binance-exchange/binance-java-api

Secret key should be stored as a byte[]

antlen opened this issue · 1 comments

https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html#PBEEx

However, here's the caveat: Objects of type String are immutable, i.e., there are no methods defined that allow you to change (overwrite) or zero out the contents of a String after usage. This feature makes String objects unsuitable for storing security sensitive information such as user passwords.

There is no real need to store a secret key as a String as Binance just needs the byte[] to create the SecretKeySpec. Added to this, a lot of developers will store their private key in a Java keystore and when the key is loaded from the keystore it will be in a byte[]. So the ideal scenario is to load the key as byte[] from the keystore and pass to binance to create the SecretKeySpec from the byte[]. In this flow the secret key never needs to be stored as a String for the lifetime of the application.

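import java.io.FileInputStream;
import java.security.Key;
import java.security.KeyStore;
import javax.crypto.spec.SecretKeySpec;
char[] keystorePassword; // ="xxxxx";
KeyStore keystore = KeyStore.getInstance("JCEKS");
keystore.load(new FileInputStream(ATH), keystorePassword);
// The key comes out of the keystore as bytes; it is never held as a String
Key k = keystore.getKey("BinanceSecretKey", keystorePassword);
SecretKeySpec secret = new SecretKeySpec(k.getEncoded(),"AES");
BinanceApiClientFactory factory = BinanceApiClientFactory.newInstance(apiKey, secret.getEncoded());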
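
The byte[] flow proposed above, as an added, self-contained example that is not part of the issue or of the project's code: the key is read from a JCEKS keystore as bytes, used for one signature, then overwritten. Assumptions: HmacSHA256 as the signing algorithm, an in-memory keystore in place of a file, and a hypothetical class name, password, key and payload constructed for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class ByteArraySecretDemo {
    // Signs a payload with raw key bytes (HmacSHA256 is assumed); no String copy of the key is made.
    static byte[] sign(byte[] keyBytes, String payload) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(keyBytes, "HmacSHA256")); // SecretKeySpec keeps its own copy
        return mac.doFinal(payload.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values; a real program would not take these from String literals.
        char[] storePass = "constructed-pass".toCharArray();
        byte[] sample = "constructed-secret-key".getBytes(StandardCharsets.UTF_8);

        // Build an in-memory JCEKS keystore so the demo runs without files.
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, storePass);
        ks.setEntry("BinanceSecretKey",
                new KeyStore.SecretKeyEntry(new SecretKeySpec(sample, "HmacSHA256")),
                new KeyStore.PasswordProtection(storePass));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, storePass);

        // Reload and pull the key out as bytes, as in the flow the issue proposes.
        KeyStore loaded = KeyStore.getInstance("JCEKS");
        loaded.load(new ByteArrayInputStream(out.toByteArray()), storePass);
        byte[] keyBytes = loaded.getKey("BinanceSecretKey", storePass).getEncoded();
        try {
            byte[] sig = sign(keyBytes, "symbol=BTCUSDT&timestamp=0"); // constructed payload
            StringBuilder hex = new StringBuilder();
            for (byte b : sig) hex.append(String.format("%02x", b));
            System.out.println("signature=" + hex);
        } finally {
            // Unlike a String, these arrays can be overwritten once they are no longer needed.
            Arrays.fill(keyBytes, (byte) 0);
            Arrays.fill(sample, (byte) 0);
            Arrays.fill(storePass, '\0');
        }
    }
}
```

Zeroing `keyBytes` clears only the caller's array; the `SecretKeySpec` and the loaded `KeyStore` each hold their own copy of the key until they are garbage collected.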