[cryptography] Best practices for paranoid secret buffers

Kevin kevinsisco61784 at gmail.com
Wed May 7 11:43:48 EDT 2014


On 5/6/2014 11:56 PM, Tony Arcieri wrote:
> Can anyone point me at some best practices for implementing buffer 
> types for storing secrets?
>
> There are the general coding rules at cryptocoding.net 
> <http://cryptocoding.net> for example, that say you should use 
> unsigned bytes and zero memory when you're done, but I'm more curious 
> about specific strategies, like:
>
> - malloc/free + separate process for crypto
> - malloc/free + mlock/munlock + "secure zeroing"
> - mmap/munmap (+ mlock/munlock)
>
> Should finalizers be explicit or implicit? (or should an implicit 
> finalizer try to make sure buffers are finalized if you don't do it 
> yourself?)
>
> Are paranoid buffers worth the effort? Are the threats they'd 
> potentially mitigate realistic? Are there too many other things that 
> can go wrong (e.g. rewindable VMs) for this to matter?
>
> --
> Tony Arcieri
>
I do think it is worth the effort.  Yes, what you are talking about 
takes extra work but it is better to be safe than sorry.  I will say, 
however, that you should understand the read/write process is taxed.  
This is what I mean:
Let's assume you set aside a chunk of memory.  At some point it needs to 
be freed.  How often do you wish the algorithm to do this? It is 
important to figure this out because your RAM will be used and flushed 
(in part) over and over.


-- 
Kevin
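
As an added example, not part of the thread: the mmap/munmap plus mlock/munlock strategy from the list in the quoted message, written in C with an explicit finalizer that zeroes the mapping before releasing it. The names secret_buf, secret_buf_init, secret_buf_destroy and secure_zero are assumptions made for this example.

```c
#define _DEFAULT_SOURCE           /* exposes MAP_ANONYMOUS on glibc */
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical type for this example: a page-backed buffer for key material. */
typedef struct {
    unsigned char *data;   /* start of the mapping */
    size_t len;            /* bytes the caller asked for */
    size_t map_len;        /* len rounded up to whole pages */
    int locked;            /* 1 if mlock() succeeded */
} secret_buf;

/* Zero through a volatile pointer so the compiler cannot drop the stores. */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

int secret_buf_init(secret_buf *b, size_t len) {
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0 || len == 0) return -1;
    size_t map_len = (len + (size_t)page - 1) / (size_t)page * (size_t)page;
    void *p = mmap(NULL, map_len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    b->data = p; b->len = len; b->map_len = map_len;
    /* mlock can fail under RLIMIT_MEMLOCK; record it so the caller can decide. */
    b->locked = (mlock(p, map_len) == 0);
    return 0;
}

/* Explicit finalizer: wipe, unlock, unmap. A second call returns -1. */
int secret_buf_destroy(secret_buf *b) {
    if (b->data == NULL) return -1;
    secure_zero(b->data, b->map_len);
    if (b->locked) munlock(b->data, b->map_len);
    int rc = munmap(b->data, b->map_len);
    b->data = NULL; b->len = b->map_len = 0; b->locked = 0;
    return rc;
}

int main(void) {
    secret_buf key;
    if (secret_buf_init(&key, 32) != 0) return 1;
    memset(key.data, 0xAA, key.len);   /* constructed stand-in for a key */
    return secret_buf_destroy(&key);
}
```

The whole mapping is wiped rather than only `len` bytes, since the buffer owns every page it mapped.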
