinics.net

Re: [GNU Crypto] Passwords Immutable?

>>>>> "Bryan" == Bryan Hoover <bhoover@xxxxxxxx> writes:

Bryan> Casey Marshall wrote:
>> Another idea: how about making passwords expirable? After a timeout
>> passes, the object could be automatically destroyed.
>> This could be a standard interface; an abstract class,
>> ExpirableObject, that implements destroyable and, on creation, is
>> registered with a timer that will call destroy() once the timeout
>> elapses.

Bryan> Yeah, good point.  I wasn't sure where to put the destructor
Bryan> call.  As it stands, the destructor is called when the
Bryan> mechanism is reset, in resetMechanism.

Bryan> I assume the objective is to cover for any situation in which
Bryan> resetMechanism is not called -- which could include client side
Bryan> crashing for instance, or just not calling it, which, asfaik is
Bryan> okay in terms of the SASL protocol specification (and perhaps
Bryan> something in addition to this?).

I think in general this sort of class will be useful, too. The idea
behind it being that if the programmer forgets that he has these keys
in memory, they will be wiped out after too long a timeout, in hope
that the memory there would not have been swapped to disk.

Bryan> In any event, in this light, resetMechanism is probably not the
Bryan> best place to put the constructor.

Bryan> So now that you mention it, why not destroy the password as
Bryan> soon as possible?  It's not needed beyond initialization is
Bryan> it?, so once that's done, perhaps that'd be the time to call
Bryan> the destructor.  Looks like that would be right after or within
Bryan> sendPublicKey.

I would say yes. Destroying sensitive data as soon as possible should
be the rule.

Bryan> I note that ClientMechanism implements dispose(), but it is
Bryan> empty, and is not overridden in SRPClient.  Perhaps this would
Bryan> be the place to put the destructor call?  But again, relies on
Bryan> client to make the dispose() call.

Bryan> There's also the ClientStore session timeout which causes the
Bryan> mechanism to be, if you will, ultimately reset -- that is,
Bryan> reset to the extent the session can't be reused.

I must admit that I'm not all that familiar with the SASL classes;
that was Raif's domain.

Attached is my first attempt at an ExpirableObject.

Casey Marshall || csm@xxxxxxx
/* ExpirableObject.java -- an object that is automatically destroyed.
   Copyright (C) 2004 Free Software Foundation, Inc.

This file is part of GNU Crypto.

GNU Crypto is free software; you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the
Free Software Foundation; either version 2, or (at your option) any
later version.

GNU Crypto is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; see the file COPYING.  If not, write to the

   Free Software Foundation Inc.,
   59 Temple Place - Suite 330,
   Boston, MA 02111-1307

Linking this library statically or dynamically with other modules is
making a combined work based on this library.  Thus, the terms and
conditions of the GNU General Public License cover the whole

As a special exception, the copyright holders of this library give you
permission to link this library with independent modules to produce an
executable, regardless of the license terms of these independent
modules, and to copy and distribute the resulting executable under
terms of your choice, provided that you also meet, for each linked
independent module, the terms and conditions of the license of that
module.  An independent module is a module which is not derived from
or based on this library.  If you modify this library, you may extend
this exception to your version of the library, but you are not
obligated to do so.  If you do not wish to do so, delete this
exception statement from your version.  */

package gnu.crypto.util;

import java.util.Timer;
import java.util.TimerTask;

import javax.security.auth.DestroyFailedException;
import javax.security.auth.Destroyable;

 * The base class for objects with sensitive data that are automatically
 * destroyed after a timeout elapses. On creation, an object that extends
 * this class will automatically be added to a {@link Timer} object that,
 * once a timeout elapses, will automatically call the {@link
 * Destroyable#destroy()} method.
 * <p>Concrete subclasses must implement the {@link doDestroy()} method
 * instead of {@link Destroyable#destroy()}; the behavior of that method
 * should match exactly the behavior desired of <code>destroy()</code>.
 * <p>Note that if a {@link DestroyFailedException} occurs when the timeout
 * expires, it will not be reported.
 * @see Destroyable
public abstract class ExpirableObject implements Destroyable

  // Constants and fields.
  // -------------------------------------------------------------------------

   * The default timeout, used in the default constructor.
  public static final long DEFAULT_TIMEOUT = 3600000L;

   * The timer that expires instances.
  private static final Timer EXPIRER = new Timer (true);

   * A reference to the task that will destroy this object when the timeout
   * expires.
  private final Destroyer destroyer;

  // Constructors.
  // -------------------------------------------------------------------------

   * Create a new expirable object that will expire after one hour.
  protected ExpirableObject()

   * Create a new expirable object that will expire after the specified
   * timeout.
   * @param delay The delay before expiration.
   * @throws IllegalArgumentException If <i>delay</i> is negative, or if
   *  <code>delay + System.currentTimeMillis()</code> is negative.
  protected ExpirableObject (final long delay)
    destroyer = new Destroyer (this);
    EXPIRER.schedule (destroyer, delay);

  // Instance methods.
  // -------------------------------------------------------------------------

   * Destroys this object. This method calls {@link doDestroy}, then, if
   * no exception is thrown, cancels the task that would destroy this object
   * when the timeout is reached.
   * @throws DestroyFailedException If this operation fails.
  public final void destroy() throws DestroyFailedException

   * Subclasses must implement this method instead of the {@link
   * Destroyable#destroy()} method.
   * @throws DestroyFailedException If this operation fails.
  public abstract void doDestroy() throws DestroyFailedException;

  // Inner classes.
  // -------------------------------------------------------------------------

   * The task that destroys the target when the timeout elapses.
  private final class Destroyer extends TimerTask

    // Fields.
    // -----------------------------------------------------------------------

    private final ExpirableObject target;

    // Constructor.
    // -----------------------------------------------------------------------

    Destroyer (final ExpirableObject target)
      this.target = target;

    // Instance methods.
    // -----------------------------------------------------------------------

    public void run()
          if (!target.isDestroyed())
      catch (DestroyFailedException dfe)
gnu-crypto-discuss mailing list

[Home]     [Gnu Classpath]     [Linux Kernel]     [Linux Cryptography]     [Fedora]     [Fedora Directory]     [Red Hat Development]     [Red Hat 9 Bible]     [Fedora Bible]     [Red Hat 9]     [Network Security Reading]

  Powered by Linux