How to keep the key used for decryption during web application runtime

1
votes

How can I securely store a crypto key object of type javax.crypto.SecretKey during a user session in a java web application? I have to manage such a key, because I can create that key only after login but may need that key later for some decryption of sensitive user data.

The secretKey itself is derived from the user password by a password based derived key functions (currently "PBKDF2WithHmacSHA1"). The used salt and number of iterations are persistent in the database. With those parameters -- password, salt and iterations -- I can recreate that password key right after login, when the password is available. After that, I'd like to keep the generated key in memory, in contrast to keep the plain password all the time.

Since I'm using Spring / Hibernate, is it safe to put that key object into a bean with session scope? Such an object exists in-memory only and should be safe, isn't it?

The general question: is it possible to build secure environments if the time a secret key is available differs from the time this key should used, even by some minutes?

1
springarchitectureencryptioncryptography

1 Answers

3
votes

It all depends on what your requirement/definition of 'safe' for this project.

Keeping secret key in memory, in session scope is 'safe' from the prospective that it theoretically should not be accessible from other sessions. Unless of course there are bugs or security vulnerabilities in Spring, web container or in your code - take a look at session hijacking for example, make sure you understand the potential risks.

On the other hand once secret key is in memory in readable form it can be potentially recovered via memory dump or through unsecured swap file. If the session is distributed or persistent it could be intercepted when session data is transmitted to another node or persisted to disk or database. Granted, this is relatively more difficult and would require access to the network or box which runs your software.