In message <[EMAIL PROTECTED]> on Fri, 23 Jul 2004 09:53:08 +0200, Oliver Welter <[EMAIL PROTECTED]> said:
mail> One Idea is, not to store the full key but the derived chunks
mail> and produce some "noise" around the parts - so you are unable to
mail> read the whole key. Using your "approach" to try every piece of
mail> memory as a key will render unusable because you now must try
mail> every combination of three random pieces of memory - I think
mail> this will significantly raise the computing time into infinity ;)

That is an idea, and it does raise the computing time, for the decryption function itself as well, at least as far as I can see right now.

OpenSSL doesn't make much effort to lock pages in RAM and doesn't split up the key in parts as you suggest, so the keys are wide open while processing is going on. If you use the EVP interface, all the cipher data is cleaned up with EVP_CIPHER_CTX_cleanup(), basically by being overwritten with random bytes. In all other cases (if the raw, low-level cipher functions are used), it's the application's job to clean up.

The easiest thing to do would probably be to do the splitting in chunks that you suggest. The trouble is that all OpenSSL structures are entirely public, which means that any change leads to yet another round of incompatibility and people who're whining about changed APIs and such.

Still, it might be worth looking into...

Cheers,
Richard

-----
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

--
Richard Levitte   \ Tunnlandsvägen 52 \ [EMAIL PROTECTED]
[EMAIL PROTECTED] \ S-168 36 BROMMA   \ T: +46-708-26 53 44
                  \ SWEDEN            \
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

-----------------------------------------------------------------
A: Because it fouls the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet and in e-mail?
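The chunk-splitting idea discussed in the message above, sketched as an added example; it is not OpenSSL code and not from either poster. The names `split_key`, `split_key_store`, `split_key_load`, `secure_wipe` and `key_visible`, the 16-byte key length and the use of `/dev/urandom` are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 16   /* assumed 128-bit key */

/* The key is held as three XOR shares; no single buffer contains it. */
struct split_key { uint8_t share[3][KEY_LEN]; };

/* Zero memory through a volatile pointer so the store is not optimised out. */
void secure_wipe(void *p, size_t n) {
    volatile uint8_t *v = p;
    while (n--) *v++ = 0;
}

/* Fill buf from the OS random source; returns 0 on success, -1 on failure. */
static int fill_random(uint8_t *buf, size_t n) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    setvbuf(f, NULL, _IONBF, 0);   /* no stdio buffer holding extra bytes */
    size_t got = fread(buf, 1, n, f);
    fclose(f);
    return got == n ? 0 : -1;
}

/* Two shares are random noise; the third is key ^ share0 ^ share1. */
int split_key_store(struct split_key *sk, const uint8_t key[KEY_LEN]) {
    if (fill_random(sk->share[0], KEY_LEN) != 0) return -1;
    if (fill_random(sk->share[1], KEY_LEN) != 0) return -1;
    for (size_t i = 0; i < KEY_LEN; i++)
        sk->share[2][i] = key[i] ^ sk->share[0][i] ^ sk->share[1][i];
    return 0;
}

/* Rebuild the key into out; the caller must secure_wipe(out) after use. */
void split_key_load(const struct split_key *sk, uint8_t out[KEY_LEN]) {
    for (size_t i = 0; i < KEY_LEN; i++)
        out[i] = sk->share[0][i] ^ sk->share[1][i] ^ sk->share[2][i];
}

/* Returns 1 if the contiguous key bytes occur anywhere in mem[0..n). */
int key_visible(const void *mem, size_t n, const uint8_t key[KEY_LEN]) {
    const uint8_t *m = mem;
    for (size_t i = 0; i + KEY_LEN <= n; i++)
        if (memcmp(m + i, key, KEY_LEN) == 0) return 1;
    return 0;
}
```

The recombined buffer is the one place the whole key exists in memory, so it has to be wiped by the caller as soon as the cipher call returns, the same duty the message describes for the low-level cipher functions.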