[Cryptography] Heartbleed and fundamental crypto programming practices
Phillip Hallam-Baker
hallam at gmail.com
Wed Apr 16 11:24:55 EDT 2014
On Wed, Apr 16, 2014 at 1:14 AM, Bear <bear at sonic.net> wrote:
> As far as I know, C (and C++) with its 'volatile' directive are
> the only language standards that give you a promise about being
> able to force something to never get swapped out and never have
> a read or write specified by the code omitted - which means a
> way to control many of the *implicit* channels you have to care
> about in security code.
There is a C# class that does the same thing.
http://msdn.microsoft.com/en-us/library/system.security.securestring(v=vs.110).aspx
I am not sure what the story is for keys, I think the assumption is
that they will be implemented in a CAPI library. But there is a
similar problem in C, unless you really understand what is going on,
keys get passed on the stack all the time.
But I need to find out soon...
--
Website: http://hallambaker.com/
More information about the cryptography
mailing list