{"title":"A Secure String Class Compliant with PCI DSS","authors":"Katarína Amrichová, Terézia Mézesová","doi":"10.1145/3360664.3360681","DOIUrl":null,"url":null,"abstract":"Computer programs often work with a variety of sensitive data and class String is widely used in object-oriented programming languages for this purpose. However, saving sensitive data to a String object is not safe as it is not encrypted and may still be in the operating memory even after it is no longer needed. Due to non-deterministic behaviour of mechanism responsible for removing unused items from the memory, we cannot say with certainty when String with sensitive data will actually be removed. If an attacker gets either part of or even the entire memory image, then they can easily read these sensitive data. This paper discusses the options in object oriented languages that provide programmers with a way of storing the data in memory in an encrypted form. We present a pseudo code for a secure String class that is compliant with Data retention and Cryptography requirements of the PCI DSS standard.","PeriodicalId":409365,"journal":{"name":"Proceedings of the Third Central European Cybersecurity Conference","volume":"12 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2019-11-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the Third Central European Cybersecurity Conference","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3360664.3360681","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 1
Abstract
Computer programs often work with a variety of sensitive data and class String is widely used in object-oriented programming languages for this purpose. However, saving sensitive data to a String object is not safe as it is not encrypted and may still be in the operating memory even after it is no longer needed. Due to non-deterministic behaviour of mechanism responsible for removing unused items from the memory, we cannot say with certainty when String with sensitive data will actually be removed. If an attacker gets either part of or even the entire memory image, then they can easily read these sensitive data. This paper discusses the options in object oriented languages that provide programmers with a way of storing the data in memory in an encrypted form. We present a pseudo code for a secure String class that is compliant with Data retention and Cryptography requirements of the PCI DSS standard.
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
