Use of string instead of byte[] 

During an empirical study to understand the nature of cryptographic misuses in enterprise-driven projects on GitHub, we randomly inspected a few of the misuses. One of the misuses for which we could confirm as a true positive of the analysis, [CogniCryptSAST](https://github.com/CROSSINGTUD/CryptoAnalysis), is in this project. 

- In the class [com.github.ontio.account.Account ](https://github.com/ontio/ontology-java-sdk/blob/master/src/main/java/com/github/ontio/account/Account.java#L222) (L222, `derivedHalf2` is "filled" with the passed string to the function), a string is passed as a secret key that is considered insecure. In Java, strings are immutable and stay in memory until collected by Java's garbage collector. Thus, they are longer visible in memory for attackers than necessary and outside of the direct control of the developer. The suggested data types by the [JCA](https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html#PBEEx) are bytes.


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Use of string instead of byte[] #259

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Use of string instead of byte[] #259

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions