Did you *really* zeroize that key?

Steven M. Bellovin smb at research.att.com
Thu Nov 7 09:55:26 EST 2002


In message <200211070207.PAA88426 at ruru.cs.auckland.ac.nz>, Peter Gutmann writes
:
>>[Moderator's note: FYI: no "pragma" is needed. This is what C's "volatile"
>> keyword is for. 
>
>No it isn't.  This was done to death on vuln-dev, see the list archives for
>the discussion.
>
>[Moderator's note: I'd be curious to hear a summary -- it appears to
>work fine on the compilers I've tested. --Perry]
>
Regardless of whether one uses "volatile" or a pragma, the basic point 
remains:  cryptographic application writers have to be aware of what a 
clever compiler can do, so that they know to take countermeasures.

		--Steve Bellovin, http://www.research.att.com/~smb (me)
		http://www.wilyhacker.com ("Firewalls" book)



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com



More information about the cryptography mailing list