[Cryptography] Making sure memory erasure is not optimized away

Phillip Hallam-Baker phill at hallambaker.com
Sat Aug 27 11:21:41 EDT 2022


On Sat, Aug 27, 2022 at 5:03 AM Peter Gutmann <pgut001 at cs.auckland.ac.nz>
wrote:

> Phillip Hallam-Baker <phill at hallambaker.com> writes:
>
> >Has anyone got pointers to ways to make sure this is done right?
>
> It's a solved problem, just Google it, e.g. Windows has SecureZeroMemory(),
> glibc has explicit_bzero(), and so on.  There are also plenty of ad hoc
> solutions using pointers to volatile and similar.
>

My problem isn't knowing how to do X so much as preventing the compiler
optimizing it away. Another issue is making sure memory gets cleared when
BigIntegers increase in size.

Looks to me like a custom BigInteger library will be needed. Probably one
that is specifically adapted to cryptography and modular arithmetic.

> With C# (which you mentioned) and similar languages, a bigger concern is that
> you're giving the compiler, and in some cases the engine/interpreter/VM
> fairly complete control over your memory, so you can't really tell where
> copies of sensitive data are ending up.
>

Not unless there are specific controls in place that enforce the memory
wipes. Then the memory manager is working for you rather than against you
and, correctly implemented, makes key leakage less likely.


PHB
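
The two concerns raised in this message (a wipe the compiler cannot drop, and clearing the old storage when a big integer grows), sketched in C as an added example; it is not code from the thread or from any library named in it. The secret_int type, its functions and the last_released_* counters are hypothetical names invented for the illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stores through a volatile-qualified lvalue are not removed as dead stores
   by current compilers. Where the platform provides explicit_bzero() or
   SecureZeroMemory(), call that instead. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Example-only instrumentation: length and leftover non-zero bytes of the
   last block released, checked before free() so no freed memory is read. */
static size_t last_released_len, last_released_nonzero;

static void wipe_and_free(void *p, size_t n) {
    if (!p) return;
    secure_wipe(p, n);
    last_released_len = n;
    last_released_nonzero = 0;
    for (size_t i = 0; i < n; i++)
        last_released_nonzero += ((unsigned char *)p)[i] != 0;
    free(p);
}

/* Hypothetical bignum whose limbs hold secret data. */
typedef struct { uint32_t *limbs; size_t used, cap; } secret_int;

/* Grow to at least `want` limbs. realloc() is avoided on purpose: it may
   move the data and free the old block with the secret still in it.
   calloc() itself rejects a want * sizeof overflow. */
static int secret_int_reserve(secret_int *s, size_t want) {
    if (want <= s->cap) return 0;
    uint32_t *fresh = calloc(want, sizeof(uint32_t));
    if (!fresh) return -1;
    if (s->used) memcpy(fresh, s->limbs, s->used * sizeof(uint32_t));
    wipe_and_free(s->limbs, s->cap * sizeof(uint32_t));
    s->limbs = fresh; s->cap = want;
    return 0;
}

static void secret_int_clear(secret_int *s) {
    wipe_and_free(s->limbs, s->cap * sizeof(uint32_t));
    s->limbs = NULL; s->used = s->cap = 0;
}

int main(void) {
    secret_int k = {0};
    if (secret_int_reserve(&k, 4)) return 1;
    k.limbs[0] = 0x5ec2e7u; k.used = 1;       /* constructed sample value */
    if (secret_int_reserve(&k, 16)) return 1; /* old 4-limb block wiped here */
    secret_int_clear(&k);
    return (int)last_released_nonzero;
}
```

This covers only the heap copy the code itself controls; copies in registers, stack spills or a managed runtime's relocated objects are outside its reach.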