Did you *really* zeroize that key?

[Bill Frantz]

At 8:40 PM -0800 11/7/02, Peter Gutmann wrote:
>It's worth reading the full thread on vuln-dev, which starts at
>http://online.securityfocus.com/archive/82/297827/2002-10-29/2002-11-04/0.
>This discusses lots of fool-the-compiler tricks, along with rebuttals
>on why they could fail.

In that discussion, Dan Kaminsky wrote:
>You also need to ignore that bizarre corner case where the same memory
>   address is mapped to multiple *physical* addresses -- such a memory
>   architecture could simply alter one of the addresses and tag the rest as
>   "tainted" without in fact clearing them.  But I don't think anyone
>   actually does this -- I'm at least significantly more sure of that than
>   I am of the precise semantics of "volatile" vis-a-vis dead code
>elimination.
>
>   Yours Truly,
>
>       Dan Kaminsky
>       DoxPara Research
>       http://www.doxpara.com

There is a common example of this corner case where the memory is paged.
The page containing the key is swapped out, then it is read back in and the
key is overwritten, and then the page is deallocated.  Many OSs will not
zero the disk copy of the key.

Crypto coders have discussed many kludges to ensure that keys are not
swapped out, but they are all quite system specific.  Since the problem we
were trying to solve is different environments producing different results,
I don't feel we are any closer to safe, portable code.

Cheers - Bill


-------------------------------------------------------------------------
Bill Frantz           | The principal effect of| Periwinkle -- Consulting
(408)356-8506         | DMCA/SDMI is to prevent| 16345 Englewood Ave.
frantz at pwpconsult.com | fair use.              | Los Gatos, CA 95032, USA



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com