> On Feb 17, 2018, at 11:00 , cryptography-dev-requ...@python.org wrote:
> 
> Date: Sat, 17 Feb 2018 04:04:00 +0100
> From: Alex <python-cryptogra...@qu3.org>
> To: cryptography-dev@python.org
> Subject: Re: [Cryptography-dev] Destroying keys and secrets?
> Message-ID: <d057417f-ce19-1a60-4d18-18680c562...@nigl.biz>
> Content-Type: text/plain; charset="utf-8"
> 
> You might have a look at:
> https://github.com/dnet/pysecstr
> 
> Here is a longer description about the used method:
> https://www.sjoerdlangkemper.nl/2016/06/09/clearing-memory-in-python/
> 
> Disclaimer: This is not a recommendation just a hint for further
> exploration. Be also aware that you can't control if and when Python
> swaps memory to disk.



> On Feb 16, 2018, at 16:44 , cryptography-dev-requ...@python.org wrote:
> Date: Fri, 16 Feb 2018 21:54:23 +0000
> From: Matt Bullock <matt.s.b...@gmail.com>
> To: cryptography-dev@python.org
> Subject: Re: [Cryptography-dev] Destroying keys and secrets?
> 
> I've also toyed with the idea of making a C extension analogous to the
> SecretKey structure from Java, which never lets the actual key material out
> of the structure, but in order to actually do anything with the key
> material it still needs to surface to Python at some point, which puts us
> back in the same position we started with. ..unless we were to re-implement
> all of pyca/cryptography in Cython, but that's a thought for a different
> time…



> On Feb 16, 2018, at 16:44 , cryptography-dev-requ...@python.org wrote:
> 
> Date: Fri, 16 Feb 2018 15:44:39 -0700
> From: John Pacific <m...@johnpacific.com>
> To: cryptography-dev@python.org
> Subject: Re: [Cryptography-dev] Destroying keys and secrets?
> Message-ID:
>       <cahr1pup6wvzdho02yfozg4mwttdz3cxrkpjssbuj1wtlupu...@mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
> 
> Afaik, there is no reliable way to do this in Python.
> 
> I have taken some time to implement some OpenSSL methods that at least
> clear the memory on private numbers before freeing it in BIGNUMBER
> operations.
> 
> See the PR here: https://github.com/pyca/cryptography/pull/4072
> 
> However, as it comes for the Elliptic curve





Gentlemen,



        Thank you for your fine answers. They comport with my expectations.

        Without boring you with my details, I am doing something similar to an 
ephemeral ECDH exchange. The secrets have a very short lifetime. Hence, I’m not 
worried about swapping to disk. (Though most of the cloud vendors claim the 
swap vm is encrypted.)

For example:

secret_bytes = os.urandom(384//8)
secret_int = int.from_bytes(secret_bytes, byteorder='big')
private_key = ec.derive_private_key(secret_int, ec.SECP384R1(), backend)



        I would like secret_bytes, secret_int, and private_key to be zeroed-out 
before I exit the function. I want as precise an object lifetime as possible. 
While I fully understand the values of a library maintainer wishing to have a 
robust solution for all supported versions and runtimes, I have explicit 
control of this function and its execution environment. I’m more concerned 
about revealing the secret in a hostile cloud. In particular, I don’t have the 
string aliasing problem. Yes, this is a fragile and extremely hazardous 
solution. OTOH, the industry just freaked out about Meltdown. It behooves us 
all to manage key lifetimes carefully. 



        As I dig into examining this problem further, I assume the 
ec.derive_private_key() function takes a conservative approach and doesn’t ever 
copy the secret_int? If I’m living well, banging the bytes in secret_bytes 
might hit the only copy of the secret. Depends upon whether int.from_bytes() 
copies the storage of an immutable source.




        Again, thank you for your answers. I’ll keep you posted with my 
progress.



Anon,
Andrew
____________________________________
Andrew W. Donoho
Donoho Design Group, L.L.C.
andrew.don...@gmail.com, +1 (512) 666-7596, twitter.com/adonoho

No risk, no art.
        No art, no reward.
                -- Seth Godin


_______________________________________________
Cryptography-dev mailing list
Cryptography-dev@python.org
https://mail.python.org/mailman/listinfo/cryptography-dev

Reply via email to