20.11.2015 12:09, Dimitry Sibiryakov wrote:
> 20.11.2015 9:53, Alex Peshkoff wrote:
>> Yes, and as a result the key is passed from holder to crypt plugin via
>> open source code. As it was reasonably suggested by Vlad, our code should
>> better never touch keys at all.
>
> That may sound good, but in reality it cannot gain any additional security.
> Besides, the information was already passed via the remote module.
Key holder allows the engine to never see the encryption key. It is very important, as the engine is open for everyone while plugins are private\closed code and can protect themselves. It is not required by design to send the secret key over the wire in open form. All the engine knows about the key is its name\id. All the engine sees is some plugin-specific data passed in a callback. The plugin author should take care how to hide the secret key from an attacker.

Regards,
Vlad

PS Key holders are not my invention. They were introduced after learning of CryptoAPI on Windows.

------------------------------------------------------------------------------
Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
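The separation Vlad describes, modelled as an added example that is not Firebird's plugin API and not code from this thread: the open-source engine side handles only a key name and an opaque blob, while the (hypothetical) holder hands the secret to the crypt plugin through a callback the engine never invokes. `KeyHolder`, `CryptPlugin`, `Engine`, `keyCallback` and the XOR "cipher" are all constructed stand-ins.

```cpp
// Added illustration (hypothetical interfaces, not Firebird's IKeyHolderPlugin/IDbCryptPlugin):
// engine sees a key name only; holder and crypt plugin exchange the key between themselves.
#include <cstdint>
#include <map>
#include <string>
#include <vector>

using Bytes = std::vector<uint8_t>;

// Key holder plugin: owns secret material addressed by name/id (constructed sample keys).
struct KeyHolder {
    std::map<std::string, Bytes> keys;
    // Called by the crypt plugin, never by the engine; returns the raw key for a name.
    bool keyCallback(const std::string& name, Bytes& out) const {
        auto it = keys.find(name);
        if (it == keys.end()) return false;
        out = it->second;
        return true;
    }
};

// Crypt plugin: gets only a key name from the engine and resolves it via the holder.
struct CryptPlugin {
    const KeyHolder* holder = nullptr;
    Bytes key;
    bool setKey(const std::string& name) { return holder && holder->keyCallback(name, key); }
    // Toy XOR transform standing in for a real page cipher; symmetric, so one routine serves both ways.
    void transform(Bytes& page) const {
        if (key.empty()) return;                         // no key resolved: leave page untouched
        for (size_t i = 0; i < page.size(); ++i) page[i] ^= key[i % key.size()];
    }
};

// Engine side (open code): the only key-related state it ever stores is the name.
struct Engine {
    std::string keyName;
    CryptPlugin* plugin = nullptr;
    bool attachCrypt(CryptPlugin* p, const std::string& name) {
        plugin = p; keyName = name;
        return plugin->setKey(keyName);                  // forwards the name, not the secret
    }
    Bytes writePage(Bytes page) const { plugin->transform(page); return page; }
    Bytes readPage(Bytes page) const { plugin->transform(page); return page; }
};

// Check a reviewer would want: the engine's own state never contains the key bytes.
bool engineHoldsKey(const Engine& e, const Bytes& k) {
    std::string s(k.begin(), k.end());
    return e.keyName.find(s) != std::string::npos;
}
```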