gnu-crypto-discuss

[GNU Crypto] Passwords Immutable?


From: Bryan Hoover
Subject: [GNU Crypto] Passwords Immutable?
Date: Sun, 11 Apr 2004 23:29:18 -0400

Hello,

Had a question.  Thought I'd join the list.

I'm integrating the SRP (client, and server) mechanism into a
sourceforge project.  It's been going without a hitch.  Very nice.

The question of String immutability came up -- Java String hangs around
in memory indefinitely and this supposedly makes it vulnerable to memory
sniffing.

I've tracked down that the library uses a HashMap String property for
the password.  It's converted to a char array before processing.

Anyone know whether there's anything to the notion that the String
password in the HashMap could be sniffed by someone on the local
network?  Is it a serious problem?

I'm playing around with the code at the moment, thinking about setting
the property as a StringBuffer, or char array, and then doing the
necessary conversion when the property is read by the lower level
routines.  Would be easy enough.

OR, perhaps there's a way around this I've missed?

I hope I haven't touched a nerve with this, as I'm joining the group
blindly, without having read any of the messages for context or
anything.  I'm new to Java, so sorry if I'm off base with the String
question.

Regards,

Bryan
--
At least the vulture kept on pecking at Prometheus's liver, and Loki had
the poison constantly dripping down on him; at least there was an
interruption, however monotonous. - (Soren Kierkegaard - Either/Or)

http://www.wecs.com/content.htm

This signature file is generated by Pick-a-Tag !
Written by Jeroen van Vaarsel
http://www.google.com/search?hl=en&ie=ISO-8859-1&q=pick-a-tag
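
The char-array approach raised in the message above, as an added example that is not part of the original post and is not GNU Crypto code. The class name, the "password" property key and the SHA-256 step (a stand-in for the lower-level routine) are assumptions made for illustration.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

public class CharArrayPasswordDemo {
    // Hypothetical property key; the library's real key name is not given in the message.
    static final String PASSWORD_KEY = "password";

    // Encode char[] to UTF-8 bytes without ever creating an intermediate String.
    static byte[] toUtf8(char[] chars) {
        ByteBuffer buf = StandardCharsets.UTF_8.encode(CharBuffer.wrap(chars));
        byte[] out = new byte[buf.remaining()];
        buf.get(out);
        if (buf.hasArray()) {
            Arrays.fill(buf.array(), (byte) 0); // wipe the encoder's backing array
        }
        return out;
    }

    // Stand-in for the lower-level routine: uses the password, then wipes every copy it made.
    static byte[] consume(Map<String, Object> props) throws Exception {
        char[] pw = (char[]) props.remove(PASSWORD_KEY); // the map no longer references the secret
        byte[] raw = toUtf8(pw);
        try {
            return MessageDigest.getInstance("SHA-256").digest(raw);
        } finally {
            Arrays.fill(raw, (byte) 0);
            Arrays.fill(pw, '\0'); // same array the caller holds, so the caller's copy is cleared too
        }
    }

    public static void main(String[] args) throws Exception {
        Map<String, Object> props = new HashMap<>();
        // Constructed sample; real input would come from Console.readPassword(), which returns char[].
        char[] pw = {'s', '3', 'c', 'r', 'e', 't'};
        props.put(PASSWORD_KEY, pw);
        byte[] digest = consume(props);
        System.out.println("digest bytes: " + digest.length);
        System.out.println("password wiped: " + (pw[0] == '\0'));
    }
}
```

Wiping shortens the time the secret sits on the heap; it does not guarantee that no copy remains, since the garbage collector may relocate arrays before they are cleared.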



