* on the Wed, Sep 25, 2013 at 06:47:24PM +0700, Niklas wrote: > This sounds like a classic cold boot attack: > http://en.wikipedia.org/wiki/Cold_boot_attack > > Moving code into a browser extension wouldn't prevent the fact that keys > reside in memory when they are being used. What's worth to note here is > that this is not magical in any way; data in memory can be dumped and > read. Equally data on disk can be mounted and read. This is the nature > of its invention. There is no possible way to write software patches > which change the way that physics and computer hardware works. > Protection against physical access is outside the software world, kind > of like combating gravity with JavaScript.
FWIW, and I'm not suggesting this is something that openpgpjs can take advantage of, but: There is a patch for Linux called TRESOR which helps against cold boot attacks. http://www1.informatik.uni-erlangen.de/tresor When used it moves your keys out of RAM and into your CPUs debug registers. All crypto is then performed directly on the CPU without copying the keys back into main memory. It's typically used with LUKS/dm-crypt for disk encryption and has almost zero overhead when used with a CPU that has AES-NI instructions like an Intel i5/i7. I've used it myself on my laptop with Ubuntu. -- Mike Cardwell https://grepular.com/ http://cardwellit.com/ OpenPGP Key 35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F XMPP OTR Key 8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4
signature.asc
Description: Digital signature
_______________________________________________ http://openpgpjs.org Subscribe/unsubscribe: http://list.openpgpjs.org
